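---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Kernel hardening tasks. Each task carries the STIG finding id it
# implements (V-xxxxx) as its name prefix and as a tag, plus a `cat2` /
# `cat3` tag (presumably the finding's severity category) so subsets can
# be selected with --tags / --skip-tags.
#
# sysctl tasks: `sysctl_set: true` applies the value to the running
# kernel as well as persisting it, so the setting takes effect without
# a reboot. Values are quoted so YAML does not retype them.
#
# modprobe tasks: `install <module> /bin/true` makes modprobe run
# /bin/true instead of loading the module, which blocks the module from
# being loaded on demand. Each is gated by a `security_disable_module_*`
# variable so operators who need the protocol can keep it.

- name: V-38528 - The system must log martian packets
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: "1"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat3
    - V-38528

# This is the default in Ubuntu 14.04
- name: V-38537 - The system must ignore ICMPv4 bogus error responses
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: "1"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat3
    - V-38537

# This is the default in Ubuntu 14.04
- name: V-38535 - The system must not respond to ICMPv4 sent to the broadcast address
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: "1"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat3
    - V-38535

# This is the default in Ubuntu 14.04
# The value is operator-controlled via security_sysctl_tcp_syncookies;
# the expression is quoted so an empty expansion does not become null.
- name: V-38539 - Enable TCP syncookies
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: "{{ security_sysctl_tcp_syncookies }}"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat2
    - V-38539

# This is the default in Ubuntu 14.04
- name: V-38596 - Enable virtual address space randomization
  sysctl:
    name: kernel.randomize_va_space
    value: "2"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat2
    - V-38596

# V-38600 covers the `default` template (interfaces created later);
# V-38601 covers `all` (interfaces that already exist). Both are needed.
- name: V-38600 - Disable sending ICMPv4 redirects
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: "0"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat2
    - V-38600

- name: V-38601 - Disable sending ICMPv4 redirects on all interfaces
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: "0"
    state: present
    sysctl_set: true
  tags:
    - kernel
    - cat2
    - V-38601

# `create: true` on the lineinfile tasks below writes the drop-in file if
# it does not exist yet; each finding gets its own file under
# /etc/modprobe.d so a single finding can be reverted independently.
- name: V-38490 - Disable usb-storage module
  lineinfile:
    dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
    line: "install usb-storage /bin/true"
    create: true
  when: security_disable_module_usb_storage | bool
  tags:
    - kernel
    - cat2
    - V-38490

- name: V-38514 - Disable DCCP
  lineinfile:
    dest: /etc/modprobe.d/V-38514-disable-dccp.conf
    line: "install dccp /bin/true"
    create: true
  when: security_disable_module_dccp | bool
  tags:
    - kernel
    - cat2
    - V-38514

- name: V-38515 - Disable SCTP
  lineinfile:
    dest: /etc/modprobe.d/V-38515-disable-sctp.conf
    line: "install sctp /bin/true"
    create: true
  when: security_disable_module_sctp | bool
  tags:
    - kernel
    - cat2
    - V-38515

- name: V-38516 - Disable RDS
  lineinfile:
    dest: /etc/modprobe.d/V-38516-disable-rds.conf
    line: "install rds /bin/true"
    create: true
  when: security_disable_module_rds | bool
  tags:
    - kernel
    - cat3
    - V-38516

- name: V-38517 - Disable TIPC
  lineinfile:
    dest: /etc/modprobe.d/V-38517-disable-tipc.conf
    line: "install tipc /bin/true"
    create: true
  when: security_disable_module_tipc | bool
  tags:
    - kernel
    - cat2
    - V-38517

# Sets both the `all` and `default` sysctl so existing and future
# interfaces are covered. Gated by `disable_ipv6` (note: this variable
# does not follow the security_disable_module_* naming of the tasks
# above — keep that in mind when searching for the switch).
- name: Disable IPv6
  sysctl:
    name: "{{ item }}"
    value: "1"
    state: present
    sysctl_set: true
  with_items:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
  when: disable_ipv6 | bool
  tags:
    - kernel
    - cat2
    - V-38546

# Unlike the other module tasks this ships a static file from the role's
# files/ directory rather than a single lineinfile entry.
- name: V-38682 - Disable bluetooth module
  copy:
    src: V-38682-modprobe.conf
    dest: /etc/modprobe.d/disable-bluetooth.conf
  when: security_disable_module_bluetooth | bool
  tags:
    - kernel
    - cat2
    - V-38682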