Add workaround for CVE-2016-5696

Change-Id: Ie43c4e354b3c5aeea5b2cc65b9e0296c077148cf
2016-08-13 17:15:10 +02:00
parent cc01563a1c
commit 1625f2a11c
3 changed files with 27 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -224,6 +224,10 @@ security_sysctl_tcp_syncookies: 1                 # V-38539
 # change.
 security_disable_ipv6: no                         # V-38546

+# Sets the global challenge ACK counter to a large value such
+# that a potential attacker could not reasonably come up against it.
+security_set_tcp_challenge_ack_limit: yes    # CVE-2016-5696
+
 ## Mail
 # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
 # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when