diff --git a/defaults/main.yml b/defaults/main.yml index e82a63b1..6f70a1e2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -221,7 +221,7 @@ security_disable_icmpv4_redirects: no # V-38524 # Notes' for each of the STIGs below before making any changes. # ** DANGER ** # -security_sysctl_tcp_syncookies: 1 # V-38539 +security_sysctl_enable_tcp_syncookies: yes # V-38539 # # Deployers who wish to disable IPv6 entirely must set this configuration # variable to 'yes'. See the documentation for V-38546 before making this diff --git a/doc/source/stig-notes/V-38539_developer.rst b/doc/source/stig-notes/V-38539_developer.rst index bc97ce98..9098a259 100644 --- a/doc/source/stig-notes/V-38539_developer.rst +++ b/doc/source/stig-notes/V-38539_developer.rst @@ -1,22 +1,21 @@ The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. -Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure -that the default is maintained. -Keep in mind, however, that high-traffic environments may require TCP -SYN cookies to be disabled. Certain load balancers may forward requests in such -a way that web servers may think they're being SYN flooded during peak traffic -events. Putting well-configured hardware network devices in front of OpenStack -environments is always recommended and this may allow some deployers to turn -off SYN cookies within their environment. +Note that high-traffic environments may require TCP SYN cookies to be disabled. +Certain load balancers may forward requests in such a way that web servers may +think they're being SYN flooded during peak traffic events. Putting well- +configured hardware network devices in front of OpenStack environments is +always recommended and this may allow some deployers to turn off SYN cookies +within their environment. Deployers can disable TCP SYN cookies by setting an Ansible variable: .. code-block:: yaml - security_sysctl_tcp_syncookies: 0 + security_sysctl_enable_tcp_syncookies: no -For more information on TCP SYN cookies and TCP SYN floods, refer to these -links: +Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have +TCP syncookies enabled by default upon installation. For more information on +TCP SYN cookies and TCP SYN floods, refer to these links: * `Wikipedia: SYN flood `_ * `Wikipedia: SYN cookies `_ diff --git a/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml b/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml new file mode 100644 index 00000000..768ce47e --- /dev/null +++ b/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The variable ``security_sysctl_enable_tcp_syncookies`` has replaced + ``security_sysctl_tcp_syncookies`` and it is now a boolean instead of an + integer. It is still enabled by default, but deployers can disable TCP + syncookies by setting the following Ansible variable: + + .. code-block:: yaml + + security_sysctl_enable_tcp_syncookies: no diff --git a/tasks/kernel.yml b/tasks/kernel.yml index 2d901c00..096e0b1c 100644 --- a/tasks/kernel.yml +++ b/tasks/kernel.yml @@ -48,11 +48,10 @@ - cat3 - V-38535 -# This is the default in Ubuntu 14.04 - name: V-38539 - Enable TCP syncookies sysctl: name: net.ipv4.tcp_syncookies - value: "{{ security_sysctl_tcp_syncookies }}" + value: "{{ (security_sysctl_enable_tcp_syncookies | bool) | ternary('1', '0') }}" state: present sysctl_set: yes tags: