Merge "Add workaround for CVE-2016-5696"
commit c92262f558
@ -228,6 +228,10 @@ security_sysctl_enable_tcp_syncookies: yes # V-38539
# change.
security_disable_ipv6: no # V-38546
# Sets the global challenge ACK counter to a large value such
# that a potential attacker could not reasonably come up against it.
security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
## Mail
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
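Review bot: the comment above `security_set_tcp_challenge_ack_limit` says what the counter is set to but not why that is only a workaround; since the commit title calls it one, the comment should say that raising the limit only makes it impractical for an attacker to exhaust the counter and that a patched kernel remains the actual fix, so operators know when they can safely set it back to `no`. Stating the value the task applies (1073741823) here as well would make the defaults file self-describing.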
@ -0,0 +1,11 @@
This task in the security role will set the global challenge ACK counter
to a large value to protect systems for a vulnerability in TCP stack
implementation of the Linux kernel (`CVE-2016-5696`_).
To opt-out of this change, adjust the following variable:
.. code-block:: yaml
security_set_tcp_challenge_ack_limit: no
.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
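Review bot: grammar in the first sentence: `protect systems for a vulnerability in TCP stack implementation` should read `protect systems from a vulnerability in the TCP stack implementation`, and `opt-out` used as a verb is `opt out`. The note also never says what the task actually changes; naming the sysctl and value it sets (`net.ipv4.tcp_challenge_ack_limit = 1073741823`, per the task in this change) lets an operator verify it with `sysctl net.ipv4.tcp_challenge_ack_limit` and judge whether opting out is appropriate.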
@ -184,3 +184,15 @@
- kernel
- cat2
- V-38524
- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
sysctl:
name: net.ipv4.tcp_challenge_ack_limit
value: 1073741823
state: present
sysctl_set: yes
when: security_set_tcp_challenge_ack_limit | bool
tags:
- kernel
- cat3
- CVE-2016-5696
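Review bot: opting out later does not undo the change: with `state: present` guarded by `when: security_set_tcp_challenge_ack_limit | bool`, setting the variable to `no` only skips the task, so the value 1073741823 written to the sysctl file by an earlier run stays in place. Consider dropping the `when:` and using `state: "{{ 'present' if security_set_tcp_challenge_ack_limit | bool else 'absent' }}"` so the entry is removed from the sysctl file when the operator opts out, and add a comment on the task saying why 1073741823 in particular was chosen.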