Merge "Add workaround for CVE-2016-5696"

defaults/main.yml

@@ -228,6 +228,10 @@ security_sysctl_enable_tcp_syncookies: yes        # V-38539
 # change.
 security_disable_ipv6: no                         # V-38546
 
+# Sets the global challenge ACK counter to a large value such
+# that a potential attacker could not reasonably come up against it.
+security_set_tcp_challenge_ack_limit: yes    # CVE-2016-5696
+
 ## Mail
 # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
 # configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when

doc/source/developer-notes/CVE-2016-5696.rst

@@ -0,0 +1,11 @@
+This task in the security role will set the global challenge ACK counter
+to a large value to protect systems for a vulnerability in TCP stack
+implementation of the Linux kernel (`CVE-2016-5696`_).
+
+To opt-out of this change, adjust the following variable:
+
+.. code-block:: yaml
+
+    security_set_tcp_challenge_ack_limit: no
+
+.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696

tasks/kernel.yml

@@ -184,3 +184,15 @@
     - kernel
     - cat2
     - V-38524
+
+- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
+  sysctl:
+    name: net.ipv4.tcp_challenge_ack_limit
+    value: 1073741823
+    state: present
+    sysctl_set: yes
+  when: security_set_tcp_challenge_ack_limit | bool
+  tags:
+    - kernel
+    - cat3
+    - CVE-2016-5696