Merge "Add workaround for CVE-2016-5696"
commit c92262f558
@ -228,6 +228,10 @@ security_sysctl_enable_tcp_syncookies: yes # V-38539
# change.
security_disable_ipv6: no # V-38546
# Sets the global challenge ACK counter to a large value such
# that a potential attacker could not reasonably come up against it.
security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696
## Mail
# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
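Review bot: the two comment lines added above `security_set_tcp_challenge_ack_limit: yes` describe the intent but not the setting. State which sysctl the task changes (`net.ipv4.tcp_challenge_ack_limit`, set to 1073741823 by the task in this change) so the defaults file can be audited without opening the tasks file, and label it a workaround, as the commit title does, so operators know it is an interim measure. The phrase "could not reasonably come up against it" also reads awkwardly; "cannot realistically reach it" says the same thing more clearly.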
@ -0,0 +1,11 @@
This task in the security role will set the global challenge ACK counter
to a large value to protect systems for a vulnerability in TCP stack
implementation of the Linux kernel (`CVE-2016-5696`_).
To opt-out of this change, adjust the following variable:
.. code-block:: yaml
security_set_tcp_challenge_ack_limit: no
.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
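Review bot: grammar in the first paragraph: "to protect systems for a vulnerability in TCP stack implementation" should read "to protect systems against a vulnerability in the TCP stack implementation of the Linux kernel". The note should also tell the reader what the task actually applies (`net.ipv4.tcp_challenge_ack_limit` set to 1073741823, per the task in this change) and that it is a workaround rather than a fix, as the commit title says. Finally, the body of `.. code-block:: yaml` must be indented under the directive for Sphinx to render it; here `security_set_tcp_challenge_ack_limit: no` appears at column 0, so double-check the indentation in the file.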
@ -184,3 +184,15 @@
- kernel
- cat2
- V-38524
- name: CVE-2016-5696 - Sets the global challenge ACK counter to a large value
sysctl:
name: net.ipv4.tcp_challenge_ack_limit
value: 1073741823
state: present
sysctl_set: yes
when: security_set_tcp_challenge_ack_limit | bool
tags:
- kernel
- cat3
- CVE-2016-5696
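Review bot: `value: 1073741823` is a magic number in the task; add a comment explaining the choice (it is 2^30 - 1) or lift it into a variable in defaults next to `security_set_tcp_challenge_ack_limit`, so the value can be audited and overridden without editing the task. Also confirm that `sysctl_set: yes` with `state: present` writes to the same sysctl file the role's other kernel settings use, so the setting persists across reboots consistently with the rest of the role. The task is tagged `cat3` while the neighbouring V-38524 task is `cat2`; if that is intentional, a word in the commit message would save reviewers a question.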