Merge "Adjust TCP syncookes variable to bool"

defaults/main.yml

@@ -221,7 +221,7 @@ security_disable_icmpv4_redirects: no             # V-38524
 # Notes' for each of the STIGs below before making any changes.
 # ** DANGER **
 #
-security_sysctl_tcp_syncookies: 1                 # V-38539
+security_sysctl_enable_tcp_syncookies: yes        # V-38539
 #
 # Deployers who wish to disable IPv6 entirely must set this configuration
 # variable to 'yes'. See the documentation for V-38546 before making this

doc/source/stig-notes/V-38539_developer.rst

@@ -1,22 +1,21 @@
 The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
-Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
-that the default is maintained.
 
-Keep in mind, however, that high-traffic environments may require TCP
-SYN cookies to be disabled. Certain load balancers may forward requests in such
-a way that web servers may think they're being SYN flooded during peak traffic
-events. Putting well-configured hardware network devices in front of OpenStack
-environments is always recommended and this may allow some deployers to turn
-off SYN cookies within their environment.
+Note that high-traffic environments may require TCP SYN cookies to be disabled.
+Certain load balancers may forward requests in such a way that web servers may
+think they're being SYN flooded during peak traffic events. Putting well-
+configured hardware network devices in front of OpenStack environments is
+always recommended and this may allow some deployers to turn off SYN cookies
+within their environment.
 
 Deployers can disable TCP SYN cookies by setting an Ansible variable:
 
 .. code-block:: yaml
 
-    security_sysctl_tcp_syncookies: 0
+    security_sysctl_enable_tcp_syncookies: no
 
-For more information on TCP SYN cookies and TCP SYN floods, refer to these
-links:
+Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have
+TCP syncookies enabled by default upon installation.  For more information on
+TCP SYN cookies and TCP SYN floods, refer to these links:
 
 * `Wikipedia: SYN flood <https://en.wikipedia.org/wiki/SYN_flood>`_
 * `Wikipedia: SYN cookies <https://en.wikipedia.org/wiki/SYN_cookies>`_

releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml

@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The variable ``security_sysctl_enable_tcp_syncookies`` has replaced
+    ``security_sysctl_tcp_syncookies`` and it is now a boolean instead of an
+    integer.  It is still enabled by default, but deployers can disable TCP
+    syncookies by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+       security_sysctl_enable_tcp_syncookies: no

tasks/kernel.yml

@@ -48,11 +48,10 @@
     - cat3
     - V-38535
 
-# This is the default in Ubuntu 14.04
 - name: V-38539 - Enable TCP syncookies
   sysctl:
     name: net.ipv4.tcp_syncookies
-    value: "{{ security_sysctl_tcp_syncookies }}"
+    value: "{{ (security_sysctl_enable_tcp_syncookies | bool) | ternary('1', '0') }}"
     state: present
     sysctl_set: yes
   tags: