author | Silvio Rhatto <rhatto@riseup.net> | 2016-09-10 15:52:39 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-09-10 15:52:39 -0300 |
commit | 403e7584ff6f0726d13151075d36d8cba8795b16 (patch) | |
tree | bca18bb66cb1bec9267bcec9fcc1d1e96bbb0367 | |
parent | 36c8650989c02ba7f0559679a8a9ef9877e2d267 (diff) | |
download | puppet-nodo-403e7584ff6f0726d13151075d36d8cba8795b16.tar.gz puppet-nodo-403e7584ff6f0726d13151075d36d8cba8795b16.tar.bz2 |
Adds nodo::subsystem::sysctl::tcp_challenge_ack_limit
-rw-r--r-- | manifests/subsystem/sysctl.pp | 1 | ||||
-rw-r--r-- | manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp | 21 |
2 files changed, 22 insertions, 0 deletions
diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
index 94fbae0..aef4278 100644
--- a/manifests/subsystem/sysctl.pp
+++ b/manifests/subsystem/sysctl.pp
@@ -1,5 +1,6 @@
 class nodo::subsystem::sysctl {
   class { 'nodo::subsystem::sysctl::disable_ipv6': }
+  class { 'nodo::subsystem::sysctl::tcp_challenge_ack_limit': }
   # Root exploit fix, see http://wiki.debian.org/mmap_min_addr
   # Maybe this can be remove in the future or included in a sysctl puppet module
diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
new file mode 100644
index 0000000..2f6c753
--- /dev/null
+++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
@@ -0,0 +1,21 @@
+# http://www.isssource.com/fixing-an-internet-security-threat/
+# https://access.redhat.com/security/vulnerabilities/challengeack
+# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/
+# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/
+class nodo::subsystem::sysctl::tcp_challenge_ack_limit(
+  $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'),
+) {
+  file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf":
+    owner => "root",
+    group => "root",
+    mode => 0644,
+    ensure => $ensure,
+    content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n",
+  }
+
+  exec { "sysctl-tcp_challenge_ack_limit":
+    command => '/sbin/sysctl -p',
+    subscribe => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"],
+    refreshonly => true,
+  }
+}
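Review bot: The refresh exec in tcp_challenge_ack_limit.pp runs `/sbin/sysctl -p` with no file argument, which reloads only /etc/sysctl.conf, so the value written to /etc/sysctl.d/tcp_challenge_ack_limit.conf is never applied to the running kernel by this manifest and the mitigation only takes effect at the next boot or whenever something else reads /etc/sysctl.d. Point the reload at the managed file, `command => '/sbin/sysctl -p /etc/sysctl.d/tcp_challenge_ack_limit.conf',` (or `/sbin/sysctl --system` where the installed procps supports it). `mode => 0644` is an unquoted numeric mode; Puppet expects file modes as strings, so write `mode => '0644',`. The 999999999 constant deserves a one-line comment explaining why it is set (the linked advisory's workaround of raising the limit until the kernel is patched) and noting that with `$ensure => absent` the exec cannot restore the kernel default, so removal is only effective after a reboot.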