aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2016-09-10 15:52:39 -0300
committerSilvio Rhatto <rhatto@riseup.net>2016-09-10 15:52:39 -0300
commit403e7584ff6f0726d13151075d36d8cba8795b16 (patch)
treebca18bb66cb1bec9267bcec9fcc1d1e96bbb0367
parent36c8650989c02ba7f0559679a8a9ef9877e2d267 (diff)
downloadpuppet-nodo-403e7584ff6f0726d13151075d36d8cba8795b16.tar.gz
puppet-nodo-403e7584ff6f0726d13151075d36d8cba8795b16.tar.bz2
Adds nodo::subsystem::sysctl::tcp_challenge_ack_limit
-rw-r--r--manifests/subsystem/sysctl.pp1
-rw-r--r--manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp21
2 files changed, 22 insertions, 0 deletions
diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
index 94fbae0..aef4278 100644
--- a/manifests/subsystem/sysctl.pp
+++ b/manifests/subsystem/sysctl.pp
@@ -1,5 +1,6 @@
class nodo::subsystem::sysctl {
class { 'nodo::subsystem::sysctl::disable_ipv6': }
+ class { 'nodo::subsystem::sysctl::tcp_challenge_ack_limit': }
# Root exploit fix, see http://wiki.debian.org/mmap_min_addr
# Maybe this can be remove in the future or included in a sysctl puppet module
diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
new file mode 100644
index 0000000..2f6c753
--- /dev/null
+++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
@@ -0,0 +1,21 @@
+# http://www.isssource.com/fixing-an-internet-security-threat/
+# https://access.redhat.com/security/vulnerabilities/challengeack
+# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/
+# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/
+class nodo::subsystem::sysctl::tcp_challenge_ack_limit(
+ $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'),
+) {
+ file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n",
+ }
+
+ exec { "sysctl-tcp_challenge_ack_limit":
+ command => '/sbin/sysctl -p',
+ subscribe => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"],
+ refreshonly => true,
+ }
+}