-rw-r--r--manifests/subsystem/sysctl.pp1
-rw-r--r--manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp21
2 files changed, 22 insertions, 0 deletions
diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
index 94fbae0..aef4278 100644
--- a/manifests/subsystem/sysctl.pp
+++ b/manifests/subsystem/sysctl.pp
@@ -1,5 +1,6 @@
class nodo::subsystem::sysctl {
class { 'nodo::subsystem::sysctl::disable_ipv6': }
+ class { 'nodo::subsystem::sysctl::tcp_challenge_ack_limit': }
# Root exploit fix, see http://wiki.debian.org/mmap_min_addr
# Maybe this can be remove in the future or included in a sysctl puppet module
diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
new file mode 100644
index 0000000..2f6c753
--- /dev/null
+++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
@@ -0,0 +1,21 @@
+# http://www.isssource.com/fixing-an-internet-security-threat/
+# https://access.redhat.com/security/vulnerabilities/challengeack
+# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/
+# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/
+class nodo::subsystem::sysctl::tcp_challenge_ack_limit(
+ $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'),
+) {
+ file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n",
+ }
+
+ exec { "sysctl-tcp_challenge_ack_limit":
+ command => '/sbin/sysctl -p',
+ subscribe => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"],
+ refreshonly => true,
+ }
+}
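Review bot: The refresh exec at the end of the new manifest runs `/sbin/sysctl -p` with no file argument, which loads only /etc/sysctl.conf, so the value written to /etc/sysctl.d/tcp_challenge_ack_limit.conf is not applied to the running kernel by this refresh and only takes effect once something reloads sysctl.d (typically the next boot). Point the command at the managed file, `command => "/sbin/sysctl -p /etc/sysctl.d/tcp_challenge_ack_limit.conf",` or use `/sbin/sysctl --system` to reload the whole sysctl.d directory if the procps on these hosts supports it. Note also that with `ensure => absent` the file is removed but the raised limit stays in the running kernel, since nothing sets it back; if that is intended it deserves a comment on the `$ensure` parameter. A minor style point: the unquoted `mode => 0644` should be the string `'0644'`, the form newer Puppet releases require for file modes.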