diff options
Diffstat (limited to 'manifests/subsystem/sysctl')
| -rw-r--r-- | manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp new file mode 100644 index 0000000..2f6c753 --- /dev/null +++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp @@ -0,0 +1,21 @@ +# http://www.isssource.com/fixing-an-internet-security-threat/ +# https://access.redhat.com/security/vulnerabilities/challengeack +# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/ +# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/ +class nodo::subsystem::sysctl::tcp_challenge_ack_limit( + $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'), +) { + file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf": + owner => "root", + group => "root", + mode => 0644, + ensure => $ensure, + content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n", + } + + exec { "sysctl-tcp_challenge_ack_limit": + command => '/sbin/sysctl -p', + subscribe => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"], + refreshonly => true, + } +} |