2 files changed, 22 insertions, 0 deletions

diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
index 94fbae0..aef4278 100644
--- a/manifests/subsystem/sysctl.pp
+++ b/manifests/subsystem/sysctl.pp
@@ -1,5 +1,6 @@
 class nodo::subsystem::sysctl {
   class { 'nodo::subsystem::sysctl::disable_ipv6': }
+  class { 'nodo::subsystem::sysctl::tcp_challenge_ack_limit': }
 
   # Root exploit fix, see http://wiki.debian.org/mmap_min_addr
   # Maybe this can be remove in the future or included in a sysctl puppet module
diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
new file mode 100644
index 0000000..2f6c753
--- /dev/null
+++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp
@@ -0,0 +1,21 @@
+# http://www.isssource.com/fixing-an-internet-security-threat/
+# https://access.redhat.com/security/vulnerabilities/challengeack
+# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/
+# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/
+class nodo::subsystem::sysctl::tcp_challenge_ack_limit(
+  $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'),
+) {
+  file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => $ensure,
+    content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n",
+  }
+
+  exec { "sysctl-tcp_challenge_ack_limit":
+    command     => '/sbin/sysctl -p',
+    subscribe   => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"],
+    refreshonly => true,
+  }
+}