From 403e7584ff6f0726d13151075d36d8cba8795b16 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 10 Sep 2016 15:52:39 -0300 Subject: Adds nodo::subsystem::sysctl::tcp_challenge_ack_limit --- manifests/subsystem/sysctl.pp | 1 + .../subsystem/sysctl/tcp_challenge_ack_limit.pp | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp (limited to 'manifests/subsystem') diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp index 94fbae0..aef4278 100644 --- a/manifests/subsystem/sysctl.pp +++ b/manifests/subsystem/sysctl.pp @@ -1,5 +1,6 @@ class nodo::subsystem::sysctl { class { 'nodo::subsystem::sysctl::disable_ipv6': } + class { 'nodo::subsystem::sysctl::tcp_challenge_ack_limit': } # Root exploit fix, see http://wiki.debian.org/mmap_min_addr # Maybe this can be remove in the future or included in a sysctl puppet module diff --git a/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp new file mode 100644 index 0000000..2f6c753 --- /dev/null +++ b/manifests/subsystem/sysctl/tcp_challenge_ack_limit.pp @@ -0,0 +1,21 @@ +# http://www.isssource.com/fixing-an-internet-security-threat/ +# https://access.redhat.com/security/vulnerabilities/challengeack +# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/ +# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/ +class nodo::subsystem::sysctl::tcp_challenge_ack_limit( + $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'), +) { + file { "/etc/sysctl.d/tcp_challenge_ack_limit.conf": + owner => "root", + group => "root", + mode => 0644, + ensure => $ensure, + content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n", + } + + exec { "sysctl-tcp_challenge_ack_limit": + command => '/sbin/sysctl -p', + subscribe => File["/etc/sysctl.d/tcp_challenge_ack_limit.conf"], + refreshonly => true, + } +} -- cgit v1.2.3