# http://www.isssource.com/fixing-an-internet-security-threat/
# https://access.redhat.com/security/vulnerabilities/challengeack
# http://coolnerd.co/2016/08/researchers-announce-linux-kernel-network-snooping-bug-naked-security/
# https://nakedsecurity.sophos.com/2016/08/12/researchers-announce-linux-kernel-network-snooping-bug/
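# Manages a sysctl drop-in that raises net.ipv4.tcp_challenge_ack_limit to a
# value the kernel effectively never reaches, which is the mitigation the
# references above describe for the challenge-ACK side channel.
#
# Parameters:
#   $ensure - 'present' installs the drop-in and applies it immediately;
#             'absent' removes the drop-in. Default comes from hiera key
#             nodo::sysctl::tcp_challenge_ack_limit.
#
# Note: removing the drop-in does not restore the kernel default on a running
# host; the previous value stays in effect until the next reboot (or a manual
# sysctl reload of whatever other configuration sets it).
class nodo::subsystem::sysctl::tcp_challenge_ack_limit(
  $ensure = hiera('nodo::sysctl::tcp_challenge_ack_limit', 'present'),
) {
  # Single source for the path so the file resource, the subscription and the
  # reload command cannot drift apart.
  $conf = '/etc/sysctl.d/tcp_challenge_ack_limit.conf'

  file { $conf:
    ensure  => $ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "net.ipv4.tcp_challenge_ack_limit = 999999999\n",
  }

  # A bare `sysctl -p` reads only /etc/sysctl.conf, so the previous reload never
  # applied this drop-in until the next boot. Passing the file explicitly applies
  # it at once. The exec runs only on a change to the file and only while the
  # file still exists, so `ensure => absent` does not error on a missing path.
  exec { 'sysctl-tcp_challenge_ack_limit':
    command     => "/sbin/sysctl -p ${conf}",
    onlyif      => "test -f ${conf}",
    path        => ['/usr/bin', '/bin'],
    subscribe   => File[$conf],
    refreshonly => true,
  }
}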