Adjust TCP syncookes variable to bool

This patch changes the TCP syncookies variable to a boolean rather than an integer to reduce confusion. It is still enabled by default and the variable's name has changed: From: security_sysctl_tcp_syncookies To: security_sysctl_enable_tcp_syncookies Change-Id: I0120683963c968cf83d38e4df55f2094f74425fb
2016-08-09 08:29:31 -05:00 · 2016-08-09 08:29:31 -05:00 · 43c81ebcb1
commit 43c81ebcb1
parent fbd64ccc66
4 changed files with 23 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -221,7 +221,7 @@ security_disable_icmpv4_redirects: no             # V-38524
 # Notes' for each of the STIGs below before making any changes.
 # ** DANGER **
 #
-security_sysctl_tcp_syncookies: 1                 # V-38539
+security_sysctl_enable_tcp_syncookies: yes        # V-38539
 #
 # Deployers who wish to disable IPv6 entirely must set this configuration
 # variable to 'yes'. See the documentation for V-38546 before making this
--- a/doc/source/stig-notes/V-38539_developer.rst
+++ b/doc/source/stig-notes/V-38539_developer.rst
@ -1,22 +1,21 @@
 The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
-Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
-that the default is maintained.

-Keep in mind, however, that high-traffic environments may require TCP
-SYN cookies to be disabled. Certain load balancers may forward requests in such
-a way that web servers may think they're being SYN flooded during peak traffic
-events. Putting well-configured hardware network devices in front of OpenStack
-environments is always recommended and this may allow some deployers to turn
-off SYN cookies within their environment.
+Note that high-traffic environments may require TCP SYN cookies to be disabled.
+Certain load balancers may forward requests in such a way that web servers may
+think they're being SYN flooded during peak traffic events. Putting well-
+configured hardware network devices in front of OpenStack environments is
+always recommended and this may allow some deployers to turn off SYN cookies
+within their environment.

 Deployers can disable TCP SYN cookies by setting an Ansible variable:

 .. code-block:: yaml

-    security_sysctl_tcp_syncookies: 0
+    security_sysctl_enable_tcp_syncookies: no

-For more information on TCP SYN cookies and TCP SYN floods, refer to these
-links:
+Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have
+TCP syncookies enabled by default upon installation.  For more information on
+TCP SYN cookies and TCP SYN floods, refer to these links:

 * `Wikipedia: SYN flood <https://en.wikipedia.org/wiki/SYN_flood>`_
 * `Wikipedia: SYN cookies <https://en.wikipedia.org/wiki/SYN_cookies>`_
--- a/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml
+++ b/releasenotes/notes/enable-tcp-syncookes-boolean-4a884a66a3a0e4d7.yaml
@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The variable ``security_sysctl_enable_tcp_syncookies`` has replaced
+    ``security_sysctl_tcp_syncookies`` and it is now a boolean instead of an
+    integer.  It is still enabled by default, but deployers can disable TCP
+    syncookies by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+       security_sysctl_enable_tcp_syncookies: no
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -48,11 +48,10 @@
    - cat3
    - V-38535

-# This is the default in Ubuntu 14.04
 - name: V-38539 - Enable TCP syncookies
  sysctl:
    name: net.ipv4.tcp_syncookies
-    value: "{{ security_sysctl_tcp_syncookies }}"
+    value: "{{ (security_sysctl_enable_tcp_syncookies | bool) | ternary('1', '0') }}"
    state: present
    sysctl_set: yes
  tags: