V-38539: Enable TCP SYN cookies

Implements: blueprint security-hardening

Change-Id: I146948876064c4b59ada78e9699954ec71747742

defaults/main.yml

@@ -167,3 +167,13 @@ num_logs: 5                                       # V-38636
 ## Kernel modules
 # V-38490 - Set the line below to yes to disable usb-storage
 disable_usb_storage: no
+
+## sysctl tunables
+# ** DANGER **
+# It's strongly recommended to fully understand the effects of changing the
+# following sysctl tunables. Refer to the documentation under 'Developer
+# Notes' for each of the STIGs below before making any changes.
+# ** DANGER **
+#
+sysctl_tunable:
+  tcp_syncookies: 1                               # V-38539

doc/source/developer-notes/V-38539.rst

@@ -0,0 +1,16 @@
+The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
+Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
+that the default is maintained.
+
+Keep in mind, however, that high-traffic environments may require TCP
+SYN cookies to be disabled. Certain load balancers may forward requests in such
+a way that web servers may think they're being SYN flooded during peak traffic
+events. Putting well-configured hardware network devices in front of OpenStack
+environments is always recommended and this may allow some deployers to turn
+off SYN cookies within their environment.
+
+For more information on TCP SYN cookies and TCP SYN floods, refer to these
+links:
+
+* `Wikipedia: SYN flood <https://en.wikipedia.org/wiki/SYN_flood>`_
+* `Wikipedia: SYN cookies <https://en.wikipedia.org/wiki/SYN_cookies>`_

tasks/kernel.yml

@@ -48,6 +48,18 @@
     - cat3
     - V-38535
 
+# This is the default in Ubuntu 14.04
+- name: V-38539 - Enable TCP syncookies
+  sysctl:
+    name: net.ipv4.tcp_syncookies
+    value: "{{ sysctl_tunable['tcp_syncookies'] }}"
+    state: present
+    sysctl_set: yes
+  tags:
+    - kernel
+    - cat2
+    - V-38539
+
 # This is the default in Ubuntu 14.04
 - name: V-38596 - Enable virtual address space randomization
   sysctl: