From 489f64a518751a7d87a65bc73e3b0846083ce75c Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 16:02:20 -0500
Subject: [PATCH] V-38539: Enable TCP SYN cookies
Implements: blueprint security-hardening
Change-Id: I146948876064c4b59ada78e9699954ec71747742
---
 defaults/main.yml | 10 ++++++++++
 doc/source/developer-notes/V-38539.rst | 16 ++++++++++++++++
 tasks/kernel.yml | 12 ++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38539.rst
diff --git a/defaults/main.yml b/defaults/main.yml
index def78886..4a90cd8a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -167,3 +167,13 @@ num_logs: 5 # V-38636
 ## Kernel modules
 # V-38490 - Set the line below to yes to disable usb-storage
 disable_usb_storage: no
+
+## sysctl tunables
+# ** DANGER **
+# It's strongly recommended to fully understand the effects of changing the
+# following sysctl tunables. Refer to the documentation under 'Developer
+# Notes' for each of the STIGs below before making any changes.
+# ** DANGER **
+#
+sysctl_tunable:
+ tcp_syncookies: 1 # V-38539
diff --git a/doc/source/developer-notes/V-38539.rst b/doc/source/developer-notes/V-38539.rst
new file mode 100644
index 00000000..4c066ea1
--- /dev/null
+++ b/doc/source/developer-notes/V-38539.rst
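Review bot: `tcp_syncookies: 1` is the right default, but the DANGER block above it never says what the other values mean, and the developer note only discusses turning cookies off, so a deployer has no guidance on the third option. A comment on the new line would let them choose deliberately: `# 0 = off; 1 = send cookies only when the SYN backlog overflows (kernel default, meets V-38539); 2 = always send cookies, which costs TCP options such as window scaling and SACK on every connection`. Value 1 is the setting that satisfies the STIG without the connection-quality penalty of 2, which is worth stating since the variable is the only knob exposed here.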
@@ -0,0 +1,16 @@
+The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
+Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
+that the default is maintained.
+
+Keep in mind, however, that high-traffic environments may require TCP
+SYN cookies to be disabled. Certain load balancers may forward requests in such
+a way that web servers may think they're being SYN flooded during peak traffic
+events. Putting well-configured hardware network devices in front of OpenStack
+environments is always recommended and this may allow some deployers to turn
+off SYN cookies within their environment.
+
+For more information on TCP SYN cookies and TCP SYN floods, refer to these
+links:
+
+* `Wikipedia: SYN flood `_
+* `Wikipedia: SYN cookies `_
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index 1e2aa39c..e8ad39a9 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -48,6 +48,18 @@
 - cat3
 - V-38535
+# This is the default in Ubuntu 14.04
+- name: V-38539 - Enable TCP syncookies
+ sysctl:
+ name: net.ipv4.tcp_syncookies
+ value: "{{ sysctl_tunable['tcp_syncookies'] }}"
+ state: present
+ sysctl_set: yes
+ tags:
+ - kernel
+ - cat2
+ - V-38539
+
+
 # This is the default in Ubuntu 14.04
 - name: V-38596 - Enable virtual address space randomization
 sysctl:
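Review bot: `sysctl_set: yes` in the new V-38539 task uses a YAML 1.1 boolean that yamllint's truthy rule rejects and that a YAML 1.2 parser reads as the string "yes"; write `sysctl_set: true` to match the plain-scalar style of `state: present`. The task name says "Enable TCP syncookies" but the value is whatever `sysctl_tunable['tcp_syncookies']` holds, so a deployer who sets it to 0 per the developer note gets a task that reports it enabled them; consider `name: V-38539 - Set TCP syncookies` or a comment stating that the variable controls the setting. With `state: present` the module also writes the line to its sysctl_file (default /etc/sysctl.conf), so the value persists across reboots as well as being applied live, which the comment above the task should say since it currently only notes the Ubuntu 14.04 default. The V-38596 task at the bottom of the hunk continues outside it.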