e57593dfd4
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way: * A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages. * ToC pages are now sorted by severity, tag, and implementation status. * A giant listing of controls is easier to navigate now. * Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.) Implements: blueprint security-rhel7-stig Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
1.0 KiB
---id: V-38539 status: implemented tag: misc ---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
Note that high-traffic environments may require TCP SYN cookies to be disabled. Certain load balancers may forward requests in such a way that web servers may think they're being SYN flooded during peak traffic events. Putting well-configured hardware network devices in front of OpenStack environments is always recommended and this may allow some deployers to turn off SYN cookies within their environment.
Deployers can disable TCP SYN cookies by setting an Ansible variable:
security_sysctl_enable_tcp_syncookies: noMost operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have TCP syncookies enabled by default upon installation. For more information on TCP SYN cookies and TCP SYN floods, refer to these links: