Major Hayden e57593dfd4 Automate the STIG documentation
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

28 lines
1.0 KiB
ReStructuredText

---
id: V-38539
status: implemented
tag: misc
---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
Note that high-traffic environments may require TCP SYN cookies to be disabled.
Certain load balancers may forward requests in such a way that web servers may
think they're being SYN flooded during peak traffic events. Putting well-
configured hardware network devices in front of OpenStack environments is
always recommended and this may allow some deployers to turn off SYN cookies
within their environment.
Deployers can disable TCP SYN cookies by setting an Ansible variable:
.. code-block:: yaml
security_sysctl_enable_tcp_syncookies: no
Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have
TCP syncookies enabled by default upon installation. For more information on
TCP SYN cookies and TCP SYN floods, refer to these links:
* `Wikipedia: SYN flood <https://en.wikipedia.org/wiki/SYN_flood>`_
* `Wikipedia: SYN cookies <https://en.wikipedia.org/wiki/SYN_cookies>`_