
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
28 lines
1.0 KiB
ReStructuredText
---
id: V-38539
status: implemented
tag: misc
---

The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.

Note that high-traffic environments may require TCP SYN cookies to be disabled.
The kernel only starts sending cookies once a listening socket's SYN backlog
overflows, so a burst of legitimate connections can trigger the same
"possible SYN flooding" warning as a real attack. Certain load balancers may
forward requests in such a way that web servers think they're being SYN flooded
during peak traffic events. Putting well-configured hardware network devices in
front of OpenStack environments is always recommended and this may allow some
deployers to turn off SYN cookies within their environment. Keep in mind that
with cookies disabled the kernel simply drops new SYNs while the backlog is
full, so the backlog must be sized for peak traffic.

Deployers can disable TCP SYN cookies by setting an Ansible variable:

.. code-block:: yaml

   security_sysctl_enable_tcp_syncookies: no

Most operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7, have
TCP SYN cookies enabled by default upon installation. For more information on
TCP SYN cookies and TCP SYN floods, refer to these links:

* `Wikipedia: SYN flood <https://en.wikipedia.org/wiki/SYN_flood>`_
* `Wikipedia: SYN cookies <https://en.wikipedia.org/wiki/SYN_cookies>`_
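The following is an added example and is not code from this page or from the openstack-ansible-security role. It shows the check a deployer would want before deciding whether to flip the variable above: read ``net.ipv4.tcp_syncookies`` (the sysctl the role manages) together with the kernel's ``TcpExt`` counters in ``/proc/net/netstat``, and report whether the SYN backlog has actually overflowed on this host. The function names (``tcpext_counter``, ``syncookie_mode``, ``syncookie_report``) and the sample netstat text are constructed for the example; the counter names ``SyncookiesSent``, ``SyncookiesFailed`` and ``TCPReqQFullDrop`` are the kernel's own.

```shell
#!/bin/sh
# Added example, not part of the openstack-ansible-security role: check the
# SYN cookie state of a Linux host and whether the kernel has actually had to
# fall back to cookies, which only happens when a listen socket's SYN backlog
# overflows (the condition a load balancer burst can trigger).

# Print one TcpExt counter from /proc/net/netstat-style text read on stdin.
# The file carries a header line of counter names followed by a line of values.
#   $1 = counter name (for example SyncookiesSent)
tcpext_counter() {
    awk -v name="$1" '
        $1 == "TcpExt:" && !seen_header { for (i = 2; i <= NF; i++) idx[$i] = i; seen_header = 1; next }
        $1 == "TcpExt:" && seen_header  { if (name in idx) print $(idx[name]); exit }
    '
}

# Interpret net.ipv4.tcp_syncookies the way the kernel documents it:
# 0 = never send cookies, 1 = send only when the backlog overflows, 2 = always.
syncookie_mode() {
    case "$1" in
        0) echo disabled ;;
        1) echo on-overflow ;;
        2) echo always ;;
        *) echo unknown; return 1 ;;
    esac
}

# Combine the sysctl value ($1) with a netstat dump ($2) into one verdict:
#   no-overflow                the backlog has not filled since boot
#   backlog-overflow-cookies   it filled and cookies kept connections alive
#   backlog-overflow-dropping  it filled with cookies off, so SYNs were dropped
syncookie_report() {
    mode=$(syncookie_mode "$1") || return 1
    sent=$(printf '%s\n' "$2" | tcpext_counter SyncookiesSent)
    dropped=$(printf '%s\n' "$2" | tcpext_counter TCPReqQFullDrop)
    if [ "$mode" = disabled ] && [ "${dropped:-0}" -gt 0 ]; then
        echo backlog-overflow-dropping
    elif [ "$mode" != disabled ] && [ "${sent:-0}" -gt 0 ]; then
        echo backlog-overflow-cookies
    else
        echo no-overflow
    fi
}

# Constructed sample in /proc/net/netstat layout (not captured from a real
# host): 1523 cookies sent and nothing dropped, i.e. the backlog overflowed
# but cookies absorbed it.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 1523 1498 25 1523 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

syncookie_report 1 "$SAMPLE_NETSTAT"

# Live check of this host; skipped where /proc is not readable.
if [ -r /proc/sys/net/ipv4/tcp_syncookies ] && [ -r /proc/net/netstat ]; then
    syncookie_report "$(cat /proc/sys/net/ipv4/tcp_syncookies)" "$(cat /proc/net/netstat)" || true
fi
```

A host that reports ``backlog-overflow-cookies`` with ``security_sysctl_enable_tcp_syncookies: no`` pending is the case the caveat above describes: after the change the same bursts will show up as ``backlog-overflow-dropping`` unless the backlog is enlarged first. Counters absent on older kernels (``TCPReqQFullDrop`` appeared in 3.x) are treated as zero.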