#
# TCP SACK PANIC Mitigation Playbook v1.0
#
# To completely address TCP SACK PANIC vulnerabilities, you will need to update your kernel.
# However, if you are unable to reboot your system into a new kernel immediately, disabling
# selective acknowledgments for the running system will reduce the system's attack surface
# for this issue.
#
# This playbook will disable selective acknowledgments system wide for all newly
# established TCP connections for the running system, and create a file
# /etc/sysctl.d/99-tcpsack.conf to disable selective acknowledgments at boot time.
# The playbook will not reboot the system. A reboot is not necessary for mitigation.
#
# To verify the state of your system after rebooting, you can inspect the file
# located at /proc/sys/net/ipv4/tcp_sack, or you can run the detection script
# available on the "Diagnose" tab of the vulnerability article.
#
# To use this playbook, specify the host group or individual hostnames with the "HOSTS"
# extra var:
#
#   ansible-playbook -e HOSTS=web,mail,ldap04 disable_tcpsack_mitigate.yml
#
# See https://access.redhat.com/security/vulnerabilities/tcpsack for more information.
#
- name: Disable selective acknowledgments for the running system
  hosts: "{{HOSTS}}"
  become: true
  tasks:
    - name: Set net.ipv4.tcp_sack to 0
      sysctl:
        name: net.ipv4.tcp_sack
        value: '0'
        sysctl_set: yes
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.d/99-tcpsack.conf
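A shell check for the state the playbook leaves behind, added here as an example and not part of the Red Hat playbook: it reads the runtime value the comments point at (/proc/sys/net/ipv4/tcp_sack) and the persisted file the playbook writes (/etc/sysctl.d/99-tcpsack.conf), and reports whether both disable SACK. Both paths are optional arguments so the check can also be exercised against constructed files, as the demo at the bottom does.

```shell
#!/bin/sh
# Verification helper added alongside the playbook (not part of the Red Hat
# playbook). It reports whether SACK is disabled for the running kernel and
# whether the persisted sysctl file will disable it again at boot. Both paths
# default to the ones the playbook uses and can be overridden.

# check_tcp_sack [RUNTIME_FILE] [SYSCTL_CONF]
# Returns 0 only when the runtime value is 0 AND the persisted config sets
# net.ipv4.tcp_sack = 0; otherwise prints what is missing and returns 1.
check_tcp_sack() {
    runtime_file="${1:-/proc/sys/net/ipv4/tcp_sack}"
    conf_file="${2:-/etc/sysctl.d/99-tcpsack.conf}"
    rc=0
    if [ -r "$runtime_file" ]; then
        val=$(tr -d '[:space:]' < "$runtime_file")
    else
        val="unreadable"
    fi
    if [ "$val" = "0" ]; then
        echo "runtime: tcp_sack=0 (SACK disabled for new connections)"
    else
        echo "runtime: tcp_sack=$val (SACK still enabled)"
        rc=1
    fi
    # sysctl applies keys in file order, so the last assignment wins.
    persisted=$(grep -E '^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=' "$conf_file" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]')
    if [ "$persisted" = "0" ]; then
        echo "boot: $conf_file sets net.ipv4.tcp_sack = 0"
    else
        echo "boot: $conf_file does not persist net.ipv4.tcp_sack = 0"
        rc=1
    fi
    return "$rc"
}

# Demo against constructed files so this runs without root on any host:
# a fully mitigated system, then one where only the runtime value was changed.
demo_dir=$(mktemp -d)
printf '0\n' > "$demo_dir/tcp_sack"
printf '# constructed sample\nnet.ipv4.tcp_sack = 0\n' > "$demo_dir/99-tcpsack.conf"
check_tcp_sack "$demo_dir/tcp_sack" "$demo_dir/99-tcpsack.conf" && echo "mitigated: yes"
printf '' > "$demo_dir/empty.conf"
check_tcp_sack "$demo_dir/tcp_sack" "$demo_dir/empty.conf" || echo "mitigated: no"
rm -rf "$demo_dir"
```

Run it with no arguments on a host after the playbook (and after a reboot) to check the live paths; a non-zero exit means at least one of the two settings is not in place.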