{"description": "Normal TCP/IP networking is open to an attack known as SYN flooding.\nIt is denial-of-service attack that prevents legitimate remote users from being able to connect\nto your computer during an ongoing attack.\n\nWhen enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies\nto enable legitimate users to continue to connect, even when your machine is under attack.\n\nThe configuration that was used to build kernel is available at /boot/config-*.\n To check the configuration value for CONFIG_SYN_COOKIES, run the following command:\n grep CONFIG_SYN_COOKIES /boot/config-*\n \n For each kernel installed, a line with value \"y\" should be returned.\n ", "rationale": "SYN cookies provide protection against SYN flooding attacks.", "severity": "medium", "references": {"anssi": ["R22"]}, "control_references": {"anssi": ["R22"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n $ grep CONFIG_SYN_COOKIES /boot/config.*
\n \n For each kernel installed, a line with value \"y\" should be returned.\n ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable TCP/IP syncookie support", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_SYN_COOKIES", "value": "y"}, "backends": {}}}