--- - name: Reboot after panic sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes with_items: - { name: kernel.panic_on_oops, value: 1 } - { name: kernel.panic, value: 60 } when: evolinux_kernel_reboot_after_panic - name: Don't reboot after panic sysctl: name: "{{ item }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: absent reload: yes with_items: - kernel.panic_on_oops - kernel.panic when: not evolinux_kernel_reboot_after_panic - name: Disable net.ipv4.tcp_timestamps sysctl: name: net.ipv4.tcp_timestamps value: 0 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_disable_tcp_timestamps - name: Reduce the swapiness sysctl: name: vm.swappiness value: 20 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_reduce_swapiness - name: Patch for TCP stack vulnerability CVE-2016-5696 sysctl: name: net.ipv4.tcp_challenge_ack_limit value: 1073741823 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes when: evolinux_kernel_cve20165696 - name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) sysctl: name: net.ipv4.ipfrag_low_thresh value: 196608 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes - name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) sysctl: name: net.ipv6.ip6frag_low_thresh value: 196608 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes - name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) sysctl: name: net.ipv4.ipfrag_high_thresh value: 262144 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes - name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) sysctl: name: net.ipv6.ip6frag_high_thresh value: 262144 sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes - meta: flush_handlers