dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

tcp Timestamp comment is wrong, value can also be improved in some cases. #275

Open PopiBrossard opened 3 years ago

PopiBrossard commented 3 years ago

Dear maintainer,

Is your feature request related to a problem? Please describe.

The comment on the sysctl option net.ipv4.tcp_timestamps is false, and the parameter value can be improved.

Describe the solution you'd like

Kernels newer than 4.10 can use a random offset to initialize the TCP timestamp. This enables PAWS (setting it to 0 disables PAWS, the opposite of what the comment says), and the random offset makes it harder to guess the right uptime.

I think a test on kernel version to decide which value to use is the best thing to do.

Describe alternatives you've considered

At least, the comment should be changed, because this setting is disabling PAWS. Or the user should be able to define the value of tcp_timestamps.

Additional context

The TCP manpage says:

       tcp_timestamps (integer; default: 1; since Linux 2.2)
              Set to one of the following values to enable or disable RFC 1323 TCP timestamps:

              0  Disable timestamps.

              1  Enable timestamps as defined in RFC1323 and use random offset for each connection rather than only using the current time.

              2  As for the value 1, but without random offsets.  Setting tcp_timestamps to this value is meaningful since Linux 4.10

tcp_timestamps has existed since kernel 2.2, but the random offset has not been there since kernel 2.2!

Kernel sysctl doc: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

Kernel commit: https://github.com/torvalds/linux/commit/95a22caee396cef0bb2ca8fafdd82966a49367bb

Thanks.
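The kernel-version test proposed above, written out as an added Puppet example (not code from puppet-os-hardening or from the issue author). It assumes the `sysctl` resource type from herculesteam/augeasproviders_sysctl and the Facter fact `$facts['kernelversion']`; the class name and the `$tcp_timestamps` parameter are hypothetical.

```puppet
# Added example, not part of puppet-os-hardening.
# On Linux >= 4.10, value 1 keeps PAWS enabled and randomises the timestamp
# offset per connection, so the timestamp no longer leaks uptime. On older
# kernels value 1 still exposes uptime, so fall back to 0 (the module's
# current setting). $tcp_timestamps lets the user force a value explicitly.
#
# Assumptions: the `sysctl` type comes from herculesteam/augeasproviders_sysctl,
# and $facts['kernelversion'] is the running kernel version (e.g. '5.15.0').
class tcp_timestamps_hardening (
  Optional[Integer[0, 2]] $tcp_timestamps = undef,
) {
  # versioncmp() returns >= 0 when the kernel is 4.10 or newer.
  $kernel_has_random_offset = versioncmp($facts['kernelversion'], '4.10') >= 0

  if $tcp_timestamps =~ Undef {
    # No user override: pick the safe default for this kernel.
    $value = $kernel_has_random_offset ? {
      true    => 1,
      default => 0,
    }
  } else {
    # User-defined value wins over the automatic choice.
    $value = $tcp_timestamps
  }

  sysctl { 'net.ipv4.tcp_timestamps':
    ensure  => present,
    value   => String($value),
    comment => 'Value 1 keeps PAWS; offset is randomised per connection on Linux >= 4.10',
  }
}
```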

rndmh3ro commented 3 years ago

Same issue here in our Ansible collection: https://github.com/dev-sec/ansible-collection-hardening/issues/360

We should fix this.