Dirty Frag: Universal Linux LPE

https://github.com/V4bel/dirtyfrag

---
- name: Mitigate dirtyfrag modules
  hosts: all
  become: yes

  tasks:
    - name: Ensure modprobe config file has required entries
      copy:
        dest: /etc/modprobe.d/dirtyfrag.conf
        content: |
          install esp4 /bin/false
          install esp6 /bin/false
          install rxrpc /bin/false
        owner: root
        group: root
        mode: '0644'

    - name: Remove esp4 module if loaded
      modprobe:
        name: esp4
        state: absent
      ignore_errors: yes

    - name: Remove esp6 module if loaded
      modprobe:
        name: esp6
        state: absent
      ignore_errors: yes

    - name: Remove rxrpc module if loaded
      modprobe:
        name: rxrpc
        state: absent
      ignore_errors: yes

@devopscats
Do not apply on hosts which need IPsec.

Workarounds:

1️⃣ Try to migrate away from #IPsec to #Wireguard (quite some work per setup)

2️⃣ Use #SELinux to limit what "normal" processes can do with the modules (even more work, but probably only needs to be done once)

3️⃣ If none of this works, secure and monitor these machines, especially preventing untrusted users or code