Blacklist modules via ansible

[sempervictus]

might be a bit easier for readers to use as an ansible play than a shell-script until they can patch

[jine]

EDIT: This PR has been updated with appropriate fix (including installing modules as /bin/false).
Removed my old warning.

[sempervictus]

Fair, happy to expand though this is specifically geared at preventing auto load given upstream approach to that whole mess. Will expand to the manual conditions after off current call

[jine]

Sorry, don't want to ruin your weekend - but it's vital for this kind of exploits - as there's multiple ways of loading modules without actually modprobing them, for example just use a module that depends on esp4 and your good to go.

There is another ansible playbook in the issues somewhere you can use as template.

[sempervictus]

@jine all set, can turn down the temperature and stow the all-caps tenor - appreciate the passion, not the tone.

None of this helps for killchains using other ways to get that valid kernel code into the running kernel (inode confusion, memory mapping, possibly syscall-direct loader shims, etc) or ROPing code built-into RHEL kernels and such at compile-time. Hence the workaround branch name suffix of the PR source - this isn't a fix, the actual kernel patch is the remedy while this merely makes it somewhat harder for locally positioned actors to load the pre-reqs for the killchain into place.

For completeness' sake - to have coverage for the concerns listed above, Grsecurity/PaX has coverage for ROP, type/path confusion, direct memory access, and other vectors by which logically vulnerable code (thus not covered by semantic/mechanical vulnerability remedies in the compilation pipeline or runtime binary defenses) can be "side-loaded" into the kernel and subsequently exploited. MODHARDEN already automatically effects what's being done in this workaround but with better coverage and preemptively.

[jine]

I'm sorry for the temperature / tone - my concern was that someone finds your PR on this repo (currently: one of three) and thinks it's a quick and valid mitigation using ansible -> deploys it to an entire cluster and thinks it's fine. At first glance it might look with, without loading the esp-modules or similar some other way - the one-liner might not even work anymore. Thinks it's OK and takes the weekend off... Meanwhile someone sees the hastately blacklisted modules and tries to bypass it.

I'm sorry, but i wanted to highlight the message, not blame you what so ever or have tone against you - I'm glad you've updated the PR now, so more people can find it and have a valid mitigation for it.

Have a super beautiful weekend and thanks for your commitment in keeping the internet a secure place! :)