Ansible playbook for Dirty Frag mitigation (CVE-2026-43284 and CVE-2026-43500)
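# Mitigation for Dirty Frag - ESP/RxRPC kernel write primitive
# (CVE-2026-43284 and CVE-2026-43500)
# https://github.com/V4bel/dirtyfrag
#
# What this playbook does, per host, one host at a time:
#   1. refuses to proceed if any affected module is built into the running
#      kernel (a modprobe blocklist cannot mitigate that case);
#   2. installs a modprobe.d blocklist so esp4/esp6/rxrpc cannot be loaded,
#      neither explicitly nor via kernel autoload on first use;
#   3. unloads the modules if they are already resident;
#   4. verifies both the blocklist and that nothing is loaded;
#   5. optionally drops the page cache.
#
# Caveats to weigh before rolling this out:
#   * This is a loading block, not a kernel patch. Root can still insmod the
#     .ko files directly; the goal is to stop unprivileged triggering of the
#     autoload path. Upgrade the kernel as the real fix.
#   * esp4/esp6 carry IPsec ESP traffic and rxrpc is used by the in-kernel
#     AFS client. Hosts that rely on those lose that functionality, and rmmod
#     refuses to unload a module that is in use - the task then fails loudly
#     instead of reporting the host as mitigated.
#
# Apply to one host first, for example:
#   ansible-playbook -l host.example.com playbooks/dirtyfrag.yml
---
- hosts: all
  gather_facts: true      # ansible_kernel is needed for the built-in check
  become: true
  serial: 1
  vars:
    # Module names to block. Override in inventory or with -e if needed.
    dirtyfrag_modules:
      - esp4
      - esp6
      - rxrpc
    # Drop the page cache once the modules are gone (see the last task).
    dirtyfrag_drop_caches: true
    # Kernel-provided list of modules compiled into the running kernel image,
    # one "kernel/<path>/<name>.ko" entry per line.
    dirtyfrag_builtin_list: /lib/modules/{{ ansible_kernel }}/modules.builtin
  tasks:
    - name: Read the list of modules built into the running kernel
      # A module that is built in (CONFIG_*=y) cannot be blocked by modprobe.d
      # nor removed with rmmod, so the rest of this playbook would be a silent
      # no-op on such a host. A missing list file is treated as "nothing built
      # in" (failed_when: false) rather than aborting the run.
      ansible.builtin.command:
        cmd: cat {{ dirtyfrag_builtin_list }}
      register: dirtyfrag_builtin
      changed_when: false
      failed_when: false
      when: not ansible_check_mode

    - name: Fail if a Dirty Frag module is built into the kernel
      ansible.builtin.assert:
        that:
          - (dirtyfrag_builtin.stdout | default('')) is not regex('(?m)/(' ~ (dirtyfrag_modules | join('|')) ~ ')[.]ko$')
        fail_msg: >-
          One of {{ dirtyfrag_modules | join(', ') }} is built into kernel
          {{ ansible_kernel }} on this host; a modprobe blocklist cannot
          mitigate it. Upgrade the kernel instead.
      when: not ansible_check_mode

    - name: Install Dirty Frag module blocklist
      # "install X /bin/false" makes every load attempt for X (modprobe, and
      # kernel autoload through request_module) run /bin/false instead of
      # inserting the module; "blacklist X" additionally stops alias-based
      # autoloading. Both are emitted for each module.
      ansible.builtin.copy:
        dest: /etc/modprobe.d/dirtyfrag.conf
        owner: root
        group: root
        mode: '0644'
        content: |
          # Dirty Frag mitigation. Prevent ESP/RxRPC modules from being loaded.
          {% for module in dirtyfrag_modules %}
          install {{ module }} /bin/false
          blacklist {{ module }}
          {% endfor %}
      register: dirtyfrag_modprobe_conf

    - name: Unload Dirty Frag modules if currently loaded
      # rmmod exits non-zero when the module is not loaded, and different kmod
      # versions word that differently ("... is not currently loaded" or
      # "... No such file or directory"); those cases are tolerated. Any other
      # non-zero exit - typically "Module X is in use by: ..." because a
      # dependent module or an active IPsec/AFS user holds it - is a real
      # failure: the host stays vulnerable until that is dealt with.
      ansible.builtin.command:
        cmd: rmmod {{ item }}
      loop: "{{ dirtyfrag_modules }}"
      register: dirtyfrag_rmmod
      failed_when:
        - dirtyfrag_rmmod.rc != 0
        - "(dirtyfrag_rmmod.stderr | default('')) is not search('not currently loaded|No such file or directory')"
      changed_when: dirtyfrag_rmmod.rc == 0
      when: not ansible_check_mode

    - name: Verify Dirty Frag modules resolve to /bin/false
      # Dry-run modprobe and require that the install rule is what it would
      # execute. This catches a blocklist that was written but is shadowed by
      # another modprobe.d file or a typo in the module name.
      ansible.builtin.command:
        cmd: modprobe -n -v {{ item }}
      loop: "{{ dirtyfrag_modules }}"
      register: dirtyfrag_modprobe_check
      changed_when: false
      failed_when: >-
        dirtyfrag_modprobe_check.rc != 0
        or '/bin/false' not in
        (
          (dirtyfrag_modprobe_check.stdout | default(''))
          + (dirtyfrag_modprobe_check.stderr | default(''))
        )
      when: not ansible_check_mode

    - name: Check loaded modules
      ansible.builtin.command:
        cmd: lsmod
      register: dirtyfrag_lsmod
      changed_when: false
      when: not ansible_check_mode

    - name: Verify Dirty Frag modules are not loaded
      # lsmod prints one module per line, name first; match the name at the
      # start of a line followed by whitespace so "esp4" does not match
      # "esp4_offload" or similar.
      ansible.builtin.assert:
        that:
          - dirtyfrag_lsmod.stdout is not regex('(?m)^(' ~ (dirtyfrag_modules | join('|')) ~ ')\\s')
        fail_msg: "A Dirty Frag module is still loaded: {{ dirtyfrag_modules | join(', ') }}"
      when: not ansible_check_mode

    - name: Drop page cache after Dirty Frag mitigation
      # NOTE(review): presumably the write primitive lands in the page cache
      # (as with Dirty Pipe-style bugs), so evicting cached file pages forces
      # the next access to re-read from disk - confirm against the advisory.
      # drop_caches only evicts clean pages, hence the preceding sync.
      # The copy module cannot write to /proc (it renames a temp file), so
      # this has to be a shell redirect.
      ansible.builtin.shell:
        cmd: sync && echo 3 > /proc/sys/vm/drop_caches
      changed_when: true
      when:
        - dirtyfrag_drop_caches | bool
        - not ansible_check_mode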