From 2236f60469f694e769c9cb49cd385d4e95b7a156 Mon Sep 17 00:00:00 2001
From: Nelis Volschenk
Date: Sat, 2 May 2026 12:47:41 +0000
Subject: [PATCH] Add kernel module hardening and Copy Fail (CVE-2026-31431) mitigation

Disable unnecessary kernel modules to reduce attack surface: algif_aead (Copy Fail), unused filesystems, DMA vectors, unused network protocols, and USB storage. Rebuild initramfs on change to apply at boot.

Co-Authored-By: Claude Opus 4.6
---
 playbook.yml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/playbook.yml b/playbook.yml
index a9ff1f7..33ab2d3 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -59,6 +59,44 @@
 - ttyd
 state: present
+ # --- Kernel module hardening ---
+ - name: Disable unnecessary and vulnerable kernel modules
+ ansible.builtin.copy:
+ dest: /etc/modprobe.d/hardening.conf
+ mode: '0644'
+ content: |
+ # CVE-2026-31431 (Copy Fail) - AF_ALG AEAD privilege escalation
+ install algif_aead /bin/false
+ # Unused filesystems
+ install cramfs /bin/false
+ install freevxfs /bin/false
+ install jffs2 /bin/false
+ install hfs /bin/false
+ install hfsplus /bin/false
+ install squashfs /bin/false
+ install udf /bin/false
+ # DMA attack vectors (firewire / thunderbolt)
+ install firewire-core /bin/false
+ install thunderbolt /bin/false
+ # Unused network protocols
+ install dccp /bin/false
+ install sctp /bin/false
+ install rds /bin/false
+ install tipc /bin/false
+ # USB storage (not needed on headless server)
+ install usb-storage /bin/false
+ notify: update initramfs
+ - name: Unload algif_aead module if currently loaded
+ ansible.builtin.shell:
+ cmd: rmmod algif_aead 2>/dev/null || true
+ changed_when: false
+
 # --- Server hardening ---
 - name: Install security packages
@@ -575,3 +613,7 @@
 ansible.builtin.service:
 name: ssh
 state: restarted
+
+ - name: update initramfs
+ ansible.builtin.command:
+ cmd: update-initramfs -u
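Review bot: The `rmmod algif_aead 2>/dev/null || true` task with `changed_when: false` swallows every failure mode, so the play reports success even when algif_aead is still loaded (module in use, or built into the target kernel rather than loadable — in which case the `install algif_aead /bin/false` directive in hardening.conf has no effect either), which is the one outcome the CVE-2026-31431 mitigation must not hide. Consider replacing the shell task with `community.general.modprobe` using `name: algif_aead` and `state: absent` (requires that collection), which is idempotent, reports the change honestly and fails when the module cannot be unloaded, and adding a follow-up check that fails while algif_aead is still listed in `/proc/modules`. The `install … /bin/false` lines would also be more robust paired with a matching `blacklist <module>` line each, as the usual hardening baselines do, so alias-based autoloading is refused as well. The enclosing task list starts and ends outside the hunk.
```yaml
# … unchanged: hardening.conf copy task with notify …
- name: Unload algif_aead module if currently loaded
  community.general.modprobe:
    name: algif_aead
    state: absent

- name: Verify algif_aead is not loaded
  ansible.builtin.command:
    cmd: grep -qw '^algif_aead' /proc/modules
  register: algif_aead_check
  failed_when: algif_aead_check.rc != 1
  changed_when: false
```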
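Review bot: The new handler's `cmd: update-initramfs -u` regenerates, as far as I can tell, only one kernel's initramfs, so on a host with several kernels installed an older kernel chosen at boot would still carry an initramfs without the new modprobe.d file; `cmd: update-initramfs -u -k all` covers every installed kernel. The command is also Debian-family specific, so if the playbook is ever pointed at a dracut-based target the handler will fail; a `when: ansible_os_family == "Debian"` guard or a comment stating the supported distribution would make that explicit. The handlers list starts outside the hunk.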