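---
# Blacklist affected kernel modules to mitigate CVE-2019-14835
#
# Playbook Ver. 1.1
#
# This playbook blacklists the vhost_net kernel module (on the kernel command
# line of every installed kernel and via a modprobe "install" stanza), reboots
# the system so the blacklist takes effect, and then verifies that vhost_net is
# no longer loaded. Please note that this may have an impact on guest system
# networking: KVM guests that use the vhost-net backend will be affected.
#
# A `--check` run changes nothing and does not reboot: the tasks that modify
# the host no longer force execution in check mode, and the post-reboot
# verification is skipped there. The reboot task requires Ansible >= 2.7.
#
# For more information, see the vulnerability article:
# https://access.redhat.com/security/vulnerabilities/kernel-vhost
#
# To use this playbook, define the HOSTS variable with the hosts you'd like to
# modify:
#   ansible-playbook -e HOSTS=vm01,vm02 CVE-2019-14835_blacklist_mitigate.yml

- name: Blacklist vhost_net kernel module to mitigate CVE-2019-14835
  hosts: "{{ HOSTS }}"
  become: true

  tasks:
    # --update-kernel=ALL rewrites the boot entries of every installed kernel,
    # so the blacklist also applies after a kernel rollback. NOTE(review): this
    # task is not known to be idempotent; grubby may append the argument again
    # on repeated runs - confirm on the target grubby version.
    - name: Blacklist vhost_net via kernel command line
      command: grubby --update-kernel=ALL --args="modprobe.blacklist=vhost_net"

    # modprobe.blacklist only stops loading by alias; a dependent module or an
    # explicit modprobe would still pull vhost_net in. Mapping its install
    # command to /bin/true turns any such load request into a no-op.
    - name: Fake-install /bin/true to prevent dependent modules from loading vhost_net
      lineinfile:
        path: /etc/modprobe.d/cve_2019_14835_blacklist.conf
        line: install vhost_net /bin/true
        state: present
        create: true
        owner: root
        group: root
        mode: "0644"

    # The reboot module waits for the host to come back before the play
    # continues, so the verification below runs against the rebooted kernel
    # and a failed reboot is reported instead of being ignored.
    - name: Reboot the system to apply module blacklist
      reboot:
        msg: "Ansible triggered reboot"
        reboot_timeout: 600

    # Read-only, so it is safe to run in check mode as well.
    - name: Collect loaded kernel modules
      command: lsmod
      register: lsmod_out
      changed_when: false
      check_mode: false

    # Fail loudly if vhost_net is still resident after the reboot. In check
    # mode no reboot happened, so the state would not yet reflect the change.
    - name: Verify vhost_net is not loaded
      assert:
        that:
          - "'vhost_net' not in lsmod_out.stdout"
        fail_msg: "vhost_net is still loaded; the blacklist did not take effect"
      when: not ansible_check_mode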