Use systemtap with script to mitigate CVE-2016-5195 (for CentOS vX.X)

cve-2016-5195_mitigation.sh

#!/bin/sh

###################################
# CVE-2016-5195 Mitigation Script #
###################################
#LINUX_ARCH = $(uname -m)
#KERNEL_VER = $(uname -r)
#NOTE: RUN AS ROOT, MUST BE CONNTECTED TO INTERNET

echo "Removing unused kernel-devel..."
yum remove -y kernel-devel

echo "Enabling debuginfo repo..."
if [ ! -f /etc/yum.repos.d/CentOS-Debuginfo.repo]; then
	printf "name=CentOS-\$releasever - DebugInfo\nbaseurl=http://debuginfo.centos.org/\$releasever/\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-\$releasever\nprotect=1\npriority=1" > /etc/yum.repos.d/CentOS-Debuginfo.repo
else
	sed -i "s/enabled=0/enabled=1/g" /etc/yum.repos.d/CentOS-Debuginfo.repo
fi

echo "Installing Neccessary packages..."
yum install -y kernel-devel-$(uname -r) kernel-debuginfo-$(uname -r) kernel-debuginfo-common-$(uname -m)-$(uname -r) systemtap systemtap-runtime systemtap-devel systemtap-client mokutil

echo "Making Script..."
cd ~/
mkdir cve_script
cd cve_script
printf "probe kernel.function(\"mem_write\").call ? {\n\t\$count = 0\n}\nprobe syscall.ptrace {  // includes compat ptrace as well\n\t\$request = 0xfff\n}\nprobe begin {\n\tprintk(0, \"CVE-2016-5195 mitigation loaded\")\n}\nprobe end {\n\tprintk(0, \"CVE-2016-5195 mitigation unloaded\")\n}" > cve_2016_5195.stp

echo "Executing script..."
exec stap -g cve_2016_5195.stp &