Ansible Pilot

How to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems - Ansible playbook mitigation

How to automate the mitigation of Polkit Privilege Escalation — PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook 1.0 published on RHSB-2022–001. Line by line comment and live demo on vulnerable Red Hat Enterprise Linux 8.5.

January 27, 2022
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

What is Polkit Privilege Escalation - (CVE-2021–4034)?

The Best Resources For Ansible

Video Course

Books

demo

How to mitigrate Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022–001.

code

Code downloaded from Red Hat RHSB-2022-001 Ansible Playbook 1.0 .

execution

ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml
PLAY [Block pkexec with empty first argument with systemtap] **************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [Install systemtap packages] *****************************************************************
changed: [demo.example.com]
TASK [(RHEL 7) Install kernel debuginfo] **********************************************************
skipping: [demo.example.com]
TASK [(RHEL 6/8) Install polkit debuginfo] ********************************************************
changed: [demo.example.com]
TASK [(RHEL 6) Install libselinux-python] *********************************************************
skipping: [demo.example.com]
TASK [Create systemtap script] ********************************************************************
changed: [demo.example.com]
TASK [Checking if stap_pkexec_block module is already loaded] *************************************
ok: [demo.example.com]
TASK [Install systemtap script] *******************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=6    changed=4    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
ansible-pilot $

before execution

ansible-pilot $ ssh [email protected]
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[[email protected] ~]$ sudo su
[[email protected] devops]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
[[email protected] devops]# lsmod | grep stap_pkexec_block
[[email protected] devops]# exit
exit
[[email protected] ~]$

after execution

ansible-pilot $ ssh [email protected]
Last login: Thu Jan 27 21:34:11 2022 from 192.168.0.102
[[email protected] ~]$ sudo su
[[email protected] devops]# lsmod | grep stap_pkexec_block
stap_pkexec_block     434176  0
[[email protected] devops]# ls -al /root/
total 32
dr-xr-x---.  4 root root 210 Jan 27 21:35 .
dr-xr-xr-x. 17 root root 224 Dec  3 15:29 ..
-rw-------.  1 root root 789 Jan 27 21:30 .bash_history
-rw-r--r--.  1 root root  18 Aug 12  2018 .bash_logout
-rw-r--r--.  1 root root 176 Aug 12  2018 .bash_profile
-rw-r--r--.  1 root root 176 Aug 12  2018 .bashrc
-rw-r--r--.  1 root root 100 Aug 12  2018 .cshrc
drwx------.  2 root root  44 Jan 24 16:09 .gnupg
drwxr-xr-x.  3 root root  19 Jan 27 21:34 .systemtap
-rw-r--r--.  1 root root 129 Aug 12  2018 .tcshrc
-rw-------.  1 root root 923 Jan 24 17:37 .viminfo
-rw-r--r--.  1 root root   0 Jan 27 21:35 pkexec-block.log.0
-rw-------.  1 root root  97 Jan 27 21:34 pkexec-block.stp
[[email protected] devops]# ls -al /root/pkexec-block.*
-rw-r--r--. 1 root root  0 Jan 27 21:35 /root/pkexec-block.log.0
-rw-------. 1 root root 97 Jan 27 21:34 /root/pkexec-block.stp
[[email protected] devops]#

Recap

Now you know how to mitigate the Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook 1.0 published on RHSB-2022–001.

Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 200+ Ansible code

Want to keep this project going? Please donate

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons
Trustpilot
Follow me

Subscribe not to miss any new releases

FREE Top 10 Best Practices

Top 10 Best Practices of Ansible Automation: save time, reduce errors and stress