Ansible Pilot

How to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems - Ansible playbook mitigation

How to automate the mitigation of Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook 1.0 published in RHSB-2022-001, with line-by-line commentary and a live demo on a vulnerable Red Hat Enterprise Linux 8.5 host.

What is Polkit Privilege Escalation - PWNKIT (CVE-2021-4034)?

demo

How to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022-001.

code

Code downloaded from Red Hat RHSB-2022-001, Ansible Playbook 1.0.

execution

ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml
PLAY [Block pkexec with empty first argument with systemtap] **************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [Install systemtap packages] *****************************************************************
changed: [demo.example.com]
TASK [(RHEL 7) Install kernel debuginfo] **********************************************************
skipping: [demo.example.com]
TASK [(RHEL 6/8) Install polkit debuginfo] ********************************************************
changed: [demo.example.com]
TASK [(RHEL 6) Install libselinux-python] *********************************************************
skipping: [demo.example.com]
TASK [Create systemtap script] ********************************************************************
changed: [demo.example.com]
TASK [Checking if stap_pkexec_block module is already loaded] *************************************
ok: [demo.example.com]
TASK [Install systemtap script] *******************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=6    changed=4    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
ansible-pilot $

before execution

ansible-pilot $ ssh [email protected]
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[[email protected] ~]$ sudo su
[[email protected] devops]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
[[email protected] devops]# lsmod | grep stap_pkexec_block
[[email protected] devops]# exit
exit
[[email protected] ~]$

after execution

ansible-pilot $ ssh [email protected]
Last login: Thu Jan 27 21:34:11 2022 from 192.168.0.102
[[email protected] ~]$ sudo su
[[email protected] devops]# lsmod | grep stap_pkexec_block
stap_pkexec_block     434176  0
[[email protected] devops]# ls -al /root/
total 32
dr-xr-x---.  4 root root 210 Jan 27 21:35 .
dr-xr-xr-x. 17 root root 224 Dec  3 15:29 ..
-rw-------.  1 root root 789 Jan 27 21:30 .bash_history
-rw-r--r--.  1 root root  18 Aug 12  2018 .bash_logout
-rw-r--r--.  1 root root 176 Aug 12  2018 .bash_profile
-rw-r--r--.  1 root root 176 Aug 12  2018 .bashrc
-rw-r--r--.  1 root root 100 Aug 12  2018 .cshrc
drwx------.  2 root root  44 Jan 24 16:09 .gnupg
drwxr-xr-x.  3 root root  19 Jan 27 21:34 .systemtap
-rw-r--r--.  1 root root 129 Aug 12  2018 .tcshrc
-rw-------.  1 root root 923 Jan 24 17:37 .viminfo
-rw-r--r--.  1 root root   0 Jan 27 21:35 pkexec-block.log.0
-rw-------.  1 root root  97 Jan 27 21:34 pkexec-block.stp
[[email protected] devops]# ls -al /root/pkexec-block.*
-rw-r--r--. 1 root root  0 Jan 27 21:35 /root/pkexec-block.log.0
-rw-------. 1 root root 97 Jan 27 21:34 /root/pkexec-block.stp
[[email protected] devops]#
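As an added example (not Red Hat's playbook and not the author's code), a small Python checker that mirrors what the play output and the before/after sessions show: it derives the RHEL major version from /etc/os-release, reports which debuginfo prerequisite the playbook's conditional tasks would install, confirms from lsmod output that stap_pkexec_block is loaded, and checks the PLAY RECAP for failures. The captured text it works on is constructed from the sessions above.

```python
"""Offline checker for the RHSB-2022-001 SystemTap mitigation state.
Added example, not Red Hat's playbook: inputs are captured text from
/etc/os-release, `lsmod` and the ansible PLAY RECAP (constructed below)."""
import re

MODULE = "stap_pkexec_block"  # module name the playbook's check task looks for

# Constructed samples mirroring the sessions above (os-release trimmed).
OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nVERSION="8.5 (Ootpa)"\nID="rhel"\nID_LIKE="fedora"\nVERSION_ID="8.5"\n'
LSMOD_BEFORE = "Module                  Size  Used by\n"
LSMOD_AFTER = LSMOD_BEFORE + "stap_pkexec_block     434176  0\n"
RECAP = "demo.example.com : ok=6 changed=4 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0"

def parse_os_release(text):
    """KEY -> value (quotes stripped) for each KEY=value line."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}

def rhel_major(os_release):
    """RHEL major version, or None when neither ID nor ID_LIKE names rhel."""
    info = parse_os_release(os_release)
    ids = {info.get("ID", "")} | set(info.get("ID_LIKE", "").split())
    match = re.match(r"\d+", info.get("VERSION_ID", ""))
    return int(match.group()) if "rhel" in ids and match else None

def expected_debuginfo(major):
    """Prerequisite the playbook's conditional tasks install:
    RHEL 7 needs kernel debuginfo, RHEL 6 and 8 need polkit debuginfo."""
    return {7: "kernel", 6: "polkit", 8: "polkit"}.get(major)

def module_loaded(lsmod_text, name=MODULE):
    """True when `name` is the first column of some lsmod line."""
    return any(line.split()[:1] == [name] for line in lsmod_text.splitlines())

def recap_ok(recap_line):
    """True when the PLAY RECAP reports no failed or unreachable hosts."""
    counts = dict(re.findall(r"(\w+)=(\d+)", recap_line))
    return counts.get("failed") == "0" and counts.get("unreachable") == "0"

def mitigation_in_place(os_release, lsmod_text):
    """Verdict: a RHEL-like host with the SystemTap module actually loaded."""
    return rhel_major(os_release) is not None and module_loaded(lsmod_text)
```

On a live host, feed the functions the real output of `cat /etc/os-release` and `lsmod`; the module check reproduces the `lsmod | grep stap_pkexec_block` step from the sessions above.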

Recap

Now you know how to mitigate the Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook 1.0 published in RHSB-2022-001.

January 27, 2022