AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Mitigate CVE-2021-4034 on RHEL with Ansible Playbook — Video Tutorial

HUse Ansible to mitigate CVE-2021-4034 on RHEL systems. Automate the installation of SystemTap, debugging packages, and deploy mitigation scripts.

Watch on YouTube · Read the written article

Tutorial summary

What you'll learn

  • What is Polkit Privilege Escalation - (CVE-2021–4034)?
  • Links
  • code
  • execution
  • before execution
  • after execution
  • Conclusion
  • Related Articles
  • About PwnKit (CVE-2021-4034)
  • Quick Check: Is Your System Vulnerable?
What is Polkit Privilege Escalation - (CVE-2021–4034)? - "A memory corruption vulnerability in Polkit's pkexec, witch allows any unprivileged user to gain full root privilege on a vulnerable system using default polkit configuration" cit. Bharat Jogi, qualys.com {{< vimeo 669715589 >}} Links - [In deth analysis from Bharat Jogi, qualys.com](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034) - [Red Hat CVE-2021-4034](https://access.redhat.com/security/cve/CVE-2021-4034) - [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook) ## Playbook How to mitigrate Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022–001. code Code downloaded from [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook) . execution ```bash ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml PLAY [Block pkexec with empty first argument with systemtap] ************************************** TASK [Gathering Facts] **************************************************************************** ok: [demo.example.com] TASK [Install systemtap packages] ***************************************************************** changed: [demo.example.com] TASK [(RHEL 7) Install kernel debuginfo] ********************************************************** skipping: [demo.example.com] TASK [(RHEL 6/8) Install polkit debuginfo] ******************************************************** changed: [demo.example.com] TASK [(RHEL 6) Install libselinux-python] ********************************************************* skipping: [demo.example.com] TASK [Create systemtap script] ******************************************************************** changed: [demo.example.com] TASK [Checking if stap_pkexec_block module is already loaded] ************************************* ok: [demo.example.com] TASK [Install systemtap script] ******************************************************************* changed: [demo.example.com] PLAY RECAP **************************************************************************************** demo.example.com : ok=6 changed=4 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0 ansible-pilot $ ``` before execution ```bash ansible-pilot $ ssh devops@demo.example.com Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102 [devops@demo ~]$ sudo su [root@demo devops]# cat /etc/os-release NAME="Red Hat Enterprise Linux" VERSION="8.5 (Ootpa)" ID="rhel" ID_LIKE="fedora" VERSION_ID="8.5" PLATFORM_ID="platform:el8" PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:redhat:enterprise_linu

About this tutorial

  • Author: Luca Berton
  • Difficulty: Beginner
  • Read time: 4 min
  • Category: installation

Topics covered

Related video tutorials