Mitigate CVE-2021-4034 on CentOS 8 with Ansible
pkexec_block.stp:

# SystemTap guard: send SIGKILL to pkexec when it starts with an empty or
# missing first argument, the condition CVE-2021-4034 depends on.
probe process("/usr/bin/pkexec").function("main") {
    if (cmdline_arg(1) == "")
        raise(9);
}
---
- hosts:
    - all
  become: yes
  tasks:
    - name: Check Linux distro
      fail:
        msg: This playbook only supports CentOS
      when: ansible_distribution != "CentOS"

    - name: Check if mitigations have already been successfully deployed
      command: lsmod
      register: lsmod
      changed_when: false

    # Everything below runs only when the stap module is not already loaded.
    - when: "'stap_pkexec_block' not in lsmod.stdout"
      block:
        - name: Gather kernel version
          command: uname -r
          register: uname
          changed_when: false

        - name: Enable debuginfo repo
          ini_file:
            dest: /etc/yum.repos.d/CentOS-Linux-Debuginfo.repo
            section: debuginfo
            option: enabled
            value: 1

        # stap needs kernel-devel and kernel-debuginfo matching the running kernel
        - name: Install CentOS kernel devel package
          yum:
            state: present
            enablerepo: base-debuginfo
            name:
              - "kernel-devel-{{ uname.stdout }}"
              - "kernel-debuginfo-{{ uname.stdout }}"

        - name: Install SystemTap
          yum:
            state: present
            name:
              - systemtap
              - systemtap-runtime
              - polkit-debuginfo

        - name: Create systemtap script pkexec_block.stp
          copy:
            src: pkexec_block.stp
            dest: /tmp/pkexec_block.stp

        # -g: guru mode (needed for raise), -F: load and detach, -m: module name
        - name: Load the systemtap module into the running kernel
          command: stap -g -F -m stap_pkexec_block pkexec_block.stp
          args:
            chdir: /tmp

        - name: Check if mitigation was successfully deployed
          command: lsmod
          register: lsmod2
          failed_when: "'stap_pkexec_block' not in lsmod2.stdout"
          changed_when: false
BirkhoffLee commented Jan 27, 2022

A few things to note:

  • The kernel-devel package takes around 3 GiB of disk space.
  • kernel-devel can be unavailable for your kernel version.
  • This mitigation lasts until the server is rebooted.
  • Update polkit as soon as an update is possible.
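The playbook only checks lsmod, and the note above says the module is gone after a reboot and that the real fix is an updated polkit. As an added check script that is not part of the gist, the following classifies a host from those two facts: the module listed by lsmod and the installed polkit version against a fixed version the operator supplies (FIXED_POLKIT is a placeholder; the lsmod lines in the test are constructed).

```shell
#!/bin/sh
# Added check (not from the gist): classify a CentOS 8 host's CVE-2021-4034 exposure
# from whether stap_pkexec_block is loaded and whether polkit has been updated.
# Helpers take their inputs as text so they can be exercised offline.

MODULE=stap_pkexec_block
# Placeholder: set to the version-release of the fixed polkit package named in the
# vendor advisory for your release. Left UNKNOWN, the package check is skipped.
FIXED_POLKIT="${FIXED_POLKIT:-UNKNOWN}"

# module_loaded LSMOD_OUTPUT: succeeds if the module name appears in column 1.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$MODULE" '$1 == m { f = 1 } END { exit !f }'
}

# version_ge A B: succeeds if A >= B, comparing numeric segments left to right
# (0.115-11.el8 -> 0 115 11 8); missing segments count as 0.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { gsub(/[^0-9]+/, " "); n = split($0, f); c[NR] = n
          for (i = 1; i <= n; i++) v[NR, i] = f[i] }
        END {
            m = (c[1] > c[2]) ? c[1] : c[2]
            for (i = 1; i <= m; i++) {
                a = v[1, i] + 0; b = v[2, i] + 0
                if (a > b) exit 0
                if (a < b) exit 1
            }
            exit 0
        }'
}

# exposure LSMOD_OUTPUT POLKIT_VERSION_RELEASE: prints patched | mitigated | exposed.
exposure() {
    if [ "$FIXED_POLKIT" != UNKNOWN ] && version_ge "$2" "$FIXED_POLKIT"; then
        echo patched      # fixed package installed; the stap module is no longer needed
    elif module_loaded "$1"; then
        echo mitigated    # stap probe active; it does not survive a reboot, so re-check then
    else
        echo exposed
    fi
}

# Live mode, run on the host itself: rpm prints the installed polkit version-release.
if [ "${1:-}" = "--live" ]; then
    state=$(exposure "$(lsmod)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit)")
    echo "CVE-2021-4034: $state"
    [ "$state" != exposed ]
fi
```

Run it with `--live` on the host (as root) after the playbook and again after each reboot; the exit status is non-zero only in the exposed state, so it fits a cron job or monitoring check.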
