BirkhoffLee · January 27, 2022 04:08 · BirkhoffLee · Jan 27, 2022
diff --git a/pkexec_block.stp b/pkexec_block.stp
 probe process("/usr/bin/pkexec").function("main")  {
        if (cmdline_arg(1) == "")
                raise(9);
 }
diff --git a/playbook.yml b/playbook.yml
 ---
 - hosts:
  - all
  become: yes

  tasks:
    - name: Check Linux distro
      fail:
        msg: This playbook only supports CentOS
      when: ansible_distribution != "CentOS"

    - name: Check if mitigations have already been successfully deployed
      command: lsmod
      register: lsmod
      changed_when: 0

    - when: "'stap_pkexec_block' not in lsmod.stdout"
      block:
      - name: Gather kernel version
        command: uname -r
        register: uname
        changed_when: 0

      - name: Enable debuginfo repo
        ini_file:
          dest: /etc/yum.repos.d/CentOS-Linux-Debuginfo.repo
          section: debuginfo
          option: enabled
          value: 1

      - name: Install CentOS kernel devel package
        yum:
          state: present
          enablerepo: base-debuginfo
          name:
            - "kernel-devel-{{ uname.stdout }}"
            - "kernel-debuginfo-{{ uname.stdout }}"

      - name: Install SystemTap
        yum:
          state: present
          name:
            - systemtap
            - systemtap-runtime
            - polkit-debuginfo

      - name: Create systemtap script pkexec-block.stp
        copy:
          src: pkexec_block.stp
          dest: /tmp/pkexec_block.stp

      - name: Load the systemtap module into the running kernel
        command: stap -g -F -m stap_pkexec_block pkexec_block.stp
        args:
          chdir: /tmp

      - name: Check if mitigation was successfully deployed
        command: lsmod
        register: lsmod2
        failed_when: "'stap_pkexec_block' not in lsmod2.stdout"
        changed_when: 0
	probe process("/usr/bin/pkexec").function("main") {
	if (cmdline_arg(1) == "")
	raise(9);
	}
	---
	- hosts:
	- all
	become: yes

	tasks:
	- name: Check Linux distro
	fail:
	msg: This playbook only supports CentOS
	when: ansible_distribution != "CentOS"

	- name: Check if mitigations have already been successfully deployed
	command: lsmod
	register: lsmod
	changed_when: 0

	- when: "'stap_pkexec_block' not in lsmod.stdout"
	block:
	- name: Gather kernel version
	command: uname -r
	register: uname
	changed_when: 0

	- name: Enable debuginfo repo
	ini_file:
	dest: /etc/yum.repos.d/CentOS-Linux-Debuginfo.repo
	section: debuginfo
	option: enabled
	value: 1

	- name: Install CentOS kernel devel package
	yum:
	state: present
	enablerepo: base-debuginfo
	name:
	- "kernel-devel-{{ uname.stdout }}"
	- "kernel-debuginfo-{{ uname.stdout }}"

	- name: Install SystemTap
	yum:
	state: present
	name:
	- systemtap
	- systemtap-runtime
	- polkit-debuginfo

	- name: Create systemtap script pkexec-block.stp
	copy:
	src: pkexec_block.stp
	dest: /tmp/pkexec_block.stp

	- name: Load the systemtap module into the running kernel
	command: stap -g -F -m stap_pkexec_block pkexec_block.stp
	args:
	chdir: /tmp

	- name: Check if mitigation was successfully deployed
	command: lsmod
	register: lsmod2
	failed_when: "'stap_pkexec_block' not in lsmod2.stdout"
	changed_when: 0