# CVE-2021-3156 Mitigation Playbook v.1.0
# Copyright (c) 2021 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# Warning! Be sure to download the latest version of this script from its primary source:
# https://access.redhat.com/security/vulnerabilities/RHSB-2021-002
# This playbook will install systemtap utilities and create a systemtap script to prevent
# sudo from being executed as sudoedit. The script will need to be installed each time
# the system is booted to be effective. You can use this playbook to install the script
# after booting. Note that while the probe is loaded, every sudo invocation whose argv[0]
# contains "edit" -- including legitimate use of sudoedit -- is killed. This is a temporary
# workaround only; install the fixed sudo package as soon as it is available.
# To use this playbook, set the HOSTS extra var with the name of the hosts or group
# you wish to modify:
# ansible-playbook -e HOSTS=web,mail,ns1 CVE-2021-3156_stap_mitigate.yml
#
# To verify that the script is installed, issue the command `lsmod` and look for
# `sudoedit_block` in the list of loaded modules.
#
# To remove the script after a fixed package has been installed, find the process ID of
# systemtap with pgrep or ps, for example:
#
# [root@host ~]# ps $(pgrep stap)
# 23344
#
# Then, kill the systemtap process with the SIGTERM signal:
#
# [root@host ~]# kill -s SIGTERM 23344
#
# Alternatively, you can reboot the system. When no longer needed,
# /root/sudoedit-block.stap and /root/sudoedit-block.log can be removed.
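---
# Play: load a SystemTap probe that kills any sudo process whose argv[0]
# looks like "sudoedit" (the CVE-2021-3156 trigger) at entry to main(),
# before any of sudo's own argument handling runs.  The probe lives only
# until the next reboot; it is a stop-gap, not a replacement for the fixed
# sudo package, and it also blocks legitimate sudoedit use while loaded.
- name: Block sudoedit with systemtap
  hosts: "{{ HOSTS }}"
  become: true
  tasks:
    # stap builds a kernel module, so it needs the headers of the *running*
    # kernel.  NOTE(review): if the host is running an older kernel than the
    # newest installed one, that exact kernel-devel version may no longer be
    # available from the repositories -- reboot into the current kernel first.
    - name: Install systemtap packages
      yum:
        name:
          - systemtap
          - yum-utils
          - "kernel-devel-{{ ansible_kernel }}"

    # The user-space probe below must resolve sudo's main(); debuginfo-install
    # needs the debuginfo repositories to be reachable on these hosts.
    - name: (RHEL 7) Install kernel debuginfo
      command: debuginfo-install -y kernel-{{ ansible_kernel }}
      when: ansible_distribution_major_version == '7'

    - name: (RHEL 6/8) Install sudo debuginfo
      command: debuginfo-install -y sudo
      when: ansible_distribution_major_version in ['6', '8']

    # Needed by the copy module on RHEL 6 hosts with SELinux enabled.
    - name: (RHEL 6) Install libselinux-python
      yum:
        name:
          - libselinux-python
      when: ansible_distribution_major_version == '6'

    # The probe is compiled and run in guru mode (-g) as root, so the script
    # is kept root-only (0600) and an existing copy is never overwritten: a
    # re-run cannot silently change the source an already-loaded module was
    # built from.  To roll out a newer probe, stop the running staprun, delete
    # this file and re-run the play.
    - name: Create systemtap script
      copy:
        dest: /root/sudoedit-block.stap
        owner: root
        group: root
        mode: '0600'
        force: false
        content: |
          # Fires on entry to sudo's main().  cmdline_args(0,0,"") is argv[0]
          # only; the exploit needs argv[0] to be "sudoedit", so any argv[0]
          # containing "edit" is killed.  This is deliberately broad: it also
          # stops legitimate sudoedit invocations (plain "sudo -e" has
          # argv[0] "sudo" and is not affected by this probe).
          probe process("/usr/bin/sudo").function("main") {
            command = cmdline_args(0,0,"");
            if (isinstr(command, "edit")) {
              # Leave an audit trail in the stap output file (-o below)
              # before killing: real uid of the caller, pid and full argv.
              printf("%s blocked sudoedit: uid=%d pid=%d cmdline=%s\n",
                     ctime(gettimeofday_s()), uid(), pid(), cmdline_str());
              raise(9);
            }
          }

    # grep rc 0: module already loaded, 1: not loaded, 2: grep itself failed
    # (e.g. /proc/modules unreadable).  Allowed to run in check mode because it
    # is read-only and lets a dry run report whether the probe would be loaded.
    - name: Checking if sudoedit_block module is already loaded
      command: grep -Fq sudoedit_block /proc/modules
      register: loaded_module
      changed_when: loaded_module.rc == 1  # report as changed if not loaded
      failed_when: loaded_module.rc == 2
      check_mode: false

    # -F      flight-recorder mode: the probe keeps running in the background
    #         after this task returns
    # -o/-S 1 probe output (the blocked-attempt log lines above) goes to the
    #         log file, capped at 1 MB so a flood of attempts cannot fill /root
    # -m      fixed module name; this is what the /proc/modules check looks for
    # -g      guru mode, required for raise()
    - name: Install systemtap script
      shell: stap -F -o /root/sudoedit-block.log -S 1 -m sudoedit_block -g /root/sudoedit-block.stap
      when: loaded_module.rc == 1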