CVE-2016-2108 SSL Ansible check and correct play for Ubuntu
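---
# Patches OpenSSL on Ubuntu hosts (CVE-2016-2108), restarts the services known
# to load the library, and then verifies two things:
#   1. the installed `openssl` binary reports the expected build, and
#   2. no process is still running against a deleted (pre-update) copy of
#      libssl / libcrypto.
#
# The second check is the real gate: updating the package on disk does not
# remove the vulnerable code from a daemon that was never restarted, so a
# silently failed restart must not be mistaken for "patched".
#
# Requires an Ansible release that understands `become` (the original
# `sudo: yes` spelling was dropped in later releases).
- name: Apply common configration to all nodes
  hosts: all
  become: true
  # Uncomment to apply update one server at a time
  # serial: 1
  vars:
    # Build string expected from `openssl version -a | grep built` on a
    # patched host. Copy it verbatim from a host you have already verified:
    # the comparison is exact, including the whitespace OpenSSL prints in
    # the ctime-style date. Override per host group (or with -e) for Ubuntu
    # releases that ship a different build.
    openssl_expected_build: "built on: Mon May 2 16:53:18 UTC 2016"
    # Services known to link OpenSSL on the managed hosts. Not every host
    # runs every one of them; a restart of an absent service fails and is
    # ignored, and anything left holding the old library is caught by the
    # final check instead.
    affected_services:
      - ssh
      - nginx
      - whoopsie
      - snmpd
      - ntp
      - supervisor
      - postfix
      - apache
      - shibd
  tasks:
    - name: "Install packages and update cache"
      apt:
        name:
          - libssl1.0.0
          - openssl
          - debian-goodies   # provides `checkrestart`, used by the last task
        state: latest
        update_cache: true

    - name: "Restart Services known to be affected"
      service:
        name: "{{ item }}"
        state: restarted
      with_items: "{{ affected_services }}"
      # Failures here are expected for services that are not installed on a
      # given host; do not rely on this task to prove the host is clean.
      ignore_errors: true

    - name: "Check that we are safe"
      # A build-date match only shows the `openssl` binary was replaced; it
      # says nothing about processes still mapping the old shared library.
      shell: |
        built="$(openssl version -a | grep built)"
        if [ "$built" != "{{ openssl_expected_build }}" ]; then
          echo "Bad build date"
          echo "$built"
          exit 1
        fi
      changed_when: false   # read-only check; never report a change
      tags: check

    - name: "Check that we don't have affected processes running"
      # lsof marks a memory-mapped file that was replaced on disk with the
      # FD value DEL. Match libcrypto as well as libssl: CVE-2016-2108 is in
      # the ASN.1 code in libcrypto, and daemons such as sshd link libcrypto
      # without libssl, so grepping for "ssl" alone would miss them. No
      # `sudo` is needed inside the command: the play already runs with
      # `become`.
      shell: |
        stale="$(lsof -n | grep -E 'libssl|libcrypto' | grep -c DEL)"
        if [ "$stale" != "0" ]; then
          echo "We still have affected processes"
          checkrestart
          exit 1
        fi
      changed_when: false   # read-only check; never report a change
      tags: check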