CVE-2014-0291 Patch openssl with ansible 漏洞


Usage

# Install Ansible on the control node. This pulls the current release; the
# playbook on this page still uses `always_run`, which current Ansible releases
# no longer accept, so either pin an older version here or update the playbook.
pip install ansible
# Run the playbook against the hosts listed in the inventory file (-i).
# The playbook is referenced without a file extension here — confirm the real
# filename on disk before running.
ansible-playbook -i your_inventory_file patch-openssl-CVE-2015-0291_CVE-2015-0204
# Ansible inventory (INI form): one managed host per line, by IP or DNS name.
# There are no group headers, so the playbook's `hosts: all` targets every entry.
192.168.0.10
webserver1.example.com
webserver2.example.com
db1.example.com


EXP

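---
# Update OpenSSL on RedHat-family hosts, find the services that still map the
# old (deleted) library, and restart them so the patched copy is actually used.
#
# NOTE(review): the page title names CVE-2014-0291 while the playbook file name
# on the page names CVE-2015-0291 / CVE-2015-0204 — confirm which advisory this
# play is meant to address.
#
# The play must run as root (or with `become: true` added): the package update,
# an lsof scan over every process, and the service restarts all need it.
- hosts: all
  # In the original these keys sat at the same indent as `vars:`, which left
  # `vars` null and turned them into unknown play keywords; they belong under it.
  vars:
    # Packages to bring to the latest version. `openssl` pulls its library
    # subpackage along with it where one exists (openssl-libs on EL7+).
    # The original also listed `libssl3`, which is not a RedHat package name
    # (it is the Debian OpenSSL 3 runtime), so yum would fail on it.
    openssl_packages:
      - openssl
    # Candidate services that link against libssl; only those that report as
    # running are restarted.
    openssl_impacted_service:
      - nginx
      - httpd
      - postgresql
      - php5-fpm
      - openvpn
      - postfix
      - monit
      - zabbix-server
      - unbound
    # lsof pattern for a process that still maps a deleted OpenSSL library.
    # OpenSSL's shared object is libssl.so.<version>; libssl3.so belongs to NSS,
    # so the original pattern ('DEL.*libssl3.so') checked the wrong library.
    deleted_libssl_pattern: 'DEL.*libssl\.so'

  tasks:
    - name: ensure openssl is the latest version
      yum:
        name: "{{ openssl_packages }}"
        state: latest
      # `openssl_updated.changed` is true if any package was updated.
      register: openssl_updated
      when: ansible_os_family == "RedHat"

    - name: check if services need to be restarted
      # grep rc 0 => at least one process still maps a deleted libssl.
      # pipefail makes a missing or failing lsof surface as a non-zero rc
      # instead of being masked by grep's "no match" rc 1.
      shell: "set -o pipefail; lsof -n | grep '{{ deleted_libssl_pattern }}'"
      args:
        executable: /bin/bash
      register: result_check
      # rc 1 is simply "nothing found"; anything above 1, or an lsof usage
      # complaint, is a real failure of the probe.
      failed_when: >-
        result_check.rc > 1
        or 'unrecognized' in (result_check.stdout ~ result_check.stderr)
      # read-only probe: never report a change
      changed_when: false
      # `always_run: yes` was removed in Ansible 2.4; `check_mode: false` is its replacement.
      check_mode: false

    - name: test which impacted services are running
      # `command` does not go through a shell, so the `|` in the original was
      # handed to `service` as a literal argument; `shell` is required here.
      shell: "service {{ item }} status | grep -i running"
      register: services_status
      with_items: "{{ openssl_impacted_service }}"
      when: result_check.rc == 0 or openssl_updated.changed
      # grep rc 1 just means "not running"; it must not abort the play
      ignore_errors: true
      check_mode: false

    - name: restart running services
      service:
        name: "{{ item.item }}"
        state: restarted
      with_items: "{{ services_status.results | default([]) }}"
      # item.rc is absent when the status probe was skipped, so guard it.
      when:
        - (result_check.rc == 0 or openssl_updated.changed)
        - item.rc is defined and item.rc == 0

    - name: ensure no more services need to be restarted
      shell: "set -o pipefail; lsof -n | grep '{{ deleted_libssl_pattern }}'"
      args:
        executable: /bin/bash
      register: result
      # rc 0: a process still holds the deleted library; rc > 1: lsof/grep error.
      # Only rc 1 ("no match") is a pass — the original let errors through.
      failed_when: result.rc != 1
      # read-only probe: never report a change
      changed_when: false
      check_mode: false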