Fixing Heartbleed with Ansible

heartbleed_ansible

First of all: this is a re-post of an article from another blog, I do not want to take someone else credit! You can find original post HERE ūüėČ
Many thanks to its author, you save lot of my time!

Just want to share it since it was really useful in fixing a bunch of servers at once, so you can use “my” solution or simply go to the original post and check¬†another alternatives.

Basic idea is to use Ansible to update OpenSSL on all you server and restart all impacted services.
Simple and effective! Find the original script here: https://github.com/jdauphant/patch-openssl-CVE-2014-0160/blob/master/patch-openssl-CVE-2014-0160.yml

My only addition are sudo and remote_user siche my playbook set expect them into the playbook itself:

---
 - hosts: all
   remote_user: my_sudo_user
   sudo: True
   vars:
     openssl_packages: ["openssl","libssl1.0.0"]
     openssl_impacted_service:
        - nginx
        - apache2
        - postgresql
        - php5-fpm
        - openvpn
        - postfix
        - monit
        - zabbix-server
   tasks:
     - name: ensure openssl is the last version
       apt: pkg={{item}} state=latest update_cache=yes
       register: openssl_updated
       with_items: openssl_packages
       when: ansible_os_family == "Debian"
     - name: check if service need to be restarted
       shell: "lsof -n | grep 'DEL.*libssl.so'"
       register: result_check
       failed_when: result_check.rc > 1
       changed_when: result_check.rc != 1
       always_run: yes
     - name: test running services
       command: "service {{item}} status | grep -i running"
       register: services_status
       with_items: openssl_impacted_service
       when: result_check.rc == 0 or openssl_updated.changed
       ignore_errors: true
       always_run: yes
     - name: restart running service
       service: name={{item.item}} state=restarted
       with_items: services_status.results
       when: (result_check.rc == 0 or openssl_updated.changed ) and item.rc == 0
     - name: ensure no more service need to be restarted
       shell: "lsof -n | grep 'DEL.*libssl.so'"
       register: result
       failed_when: result.rc == 0
       changed_when: result.rc != 1
       always_run: yes
Annunci

Rispondi

Inserisci i tuoi dati qui sotto o clicca su un'icona per effettuare l'accesso:

Logo WordPress.com

Stai commentando usando il tuo account WordPress.com. Chiudi sessione /  Modifica )

Google+ photo

Stai commentando usando il tuo account Google+. Chiudi sessione /  Modifica )

Foto Twitter

Stai commentando usando il tuo account Twitter. Chiudi sessione /  Modifica )

Foto di Facebook

Stai commentando usando il tuo account Facebook. Chiudi sessione /  Modifica )

Connessione a %s...