【发布时间】:2014-09-24 19:01:40
【问题描述】:
鉴于bash's remote code execution vulnerability announced on Sept 24 2014,我如何使用 Ansible 更新基于 apt 的系统?
【问题讨论】:
标签: ubuntu patch ansible apt shellshock-bash-bug
鉴于bash's remote code execution vulnerability announced on Sept 24 2014,我如何使用 Ansible 更新基于 apt 的系统?
【问题讨论】:
标签: ubuntu patch ansible apt shellshock-bash-bug
这是我在相当同质的环境中首选的解决方案。这样做的好处是,与其他人使用的 version=latest 模式不同,未来更新不会花费太多时间。
- name: update apt cache if not done today
apt: update_cache=yes cache_valid_time=86400
# http://seclists.org/oss-sec/2014/q3/650
- name: ensure secure ansible, ubuntu 1204 edition
apt: pkg=bash=4.2-2ubuntu2.5 state=present
when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='12.04'
- name: ensure secure ansible, ubuntu 1404 edition
apt: pkg=bash=4.3-7ubuntu1.3 state=present
when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='14.04'
# based on the following gist and comments below. there have been several exploits, this covers them well.
# https://gist.github.com/kacy/2b9408af04c71fab686e
- name: ensure bash is not vulnerable to 201409 problem
shell: "foo='() { echo not patched; }' bash -c foo"
register: command_result
ignore_errors: yes
failed_when: "'command not found' not in command_result.stderr"
解释:如果每天多次更新 apt-cache 会很昂贵。缓存时间可以调整。代码实际测试以确保漏洞得到修复——测试是好的。这将突出显示未包含在编码的发行版/版本中的所有主机。
SO 用户@jarv posted a great solution 也是。它不会总是更新 apt,而是仅在问题尚未解决时才更新。这是可能的最快解决方案(至少在这个答案中)。 jarv 还有added a distribution test in the linked repo,对异构环境很有用。
- name: Check if we are vulnerable
shell: executable=/bin/bash env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
register: test_vuln
- name: Apply bash security update if we are vulnerable
apt: name=bash state=latest update_cache=true
when: "'vulnerable' in test_vuln.stdout"
- name: Check again and fail if we are still vulnerable
shell: executable=/bin/bash env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
when: "'vulnerable' in test_vuln.stdout"
register: test_vuln
failed_when: "'vulnerable' in test_vuln.stdout"
还有其他方法。 Ansible 的创建者 Michael DeHaan 和官方 @ansible 帐户在推特上发布了一些解决方案:
ansible all -m apt -a 'update_cache=yes name=bash state=latest'
Here's a update-and-check solution:
- name: update apt
command: apt-get update
- name: update bash
command: apt-get --only-upgrade install bash
- name: check bash fix
command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
register: command_result
failed_when: "'error' not in command_result.stderr"
【讨论】:
foo='() { echo not patched; }' bash -c foo