Skip to content

Instantly share code, notes, and snippets.

@carsongee
Last active July 5, 2017 02:23
Show Gist options
  • Save carsongee/10137729 to your computer and use it in GitHub Desktop.
Save carsongee/10137729 to your computer and use it in GitHub Desktop.
Heartbeat / Heartbleed SSL Ansible check and correct play for Ubuntu
---
# Patches openssl problem and restarts needed services
- name: Apply common configration to all nodes
hosts: all
sudo: yes
# Uncomment to apply update one server at a time
# serial: 1
tasks:
- name: "Install packages and update cache"
apt: pkg="{{ item }}" state=latest update_cache=yes
with_items:
- libssl1.0.0
- openssl
- debian-goodies
- name: "Restart Services known to be affected"
service: name={{ item }} state=restarted
with_items:
- ssh
- nginx
- whoopsie
- snmpd
- ntp
- supervisor
- postfix
- apache
- shibd
ignore_errors: yes
- name: "Check that we are safe"
shell: >
if [ "$(openssl version -a | grep built)" != "built on: Mon Apr 7 20:33:29 UTC 2014" ]; then echo "Bad build date"; echo "$(openssl version -a | grep built)"; exit 1; fi
tags: check
- name: "Check that we don't have affected processes running"
shell: >
if [ "$(sudo lsof -n | grep ssl | grep DEL | wc -l)" != "0" ]; then echo "We still have affected processes"; checkrestart; exit 1; fi
tags: check
@mxxcon
Copy link

mxxcon commented Apr 10, 2014

You might want to restart those services through a handler. No point in bouncing all of them if no new packages got installed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment