@davidgiesberg
Created September 30, 2014 02:30
Shellshock Chef Updates for Ubuntu

We added these bits to one of our base cookbooks that gets applied to every node.

Because apt doesn't let you specify a minimum version for a package to be installed, I had to build an approximation of that logic in this recipe. Basically, we check whether the installed bash package version is less than the version specified in the node attributes for that platform. If and only if the installed version is less than the min_pkg_ver attribute, we notify apt_package[bash] to run the :upgrade action. That should keep us from upgrading bash unnecessarily while ensuring that we are never running an unpatched bash.

(Also handy to note is the execute[apt-get update] resource: that uses the apt cookbook to force an apt-get update to run immediately. If you don't do that, bash won't update until apt has refreshed its package lists AND this Chef recipe runs again.)

# Attributes (the default[...] settings belong in the cookbook's attributes file)
#
# Bash vulnerabilities:
# Address USN-2362-1 http://www.ubuntu.com/usn/usn-2362-1/
# Address USN-2363-1 http://www.ubuntu.com/usn/usn-2363-1/
# Address USN-2363-2 http://www.ubuntu.com/usn/usn-2363-2/
if node['platform'] == 'ubuntu'
  case node['platform_version']
  when '14.04'
    default['union']['security']['min_pkg_ver']['bash'] = '4.3-7ubuntu1.3'
  when '12.04'
    default['union']['security']['min_pkg_ver']['bash'] = '4.2-2ubuntu2.3'
  when '10.04'
    default['union']['security']['min_pkg_ver']['bash'] = '4.1-2ubuntu3.2'
  else
    nil # no minimum known for other releases, so the recipe's check is skipped
  end
end

# Recipe
#
# The package resource does nothing on its own; it only runs when notified below.
apt_package 'bash' do
  action :nothing
end

log 'Check for vulnerable bash versions' do
  # deep_fetch is provided by the chef-sugar cookbook
  only_if { node['platform'] == 'ubuntu' && node.deep_fetch('union', 'security', 'min_pkg_ver') }
  not_if do
    cmd = Mixlib::ShellOut.new('dpkg -s bash')
    cmd.run_command
    current_bash_version = cmd.stdout.lines.grep(/^Version:/).first.split[1]
    min_bash_version = node['union']['security']['min_pkg_ver']['bash']
    # Compare with dpkg's own version ordering rather than as plain strings:
    # a string comparison would rank e.g. ...ubuntu1.10 below ...ubuntu1.3
    # and so leave a patched package looking vulnerable (or vice versa).
    Mixlib::ShellOut.new('dpkg', '--compare-versions', current_bash_version, 'ge', min_bash_version)
                    .run_command.exitstatus == 0
  end
  notifies :run, 'execute[apt-get update]', :immediately
  notifies :upgrade, 'apt_package[bash]', :immediately
end
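The guard above hinges on ordering two Debian version strings correctly, so here is an added example (my own code, not part of the gist) that implements dpkg's comparison rules in plain Ruby, which lets the decision be unit-tested without shelling out; the function names are assumptions of this example.

```ruby
# Added example, not from the gist: Debian version ordering as dpkg does it
# (epoch, upstream, revision; '~' lowest, digits numeric, letters before punctuation).
def deb_version_split(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  upstream, _, revision = rest.include?('-') ? rest.rpartition('-') : [rest, '', '']
  [epoch.to_i, upstream, revision]
end

# Ordering of a single non-digit character; nil marks the end of a fragment.
def deb_char_order(c)
  return -1 if c == '~'
  return 0 if c.nil?
  return c.ord if c =~ /[A-Za-z]/
  c.ord + 256
end

# Compare two upstream-or-revision fragments, alternating non-digit and
# digit runs the way dpkg's verrevcmp does.
def deb_fragment_cmp(a, b)
  until a.empty? && b.empty?
    a_nd = a[/\A\D*/]; b_nd = b[/\A\D*/]
    a = a[a_nd.size..-1]; b = b[b_nd.size..-1]
    [a_nd.size, b_nd.size].max.times do |i|
      d = deb_char_order(a_nd[i]) <=> deb_char_order(b_nd[i])
      return d unless d == 0
    end
    a_d = a[/\A\d*/]; b_d = b[/\A\d*/]
    a = a[a_d.size..-1]; b = b[b_d.size..-1]
    d = a_d.to_i <=> b_d.to_i
    return d unless d == 0
  end
  0
end

# Returns -1, 0 or 1 like <=>.
def deb_version_cmp(x, y)
  xe, xu, xr = deb_version_split(x)
  ye, yu, yr = deb_version_split(y)
  d = xe <=> ye
  d = deb_fragment_cmp(xu, yu) if d == 0
  d = deb_fragment_cmp(xr, yr) if d == 0
  d
end

# The decision the recipe's not_if guard needs: is installed >= minimum?
def patched_bash?(installed, minimum)
  deb_version_cmp(installed, minimum) >= 0
end
```

The constructed version '4.3-7ubuntu1.10' shows the point: a plain Ruby string comparison puts it below '4.3-7ubuntu1.3', while dpkg ordering correctly ranks it higher.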