@evandhoffman
Last active August 29, 2015 14:07
Update all ELBs to address POODLE
#!/bin/bash
# To audit, I tried the bash script here https://gist.github.com/aastaneh/46ceb03150e5284b8a3a but it didn't work,
# so here's my version. It doesn't attempt to check internal ELBs (prefixed with 'internal').
# The PASS/FAIL below only means something if this openssl build can still speak SSLv3: recent builds
# drop -ssl3 entirely, s_client then fails against every host, and every ELB would report a false PASS.
if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
  echo "this openssl has no -ssl3 support; the audit would be meaningless" >&2
  exit 2
fi
# --query/--output text gives one DNS name per field, so no grepping of pretty-printed JSON is needed.
for ELB in $(aws elb describe-load-balancers --query 'LoadBalancerDescriptions[].DNSName' --output text); do
  case "$ELB" in internal*) continue ;; esac
  printf '%s ' "$ELB"
  # s_client prints DONE after a successful handshake once stdin is exhausted; no handshake, no DONE.
  if echo "01 logout" | openssl s_client -ssl3 -connect "$ELB:443" 2>&1 | grep -q DONE; then
    echo FAIL   # SSLv3 handshake succeeded: POODLE-exposed
  else
    echo PASS
  fi
done
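The audit loop above depends on `openssl s_client -ssl3`, which many current OpenSSL builds no longer ship. As an added example that is not part of the gist or its author's code, the following Python speaks just enough SSLv3 to ask the same question without relying on the local OpenSSL: it sends a ClientHello whose highest offered version is 3.0 and classifies the first record that comes back. A server with SSLv3 still enabled answers with a 3.0 ServerHello; a patched one sends an alert or just closes the connection. The cipher-suite list, the 443 default and the PASS/FAIL vocabulary are assumptions chosen to match the gist; the sample records used to exercise the classifier are constructed.

```python
import os
import socket
import struct
import time

SSL3_VERSION = 0x0300                      # SSLv3 on the wire is version {3, 0}
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

# Assumed suite list: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5,
# all of which an SSLv3-era endpoint recognises.
DEFAULT_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(cipher_suites=DEFAULT_SUITES, client_random=None):
    """Return one SSLv3 record carrying a ClientHello that offers only version 3.0."""
    if client_random is None:
        client_random = struct.pack("!I", int(time.time())) + os.urandom(28)
    assert len(client_random) == 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", SSL3_VERSION)
            + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    # Handshake header: 1-byte type, 3-byte length.
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: 1-byte content type, 2-byte version, 2-byte length.
    return (bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, len(handshake))
            + handshake)


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello.

    'sslv3-accepted'  ServerHello with server_version 3.0 (POODLE-exposed)
    'rejected'        an alert record (handshake_failure, protocol_version, ...)
    'closed'          nothing came back before the peer closed or we timed out
    'unknown'         anything else (not TLS, or a version we never offered)
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type, _record_version, _length = struct.unpack("!BHH", data[:5])
    if content_type == RECORD_ALERT:
        return "rejected"
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        # server_version sits after the 5-byte record header and 4-byte handshake header.
        server_version = struct.unpack("!H", data[9:11])[0]
        return "sslv3-accepted" if server_version == SSL3_VERSION else "unknown"
    return "unknown"


def verdict(classification):
    """Map a classification onto the gist's PASS/FAIL vocabulary."""
    return "FAIL" if classification == "sslv3-accepted" else "PASS"


def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and return the classification."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        result = probe(host)
        print(f"{host} {verdict(result)} ({result})")
```

Run it as `python3 sslv3probe.py my-elb-123.us-east-1.elb.amazonaws.com` against the DNS names the gist's loop enumerates. Only a 3.0 ServerHello counts as FAIL; an alert, a TLS-version ServerHello we never asked for, and a bare close are all treated as "not SSLv3", which is the same decision the `grep DONE` test makes, without the dependency on the local OpenSSL.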
# The commands below attempt to update every ELB's listener on port 443.
# If an ELB has no listener on 443, the second command emits an error for it and the loop continues.
# Make sure this is a recent version of awscli
$ aws --version
aws-cli/1.4.3 Python/2.7.5 Darwin/13.4.0
# Create a policy for each ELB based on ELBSecurityPolicy-2014-10
$ for i in `aws elb describe-load-balancers | grep LoadBalancerName | awk '{print $2}' | perl -ne 'chomp; $_ =~ /\"([\w-]+)\",/; print "$1 ";'` ; do aws elb create-load-balancer-policy --load-balancer-name $i --policy-name Poodle-20141015 --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10 ; done
# Apply the new policy to each ELB. set-load-balancer-policies-of-listener replaces the whole set of
# policies on that port, so any other policy that was attached to the 443 listener is dropped.
$ for i in `aws elb describe-load-balancers | grep LoadBalancerName | awk '{print $2}' | perl -ne 'chomp; $_ =~ /\"([\w-]+)\",/; print "$1 ";'` ; do aws elb set-load-balancer-policies-of-listener --load-balancer-name $i --load-balancer-port 443 --policy-names Poodle-20141015 ; done
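The two loops above assume every ELB terminates TLS on port 443 and tell internal ELBs apart only by their DNS prefix. As an added example that is not part of the gist or its author's code, the Python below reads the JSON that `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` produce, classifies ELBs by their `Scheme` field, finds every HTTPS/SSL listener whatever its port, checks whether a policy already attached to that listener has `Protocol-SSLv3` set to false, and emits the gist's two commands only for listeners that still need them, with the right port each time. The ELB names, DNS names and policy documents embedded here are constructed samples trimmed to the fields the script reads; real output carries many more keys.

```python
import json

# Constructed sample of `aws elb describe-load-balancers` output (fictional ELBs).
DESCRIBE_LBS = json.loads("""
{"LoadBalancerDescriptions": [
 {"LoadBalancerName": "web-prod", "Scheme": "internet-facing",
  "DNSName": "web-prod-1234567890.us-east-1.elb.amazonaws.com",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": ["ELBSecurityPolicy-2011-08"]},
   {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": []}]},
 {"LoadBalancerName": "api-prod", "Scheme": "internet-facing",
  "DNSName": "api-prod-0987654321.us-east-1.elb.amazonaws.com",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443, "InstanceProtocol": "TCP", "InstancePort": 8443},
    "PolicyNames": ["Poodle-20141015"]}]},
 {"LoadBalancerName": "static-web", "Scheme": "internet-facing",
  "DNSName": "static-web-5566778899.us-east-1.elb.amazonaws.com",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": []}]},
 {"LoadBalancerName": "db-internal", "Scheme": "internal",
  "DNSName": "internal-db-internal-1122334455.us-east-1.elb.amazonaws.com",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": ["ELBSecurityPolicy-2011-08"]}]}
]}
""")


def _policy(name, sslv3):
    """Build one constructed PolicyDescriptions entry, trimmed to the Protocol-SSLv3 attribute."""
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [{"AttributeName": "Protocol-SSLv3", "AttributeValue": sslv3}]}


# Constructed samples of `aws elb describe-load-balancer-policies --load-balancer-name <name>`, one per ELB.
DESCRIBE_POLICIES = {
    "web-prod":    {"PolicyDescriptions": [_policy("ELBSecurityPolicy-2011-08", "true")]},
    "api-prod":    {"PolicyDescriptions": [_policy("Poodle-20141015", "false")]},
    "static-web":  {"PolicyDescriptions": []},
    "db-internal": {"PolicyDescriptions": [_policy("ELBSecurityPolicy-2011-08", "true")]},
}


def sslv3_disabled_policies(policy_doc):
    """Names of SSLNegotiationPolicyType policies whose Protocol-SSLv3 attribute is false."""
    names = set()
    for pol in policy_doc.get("PolicyDescriptions", []):
        if pol.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"] for a in pol.get("PolicyAttributeDescriptions", [])}
        if attrs.get("Protocol-SSLv3", "").lower() == "false":
            names.add(pol["PolicyName"])
    return names


def tls_listeners(lb):
    """(port, attached policy names) for every listener on which the ELB terminates TLS."""
    return [(d["Listener"]["LoadBalancerPort"], d.get("PolicyNames", []))
            for d in lb.get("ListenerDescriptions", [])
            if d["Listener"]["Protocol"] in ("HTTPS", "SSL")]


def plan(lbs_doc, policies_by_lb, include_internal=False):
    """(name, port, status) per TLS listener; status is 'ok', 'update' or 'no-tls-listener'.

    Internal ELBs are recognised by their Scheme field rather than guessed from the DNS name.
    """
    rows = []
    for lb in lbs_doc["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        if lb.get("Scheme") == "internal" and not include_internal:
            continue
        listeners = tls_listeners(lb)
        if not listeners:
            rows.append((name, None, "no-tls-listener"))
            continue
        safe = sslv3_disabled_policies(policies_by_lb.get(name, {}))
        for port, attached in listeners:
            rows.append((name, port, "ok" if any(p in safe for p in attached) else "update"))
    return rows


def commands(rows, policy_name="Poodle-20141015", reference="ELBSecurityPolicy-2014-10"):
    """CLI commands for every 'update' row: the policy is created once per ELB, then set per port."""
    cmds, created = [], set()
    for name, port, status in rows:
        if status != "update":
            continue
        if name not in created:
            cmds.append(f"aws elb create-load-balancer-policy --load-balancer-name {name} "
                        f"--policy-name {policy_name} --policy-type-name SSLNegotiationPolicyType "
                        f"--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue={reference}")
            created.add(name)
        cmds.append(f"aws elb set-load-balancer-policies-of-listener --load-balancer-name {name} "
                    f"--load-balancer-port {port} --policy-names {policy_name}")
    return cmds


if __name__ == "__main__":
    for row in plan(DESCRIBE_LBS, DESCRIBE_POLICIES, include_internal=True):
        print(*row)
    print("\n".join(commands(plan(DESCRIBE_LBS, DESCRIBE_POLICIES))))
```

To run it against a real account, replace the constructed documents with `json.load()` of the two CLI commands' output. On the sample, web-prod gets both commands for port 443, api-prod is left alone because its listener on 8443 already carries a policy with `Protocol-SSLv3` false, static-web is reported as having no TLS listener instead of producing an error, and db-internal is only touched when `include_internal=True`.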