Ansible Playbook for dealing with Heartbleed
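---
# Much lifted from https://gist.github.com/carsongee/10137729
#
# Two plays: the first sorts every host into a group named after its
# Ubuntu release codename, the second patches and re-checks only the
# releases known to ship a vulnerable OpenSSL. Hosts that land in any
# other group are left untouched by this playbook.
#
# `sudo:` is the Ansible 1.x spelling; later releases prefer `become: true`.

# Make our target groups
- hosts: all
  sudo: true
  tasks:
    # Grouping is usually done by role/function rather than OS type
    # but this is easily generated.
    # NOTE(review): ansible_lsb is presumably only populated when the LSB
    # tooling is present on the host; a host without it would get no
    # codename group and be silently skipped by the second play — verify
    # on your fleet.
    - name: Build groups based on OS type
      group_by:
        key: "{{ ansible_lsb.codename }}"

# Push the updates: Heartbleed affects Ubuntu 12.04, 12.10, 13.10
- hosts: "precise:quantal:saucy"
  sudo: true
  # no need to gather facts a second time
  gather_facts: false
  # one host at a time so a bad update does not take the whole group down
  serial: 1
  tasks:
    # debian-goodies provides `checkrestart`, used by the last task.
    - name: "Install packages and update cache"
      apt:
        name: "{{ item }}"
        state: latest
        update_cache: true
      with_items:
        - libssl1.0.0
        - openssl
        - debian-goodies

    # Not everyone has cond_restart, or is a SysV script, only restart
    # if we are running in the first place.
    # `status` fails for services that are not installed, which is why
    # errors are ignored; be aware this also hides a genuine restart
    # failure, so the process check below is the real gate.
    - name: "Restart Services known to be affected"
      shell: >-
        service {{ item }} status && service {{ item }} restart
      with_items:
        - ssh
        - whoopsie
        - ntp
        - postfix
        - nagios-nrpe-server
        - openvpn
        - chef-client
      ignore_errors: true

    # Pins the exact build timestamp of the patched package at the time
    # this was written; a later rebuild of openssl will report
    # "Bad build date" even though it is patched. Comparing the dpkg
    # version string would be a more durable check.
    - name: "Check that we are safe"
      shell: |
        if [ "$(openssl version -a | grep built)" != "built on: Mon Apr 7 20:33:29 UTC 2014" ]; then
          echo "Bad build date"
          echo "$(openssl version -a | grep built)"
          exit 1
        fi
      # read-only verification; never report it as a change
      changed_when: false
      tags: check

    # Any process still mapping a deleted (DEL) libssl file is running the
    # old, vulnerable library and must be restarted; `checkrestart` lists
    # them. The inner `sudo` is redundant under `sudo: true` but harmless.
    - name: "Check that we don't have affected processes running"
      shell: |
        if [ "$(sudo lsof -n | grep ssl | grep DEL | wc -l)" != "0" ]; then
          echo "We still have affected processes"
          checkrestart
          exit 1
        fi
      changed_when: false
      tags: check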