@ssm
Created October 20, 2016 13:56
---
# Ansible playbook to download the CVE checking script from redhat.com
# and test all RedHat OS family hosts.
#
# Stig Sandbeck Mathisen <ssm@fnord.no>
#
- hosts: localhost
  connection: local
  tasks:
    - name: Download check script for CVE-2016-5195
      get_url:
        url: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
        dest: rh-cve-2016-5195_1.sh

    # Stop here unless the downloaded script matches the pinned SHA-256 digest.
    - name: Validate checksum
      command: sha256sum rh-cve-2016-5195_1.sh
      register: command_result
      failed_when: >-
        '9f704658db92a719b14cccf5efe3dd3e9f2f42e1752923505c0cf8349327396a'
        not in command_result.stdout

- hosts: all
  become: true
  become_user: root
  tasks:
    # Treat the check as read-only: never report a change, and accept
    # exit codes up to 3 as valid results.
    - name: Run check for CVE-2016-5195
      script: rh-cve-2016-5195_1.sh
      when: ansible_os_family == "RedHat"
      register: cvecheck
      changed_when: False
      failed_when: cvecheck.rc > 3

    # Print the script output for hosts with a non-zero exit code, and fail
    # those whose output contains 'IS vulnerable'.
    - name: Evaluate results
      debug:
        var: cvecheck.stdout_lines
      when: ansible_os_family == "RedHat" and cvecheck.rc > 0
      failed_when:
        cvecheck.stdout.find('IS vulnerable') != -1