4

鉴于2014 年 9 月 24 日宣布的 bash 远程代码执行漏洞,我如何使用 Ansible 更新基于 apt 的系统?

4

1 回答 1

4

这是我在相当同质的环境中的首选解决方案。这样做的好处是将来更新不会花费很多时间,这与version=latest其他人使用的模式不同。

- name: update apt cache if not done today
  apt: update_cache=yes cache_valid_time=86400

# http://seclists.org/oss-sec/2014/q3/650
- name: ensure secure ansible, ubuntu 1204 edition
  apt: pkg=bash=4.2-2ubuntu2.5 state=present
  when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='12.04'

- name: ensure secure ansible, ubuntu 1404 edition
  apt: pkg=bash=4.3-7ubuntu1.3 state=present
  when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='14.04'

# based on the following gist and comments below. there have been several exploits, this covers them well.
# https://gist.github.com/kacy/2b9408af04c71fab686e
- name: ensure bash is not vulnerable to 201409 problem
  shell: "foo='() { echo not patched; }' bash -c foo"
  register: command_result
  ignore_errors: yes
  failed_when: "'command not found' not in command_result.stderr"

说明:如果每天多次更新 a​​pt-cache 会很昂贵。缓存时间可以调整。代码实际测试以确保漏洞得到修复——测试是好的。这将突出显示未包含在编码的发行版/版本中的任何主机。

所以用户@jarv 也发布了一个很好的解决方案。不是总是更新apt,而是仅在问题尚未解决时才这样做。这是可能的最快解决方案(至少在这个答案中)。jarv 还在链接的 repo 中添加了一个分发测试,这对异构环境很有用。

- name: Check if we are vulnerable
  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
  register: test_vuln

- name: Apply bash security update if we are vulnerable
  apt: name=bash state=latest update_cache=true
  when: "'vulnerable' in test_vuln.stdout"

- name: Check again and fail if we are still vulnerable
  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
  when: "'vulnerable' in test_vuln.stdout"
  register: test_vuln
  failed_when: "'vulnerable' in test_vuln.stdout"

还有其他方法。Ansible 的创建者 Michael DeHaan 和官方 @ansible 帐户在推特上发布了一些解决方案:

这是一个单行

ansible all -m apt -a 'update_cache=yes name=bash state=latest'

这是一个更新和检查解决方案

- name: update apt
  command: apt-get update

- name: update bash
  command: apt-get --only-upgrade install bash

- name: check bash fix
  command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  register: command_result
  failed_when: "'error' not in command_result.stderr"
于 2014-09-24T19:01:40.167 回答