
CVE-2016-2108 SSL Ansible check and correct play for Ubuntu


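---
# Patches the OpenSSL packages for CVE-2016-2108 on Ubuntu hosts, restarts the
# services known to keep the old library mapped, then verifies the result.
# Run with `--tags check` to execute only the two verification tasks.
- name: Apply common configuration to all nodes
  hosts: all
  become: true
  # Uncomment to apply the update one server at a time
  # serial: 1
  tasks:

    - name: "Install packages and update cache"
      # One apt call for the whole list: the cache is refreshed once instead of
      # once per package, and apt resolves the set together.
      apt:
        name:
          - libssl1.0.0
          - openssl
          - debian-goodies  # provides checkrestart, used by the last check
        state: latest
        update_cache: true

    - name: "Restart Services known to be affected"
      # Names must match the Ubuntu service names: Apache is "apache2" (a plain
      # "apache" does not exist, so with ignore_errors it was skipped silently).
      # ignore_errors keeps the play going on hosts where a service is absent;
      # the failures are still printed, so review the output for unexpected ones.
      service:
        name: "{{ item }}"
        state: restarted
      with_items:
        - ssh
        - nginx
        - whoopsie
        - snmpd
        - ntp
        - supervisor
        - postfix
        - apache2
        - shibd
      ignore_errors: true

    - name: "Check that we are safe"
      # The expected build date is the one of the patched package this play was
      # written against; confirm it matches the fixed package for your Ubuntu
      # release (compare with `openssl version -a` on a known-good host) before
      # trusting the result. Pure check: never reports "changed".
      shell: >
        if [ "$(openssl version -a | grep built)" != "built on: Mon May  2 16:53:18 UTC 2016" ]; then echo "Bad build date"; echo "$(openssl version -a | grep built)"; exit 1; fi
      changed_when: false
      tags: check

    - name: "Check that we don't have affected processes running"
      # Processes still mapping a deleted (replaced) libssl appear in lsof with
      # DEL; checkrestart (from debian-goodies) lists them so they can be
      # restarted. Pure check: never reports "changed".
      shell: >
        if [ "$(sudo lsof -n | grep ssl | grep DEL | wc -l)" != "0" ]; then echo "We still have affected processes"; checkrestart; exit 1; fi
      changed_when: false
      tags: check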