Merge pull request #1578 from edx/cg/add_security_fixes

Add play for fixing and checking bash vulnerability

Merge pull request #1578 from edx/cg/add_security_fixes
Add play for fixing and checking bash vulnerability
65d93334 · John Jarvis · c09f9b94 · 149fff01 · 65d93334 · 65d93334
Commit 65d93334 authored Sep 24, 2014 by John Jarvis
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

playbooks/roles/common/defaults/main.yml
+1 -0

playbooks/roles/common/tasks/main.yml
+5 -0

playbooks/roles/common/tasks/security-ubuntu.yml
+8 -0

playbooks/security.yml
+7 -0

No files found.
--- a/playbooks/roles/common/defaults/main.yml
+++ b/playbooks/roles/common/defaults/main.yml
@@ -43,6 +43,7 @@ COMMON_CUSTOM_DHCLIENT_CONFIG: false
 COMMON_MOTD_TEMPLATE: "motd.tail.j2"
 COMMON_SSH_PASSWORD_AUTH: "no"

+COMMON_SECURITY_UPDATES: no
 # These are three maintenance accounts across all databases
 # the read only user is is granted select privs on all dbs
 # the admin user is granted create user privs on all dbs

--- a/playbooks/roles/common/tasks/main.yml
+++ b/playbooks/roles/common/tasks/main.yml
 ---
+- include: security-ubuntu.yml
+  when:
+    - COMMON_SECURITY_UPDATES|bool
+    - ansible_distribution == 'Ubuntu'    
+
 - name: Add user www-data
  # This is the default user for nginx
  user: >

--- a/playbooks/roles/common/tasks/security-ubuntu.yml
+++ b/playbooks/roles/common/tasks/security-ubuntu.yml
+
+- name: Apply bash security update
+  apt: name=bash state=latest update_cache=true
+
+- name: Check and fail if we are still vulnerable
+  shell: excutable=bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
+  register: test_vuln
+  failed_when: "'vulnerable' in test_vuln.stdout"
--- a/playbooks/security.yml
+++ b/playbooks/security.yml
+- name: Apply Upgrade for bash vulnerability in Ubuntu
+  hosts: all
+  sudo: yes
+  vars:
+    COMMON_SECURITY_UPDATES: yes
+  roles:
+    - common