-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathsite.yml
133 lines (116 loc) · 3.68 KB
/
site.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
---
# vim: sw=2 ai expandtab ts=2
- name: Download check scripts
hosts: Download
gather_facts: false
force_handlers: true
connection: local
tasks:
- name: Create script_file
run_once: true
tempfile:
register: script_file
- name: Download script locally
run_once: true
get_url:
dest: "{{ script_file.path }}"
url: "{{ ScriptUrl }}"
force: yes
- name: Check gpg2 is installed
when: ScriptGpgSigUrl is defined and ScriptGpgSigUrl | length > 0
run_once: true
command: /usr/bin/which gpg2
changed_when: false
failed_when: false
register: gpg2
- name: Download script gpg2 sig locally
when: gpg2.stdout | default('')
run_once: true
get_url:
dest: "{{ script_file.path }}.asc"
url: "{{ ScriptGpgSigUrl }}"
mode: 0600
force: yes
- name: Check hosts for meltdown and spectre
hosts: Check
gather_facts: false
force_handlers: true
connection: smart
vars:
gpg2: "{{ hostvars.localhost.gpg2 }}"
script_file: "{{ hostvars.localhost.script_file }}"
handlers:
- name: remove script_file
listen: remove temp files
connection: local
run_once: true
file:
path: "{{ script_file.path }}"
state: absent
- name: remove script_file_sig
listen: remove temp files
when: gpg2.stdout | default('')
connection: local
run_once: true
file:
path: "{{ script_file.path }}.asc"
state: absent
- name: remove remote_script
listen: remove remote temp files
file:
path: "{{ remote_script_file.path }}"
state: absent
tasks:
- name: ensure temp files are removed
run_once: true
set_fact:
changed_when: true
notify: remove temp files
- name: check gpg2 signature of script
connection: local
run_once: true
when: gpg2.stdout | default('')
command: "{{ gpg2.stdout }} --auto-key-locate keyserver --keyserver hkp://keys.gnupg.net --keyserver-options auto-key-retrieve {{ script_file.path }}.asc"
- name: Create remote script_file
tempfile:
register: remote_script_file
notify: remove temp files
- name: Copy script to server
copy:
src: "{{ script_file.path }}"
dest: "{{ remote_script_file.path }}"
mode: 0755
notify: remove remote temp files
- name: execute script
become: "{{ ansible_user != 'root' }}"
register: script_output
command: "{{ remote_script_file.path }}"
failed_when: |
script_output.rc not in [ 0, 2, 4, 6, 8, 10, 12, 14 ]
or 'For more information about the vulnerabilities see:' not in script_output.stdout_lines
- name: remove temp files
meta: flush_handlers
- name: check that debugfs was mounted
fail:
msg: "debugfs wasn't readable - running remote script as root?"
when: |
'/sys/kernel/debug/x86 is either not mounted or not accessible' in script_output.stdout_lines
- name: map vulnerabilites
set_fact:
v_map:
Spectre1: "{{ (2).__and__(script_output.rc | int) == (2) }}"
Spectre2: "{{ (4).__and__(script_output.rc | int) == (4) }}"
Meltdown: "{{ (8).__and__(script_output.rc | int) == (8) }}"
- name: highlight vulnerabilites
register: vulnerabilites
changed_when: "v_map[item] == True"
set_fact:
junk: false
with_items:
- Spectre1
- Spectre2
- Meltdown
- name: Error if vulnerabilities
when: vulnerabilites.changed
fail:
msg: "found vulnerabilites: {{ dict(v_map.items() | selectattr('1') | list ).keys() | join(', ') }}"