Secure your servers from Shellshock Bash vulnerability using Ansible

Now that all Server Check.in infrastructure is managed by Ansible (some servers are running CentOS, others are running Ubuntu), it's very simple to update all the servers to protect against vulnerabilities like Heartbleed or today's new Shellshock bash vulnerability.

For CentOS (or RedHat)

$ ansible [inventory_group] -m yum -a "name=bash state=latest" [-u remote_username] [-s] [-K]

For Debian (or Ubuntu)

$ ansible [inventory_group] -m apt -a "update_cache=yes name=bash state=latest" [-u remote_username] [-s] [-K]

If you have a different method of patch management, or you need to apply the fixes manually, then this method won't apply—but for most infrastructure using normal system-provided packages, using the above commands will get the fixes with minimal effort.

A little further explanation:

  • The ansible command allows you to run arbitrary commands or configure servers defined in your inventory using Ansible modules ad-hoc.
  • Replace [inventory_group] (including the brackets) with a group you defined in your Ansible inventory—either in /etc/ansible/hosts or in an inventory file (specify the path using -i /path/to/inventory). (Note: If you have all your servers defined in Ansible's global inventory, you can just use all here, and Ansible will run the command on every server*.
  • [-u remote_username] (optional, without brackets) if you need to connect to the servers with a specific user account which is not already configured in your Ansible inventory.
  • [-s] (optional, without brackets) if you need to use sudo, and [-K] (optional, without brackets) if you need to enter a sudo password for your remote user account.

You can use --forks to control how many servers the command will be pushed to at a time; the default is 5, but if you have many servers, and a fast network connection, you could push this up much higher to get the servers updated more quickly!

[Update: Also, you could create a playbook like the one in this comment by jimi-c and run it against all your servers; it runs the proper commands on each platform, and confirms the vulnerability is fixed!]

[Update 2: The September 24th bash fix does not completely close the security hole, so be ready to run the updates again! Further incentive to make sure you have your entire infrastructure in your Ansible inventory...]

*Note that it might be a good idea, especially if you have mixed infrastructure (Arch, Debian, CentOS, etc.), to use dynamic inventories or create groups for each OS, so you can run commands like these like ansible centos [command].