diff --git a/README.md b/README.md index 7c0c077..dc7c4cb 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,10 @@ Code also available as Ansible Galaxy role [lucab85.ansible_role_log4shell](http ansible-galaxy install lucab85.ansible_role_log4shell ``` -## How to run +## How to run the Ansible Playbook Default variables scan all the `/var/` path for affected files. -Customize the `vars.yml` file for more options. +You could customize the `vars.yml` file for more options. ```bash ansible-playbook log4j-cve-2021-44228.yml @@ -52,9 +52,26 @@ delete_after: false verify_gpg: true ``` -## demo execution +- sh_detector: the filename of the detector bash script file +- sh_signature: the filename of the detector GPG signature file +- detector_baseurl: the base URL to download the previous files +- detector_path: the path to inspect (default `/var/`) +- detector_dir: the download path of the detector (default `detector_dir`) +- detector_run_dir: the subdirectory to create before the run (default `tmp`) +- detector_options: the command lines options for detector script (default `-n -d --no-progress --scan {{ detector_path }}`) +- gpg_keyid: the GPG public key to download for the verification (default Red Hat Product Security `7514F77D8366B0D9`) +- clean_run_before: remove the run directory and recreate before the execution - detector requires empty directory (default `true`) +- delete_after: remove the _detector_dir_ the execution (default `false`) +- verify_gpg: perform the GPG signature donwload and verification (default: `true`) + + +## Demo execution + +The full output of the execution of the playbook against the RHEL8 demo target host: ```bash +$ ansible-playbook log4j-cve-2021-44228.yml + PLAY [detector for Apache Log4j (CVE-2021-44228)] ****************************** TASK [Gathering Facts] ********************************************************* 
@@ -64,14 +81,16 @@ TASK [include_vars] ************************************************************ ok: [demo] TASK [dependency present] ****************************************************** -ok: [demo] +changed: [demo] TASK [create detector directory] *********************************************** -ok: [demo] +changed: [demo] + +TASK [download detector file] ************************************************** +changed: [demo] -TASK [download detector file(s)] *********************************************** -ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh) -ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh.asc) +TASK [download detector signature] ********************************************* +changed: [demo] TASK [gpg public key] ********************************************************** changed: [demo] @@ -80,7 +99,7 @@ TASK [gpg verify detector] ***************************************************** changed: [demo] TASK [remove any detector run directory] *************************************** -changed: [demo] +ok: [demo] TASK [create detector run directory] ******************************************* changed: [demo] @@ -88,7 +107,7 @@ changed: [demo] TASK [run detector/scanner] **************************************************** changed: [demo] -TASK [files in detector run directory] ************ +TASK [files in detector run directory] ***************************************** ok: [demo] TASK [print vulnerable path(s) found] ****************************************** @@ -108,7 +127,7 @@ TASK [remove detector directory] *********************************************** skipping: [demo] PLAY RECAP ********************************************************************* -demo : ok=12 changed=5 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 +demo : ok=13 changed=8 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 ``` diff --git a/log4j-cve-2021-44228.yml b/log4j-cve-2021-44228.yml index 85721ac..a426a7b 100644 --- a/log4j-cve-2021-44228.yml 
+++ b/log4j-cve-2021-44228.yml @@ -7,7 +7,11 @@ - name: dependency present ansible.builtin.package: - name: unzip + name: + - unzip + - gpg + - dirmngr + - file state: present update_cache: true @@ -16,31 +20,37 @@ path: '{{ detector_dir }}' state: directory - - name: download detector file(s) + - name: download detector file ansible.builtin.get_url: - url: "{{ detector_baseurl }}{{ item }}" - dest: "{{ detector_dir }}{{ item }}" + url: "{{ detector_baseurl }}{{ sh_detector }}" + dest: "{{ detector_dir }}{{ sh_detector }}" mode: '0755' owner: root group: root - with_items: - - '{{ sh_detector }}' - - '{{ sh_signature }}' + + - name: download detector signature + ansible.builtin.get_url: + url: "{{ detector_baseurl }}{{ sh_signature }}" + dest: "{{ detector_dir }}{{ sh_signature }}" + mode: '0644' + owner: root + group: root + when: verify_gpg - name: gpg public key - ansible.builtin.shell: '{{ gpg_public_key }}' - when: verify_gpg == true + ansible.builtin.command: '{{ gpg_public_key }}' + when: verify_gpg - name: gpg verify detector - ansible.builtin.shell: > - 'gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}' - when: verify_gpg == true + ansible.builtin.command: >- + gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }} + when: verify_gpg - name: remove any detector run directory ansible.builtin.file: path: '{{ detector_dir }}{{ detector_run_dir }}' state: absent - when: clean_run_before == true + when: clean_run_before - name: create detector run directory ansible.builtin.file: @@ -48,8 +58,8 @@ state: directory - name: run detector/scanner - ansible.builtin.shell: > - '{{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }}' + ansible.builtin.command: >- + {{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }} - name: files in detector run directory ansible.builtin.find: 
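Review bot: The package names added to `dependency present` (`gpg`, `dirmngr`) are Debian/Ubuntu package names; on RHEL/Fedora the same binaries ship in `gnupg2`, so `ansible.builtin.package` will only resolve them there if the distro exposes a matching virtual provide (the README's RHEL8 demo shows the task succeeding, so presumably it does, but that is worth confirming on the target families you support). A more portable form keys the list on the OS family, e.g. `name: "{{ detector_packages[ansible_facts['os_family']] }}"` with a `detector_packages` map in `vars.yml` such as `Debian: [unzip, gpg, dirmngr, file]` and `RedHat: [unzip, gnupg2, file]`. A one-line comment above the list naming which distros it was tested on would also help, since a missing package here fails the whole play before any scanning happens.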
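Review bot: The `gpg verify detector` task only checks that the signature is good for some key in root's keyring, not that it was made by `gpg_keyid`, so any key already imported on the host (or anything the `gpg_public_key` command imports — its value is not visible in this hunk) would satisfy it before the downloaded script is executed as root a few tasks later. Verification is also read-only, so the task should carry `changed_when: false` (the README demo shows it reporting `changed`). I would run gpg with `--status-fd 1`, register the result, and fail unless a status line names the expected key, as below; if the signing key is a subkey, match the primary fingerprint on the `VALIDSIG` line rather than the `GOODSIG` key ID. Note too that with `verify_gpg: false` the signature download is skipped and the unverified script still runs as root, which deserves a warning comment above that `when`, e.g. `# WARNING: with verify_gpg=false the detector runs as root without any signature check`.
```yaml
    - name: gpg verify detector
      ansible.builtin.command: >-
        gpg --status-fd 1 --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}
      register: gpg_verify
      changed_when: false
      # gpg exits 0 for any key in the keyring; additionally require the
      # signature to come from the expected key (GOODSIG carries the long key ID)
      failed_when: >-
        gpg_verify.rc != 0 or
        gpg_verify.stdout_lines | select('search', '^\[GNUPG:\] GOODSIG ' ~ gpg_keyid) | list | length == 0
      when: verify_gpg
```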
@@ -64,4 +74,4 @@ ansible.builtin.file: path: '{{ detector_dir }}' state: absent - when: delete_after == true + when: delete_after