ansible_role_log4shell

lucab85.ansible_role_log4shell

CI Release

Ansible role to scan target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 for Log4Shell (CVE-2021-44228).

Tested with Red Hat version 1.3 detector 2022-01-10.

Ansible Playbook

Code also available as Ansible Playbook lucab85/log4j-cve-2021-44228

Requirements

ansible 2.9+

Role Variables

The default variable values - defaults/main.yml:

sh_detector: "cve-2021-44228--2022-01-10-1242.sh"
sh_signature: 'cve-2021-44228--2022-01-10-1242.sh.asc'
detector_baseurl: 'https://access.redhat.com/sites/default/files/'
detector_path: "/var/"
detector_dir: "/opt/cve-2021-44228/"
detector_run_dir: 'tmp'
detector_options: '-n -d --no-progress --scan {{ detector_path }}'
gpg_keyid: '7514F77D8366B0D9'
gpg_server: "pgp.mit.edu"
clean_run_before: true
delete_after: true
verify_gpg: false
  • sh_detector: the filename of the detector bash script file
  • sh_signature: the filename of the detector GPG signature file
  • detector_baseurl: the base URL to download the previous files
  • detector_path: the path to inspect (default /var/)
  • detector_dir: the download path of the detector (default detector_dir - /opt/cve-2021-44228/) Note: volume requires exec permission!
  • detector_run_dir: the subdirectory to create before the run (default tmp)
  • detector_options: the command lines options for detector script (default -n -d --no-progress --scan {{ detector_path }})
  • gpg_keyid: the GPG public key to download for the verification (default Red Hat Product Security 7514F77D8366B0D9)
  • gpg_server: the GPG server where to download the GPG public key (default pgp.mit.edu)
  • clean_run_before: remove the run directory and recreate before the execution - detector requires an empty directory (default true)
  • delete_after: remove the detector_dir after the execution (default false)
  • verify_gpg: perform the GPG signature download and verification (default: false)

Dependencies

None.

Download

First download the latest version of Ansible role lucab85.ansible_role_log4shell Ansible Galaxy:

ansible-galaxy install lucab85.ansible_role_log4shell

Example Playbook

This is an example of how to use the lucab85.ansible_role_log4shell role (with variables passed in as parameters):

---
- name: run detector
  hosts: all
  become: true
  roles:
    - role: lucab85.ansible_role_log4shell
      detector_path: "/var/www"

License

MIT / BSD

Author Information

This role was created in 2021 by Luca Berton, author of Ansible Pilot.

Ansible Pilot

More information:

Thank you for supporting me:

About

Ansible playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 version 1.2 2021-12-20 for Log4Shell (CVE-2021-44228).

Install
ansible-galaxy install lucab85/ansible-role-log4shell
GitHub repository
License
mit
Downloads
255
Owner
Ansible Automation Engineer with Open Source passion: (Ansible, Progressive Web Applications, Cloud Computing, IoT, GNU/Linux)