ansible_role_log4shell
lucab85.ansible_role_log4shell
Ansible role to scan target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 for Log4Shell (CVE-2021-44228).
Tested with Red Hat version 1.3 detector 2022-01-10.
Ansible Playbook
Code also available as Ansible Playbook lucab85/log4j-cve-2021-44228
Requirements
ansible 2.9+
Role Variables
The default variable values - defaults/main.yml
:
sh_detector: "cve-2021-44228--2022-01-10-1242.sh"
sh_signature: 'cve-2021-44228--2022-01-10-1242.sh.asc'
detector_baseurl: 'https://access.redhat.com/sites/default/files/'
detector_path: "/var/"
detector_dir: "/opt/cve-2021-44228/"
detector_run_dir: 'tmp'
detector_options: '-n -d --no-progress --scan {{ detector_path }}'
gpg_keyid: '7514F77D8366B0D9'
gpg_server: "pgp.mit.edu"
clean_run_before: true
delete_after: true
verify_gpg: false
sh_detector
: the filename of the detector bash script filesh_signature
: the filename of the detector GPG signature filedetector_baseurl
: the base URL to download the previous filesdetector_path
: the path to inspect (default/var/
)detector_dir
: the download path of the detector (defaultdetector_dir
-/opt/cve-2021-44228/
) Note: volume requires exec permission!detector_run_dir
: the subdirectory to create before the run (defaulttmp
)detector_options
: the command lines options for detector script (default-n -d --no-progress --scan {{ detector_path }}
)gpg_keyid
: the GPG public key to download for the verification (default Red Hat Product Security7514F77D8366B0D9
)gpg_server
: the GPG server where to download the GPG public key (defaultpgp.mit.edu
)clean_run_before
: remove the run directory and recreate before the execution - detector requires an empty directory (defaulttrue
)delete_after
: remove the detector_dir after the execution (defaultfalse
)verify_gpg
: perform the GPG signature download and verification (default:false
)
Dependencies
None.
Download
First download the latest version of Ansible role lucab85.ansible_role_log4shell Ansible Galaxy:
ansible-galaxy install lucab85.ansible_role_log4shell
Example Playbook
This is an example of how to use the lucab85.ansible_role_log4shell
role (with variables passed in as parameters):
---
- name: run detector
hosts: all
become: true
roles:
- role: lucab85.ansible_role_log4shell
detector_path: "/var/www"
License
MIT / BSD
Author Information
This role was created in 2021 by Luca Berton, author of Ansible Pilot.
Ansible Pilot
More information:
Donate
Thank you for supporting me:
About
Ansible playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 version 1.2 2021-12-20 for Log4Shell (CVE-2021-44228).
Install
ansible-galaxy install lucab85/ansible-role-log4shell
License
mit
Downloads
255
Owner
Ansible Automation Engineer with Open Source passion: (Ansible, Progressive Web Applications, Cloud Computing, IoT, GNU/Linux)