Created October 1, 2014 00:26
Ohai 6 version of bash.rb for shellshock testing in Chef. From https://www.getchef.com/blog/2014/09/30/detecting-repairing-shellshock-with-chef/ Find hosts via knife search node -i 'languages_bash_shellshock_vulnerable:true'
```ruby
# Taken from
# https://www.getchef.com/blog/2014/09/30/detecting-repairing-shellshock-with-chef/
# and https://gist.github.com/juliandunn/5bdd11618077573787f8#file-bash-rb
# for the CVE-2014-6271 et al Bash vulns.
# Regrettably, that's an ohai 7 version, so that doesn't work. Ohai 6 for lyfe.
#
provides 'languages/bash'

require_plugin 'languages'

# First line of `bash --version`, stored as languages/bash/version.
def bash_version
  cmd = 'bash --version'
  _, stdout, _ = run_command(:command => cmd)
  stdout.split("\n").first.strip
end

# Runs the probe through a pipeline; grep -q exits 0 only if bash executed
# the echo that trails the function definition in the environment variable.
def bash_vulnerable?
  cmd = <<ENDCMD
env x='() { :;}; echo Your bash is very likely vulnerable as this exited 0. Non-vulnerable bash will exit 1' bash -c 'echo this is a test' | grep -q 'Your bash' > /dev/null 2>&1
ENDCMD
  begin
    rc, _, _ = run_command(:command => cmd)
  rescue Ohai::Exceptions::Exec
    # ignore this exception, as this is what we are testing for!
  end
  # rc is still nil if the exception was rescued above, so this is false.
  rc == 0
end

bash = Mash.new
bash[:version] = bash_version
bash[:shellshock_vulnerable] = bash_vulnerable?

languages[:bash] = bash
```
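The plugin's `rescue` turns every failed command into `false`, so a host where the probe could not run looks the same as a patched one. The following stand-alone check is an added example, not code from the gist or the Chef blog post: it runs the same CVE-2014-6271 probe without Ohai and reports three states. `MARKER`, `classify_probe`, `probe_bash` and `shellshock_attribute` are hypothetical names chosen here.

```ruby
require 'open3'

MARKER   = 'shellshock-probe-marker' # constructed string, not from the gist
SENTINEL = 'this is a test'          # harmless command output used on the page
PROBE_ENV = { 'x' => "() { :;}; echo #{MARKER}" }.freeze

# Classify the probe's stdout. Pure function, so it can be tested offline.
def classify_probe(stdout)
  return :vulnerable     if stdout.include?(MARKER)
  return :not_vulnerable if stdout.include?(SENTINEL)
  :unknown # bash never ran the test command, so nothing was proven
end

# Run the probe against one bash binary. Argument-array form: no /bin/sh,
# env or grep in between, so only the bash under test parses anything.
def probe_bash(bash = 'bash')
  stdout, _stderr, _status =
    Open3.capture3(PROBE_ENV, bash, '-c', "echo #{SENTINEL}")
  classify_probe(stdout)
rescue SystemCallError # e.g. Errno::ENOENT when the binary is missing
  :unknown
end

# Map the three states onto a value for bash[:shellshock_vulnerable]:
# true, false, or nil when the check could not be performed.
def shellshock_attribute(state)
  { vulnerable: true, not_vulnerable: false }[state]
end

if __FILE__ == $PROGRAM_NAME
  state = probe_bash
  puts "bash probe: #{state} " \
       "(attribute value: #{shellshock_attribute(state).inspect})"
end
```

This covers only the single probe shown on the page; the related follow-up CVEs the header comment alludes to need their own checks.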