evenme · March 3, 2016 22:45
diff --git a/cve-2016-0800_drown.yml b/cve-2016-0800_drown.yml
 - hosts: all
  gather_facts: true
  become: true
  serial: 1
  vars:
    vulnerable_releases:
      '5': '0.9.8e-37.el5_11'
      '6': '1.0.1e-42.el6_7.2'
      '7': '1.0.1e-51.el7_2.2'
    port: 80
  tasks:
  # - name: disable SELinux
  #   selinux: state=disabled

  - name: check for openssl version
    shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl.{{ansible_architecture}}
    register: openssl_version

  - name: check for vulnerable versions
    debug: msg="OpenSSL version  is vulnerable."
    when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
    register: is_vuln

  - name: update openssl from yum if available
    yum: name=openssl state=latest update_cache=yes
    when: not is_vuln|skipped
    register: installed

  - name: restart_system
    shell: sleep 2 && shutdown -r now "Ansible updates triggered"
    async: 1
    poll: 0
    ignore_errors: true
    when: installed.changed

  - name: waiting for server to come back
    local_action: wait_for host={{ inventory_hostname }}
      port={{ port }}
      state=started
      delay=15
      timeout=300
      connect_timeout=15
    become: false
    when: installed.changed

  - name: check for openssl version
    shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl.{{ansible_architecture}}
    register: openssl_version

  - name: show OpenSSL version
    debug: msg="OpenSSL -> {{ openssl_version.stdout }}"

  - name: check that we are no longer vulnerable
    debug: msg="OpenSSL version  is still vulnerable!"
    when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
	- hosts: all
	gather_facts: true
	become: true
	serial: 1
	vars:
	vulnerable_releases:
	'5': '0.9.8e-37.el5_11'
	'6': '1.0.1e-42.el6_7.2'
	'7': '1.0.1e-51.el7_2.2'
	port: 80
	tasks:
	# - name: disable SELinux
	# selinux: state=disabled

	- name: check for openssl version
	shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl.{{ansible_architecture}}
	register: openssl_version

	- name: check for vulnerable versions
	debug: msg="OpenSSL version is vulnerable."
	when: openssl_version.stdout\|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
	register: is_vuln

	- name: update openssl from yum if available
	yum: name=openssl state=latest update_cache=yes
	when: not is_vuln\|skipped
	register: installed

	- name: restart_system
	shell: sleep 2 && shutdown -r now "Ansible updates triggered"
	async: 1
	poll: 0
	ignore_errors: true
	when: installed.changed

	- name: waiting for server to come back
	local_action: wait_for host={{ inventory_hostname }}
	port={{ port }}
	state=started
	delay=15
	timeout=300
	connect_timeout=15
	become: false
	when: installed.changed

	- name: check for openssl version
	shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl.{{ansible_architecture}}
	register: openssl_version

	- name: show OpenSSL version
	debug: msg="OpenSSL -> {{ openssl_version.stdout }}"

	- name: check that we are no longer vulnerable
	debug: msg="OpenSSL version is still vulnerable!"
	when: openssl_version.stdout\|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')