55 lines
1.5 KiB
YAML
55 lines
1.5 KiB
YAML
|
---
|
||
|
- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
|
||
|
hosts: all
|
||
|
become: yes
|
||
|
gather_facts: yes
|
||
|
vars:
|
||
|
alma9_vulnerable_openssh_versions:
|
||
|
- 8.7p1-30
|
||
|
- 8.7p1-31
|
||
|
- 8.7p1-32
|
||
|
- 8.7p1-33
|
||
|
- 8.7p1-34
|
||
|
- 8.7p1-35
|
||
|
- 8.7p1-36
|
||
|
- 8.7p1-37
|
||
|
- 8.7p1-38
|
||
|
# Alma 8 is not vulnerable (RHEL 6,7,8 also are not vulnerable)
|
||
|
|
||
|
tasks:
|
||
|
- name: "Setting default to not vulnerable"
|
||
|
set_fact:
|
||
|
vulnerable: false
|
||
|
|
||
|
- name: Gather the package facts
|
||
|
ansible.builtin.package_facts:
|
||
|
manager: auto
|
||
|
|
||
|
- name:
|
||
|
set_fact:
|
||
|
openssh_version: "{{ ansible_facts.packages['openssh-server'][0].version }}"
|
||
|
when: "'openssh-server' in ansible_facts.packages"
|
||
|
|
||
|
- name: "Check whether a package is installed"
|
||
|
debug:
|
||
|
msg: "{{ ansible_facts.packages['openssh-server'][0].version }}"
|
||
|
when: "'openssh-server' in ansible_facts.packages"
|
||
|
|
||
|
|
||
|
- name: "Check distribution"
|
||
|
debug:
|
||
|
msg: "{{ ansible_distribution }} {{ ansible_distribution_release }} {{ ansible_distribution_version }}"
|
||
|
|
||
|
- name: "Package is vulnerable"
|
||
|
debug:
|
||
|
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
|
||
|
when:
|
||
|
- ansible_distribution == "AlmaLinux"
|
||
|
- ansible_distribution_major_version == "9"
|
||
|
- openssh_version in alma9_vulnerable_openssh_versions
|
||
|
|
||
|
- fail:
|
||
|
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
|
||
|
when: vulnerable
|
||
|
|