Added ubuntu test
This commit is contained in:
parent
5c718043fa
commit
63bea35c76
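--- /dev/null
+++ b/2024-6387/check-ubuntu.yml
@@ -0,0 +1,96 @@
+---
+- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
+  hosts: all
+  become: yes
+  gather_facts: yes
+  vars:
+    jammy_vulnerable_openssh_versions:
+      - 1:8.9p1-3ubuntu0.7
+      - 1:8.9p1-3ubuntu0.6
+      - 1:8.9p1-3ubuntu0.5
+      - 1:8.9p1-3ubuntu0.4
+      - 1:8.9p1-3ubuntu0.3
+      - 1:8.9p1-3ubuntu0.1
+    mantic_vulnerable_openssh_versions:
+      - 1:9.3p1-1ubuntu3.3
+      - 1:9.3p1-1ubuntu3.2
+      - 1:9.3p1-1ubuntu3.1
+      - 1:9.3p1-1ubuntu3
+      - 1:9.3p1-1ubuntu2
+      - 1:9.3p1-1ubuntu1
+    noble_vulnerable_openssh_versions:
+      - 1:9.6p1-3ubuntu13
+      - 1:9.6p1-3ubuntu12
+      - 1:9.6p1-3ubuntu11
+      - 1:9.6p1-3ubuntu10
+      - 1:9.6p1-3ubuntu9
+      - 1:9.6p1-3ubuntu8
+      - 1:9.6p1-3ubuntu7
+      - 1:9.6p1-3ubuntu6
+      - 1:9.6p1-3ubuntu5
+      - 1:9.6p1-3ubuntu4
+      - 1:9.6p1-3ubuntu3
+      - 1:9.6p1-3ubuntu2
+      - 1:9.6p1-3ubuntu1
+
+    # bionic Not vulnerable (introduced in v8.5p1)
+    # focal Not vulnerable (introduced in v8.5p1)
+    # jammy Released (1:8.9p1-3ubuntu0.10)
+    # mantic Released (1:9.3p1-1ubuntu3.6)
+    # noble Released (1:9.6p1-3ubuntu13.3)
+    # trusty Not vulnerable (introduced in v8.5p1)
+    # upstream Pending (9.8p1)
+    # xenial Not vulnerable (introduced in v8.5p1)
+
+  tasks:
+    - name: "Setting default to not vulnerable"
+      set_fact:
+        vulnerable: false
+
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name:
+      set_fact:
+        openssh_version: "{{ ansible_facts.packages['openssh-server'][0].version }}"
+      when: "'openssh-server' in ansible_facts.packages"
+
+    - name: "Check whether a package is installed"
+      debug:
+        msg: "{{ ansible_facts.packages['openssh-server'][0].version }}"
+      when: "'openssh-server' in ansible_facts.packages"
+
+
+    - name: "Check distribution"
+      debug:
+        msg: "{{ ansible_distribution }} {{ ansible_distribution_release }} {{ ansible_distribution_version }}"
+
+    - name: "Package is vulnerable"
+      debug:
+        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
+      when:
+        - ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
+        - ansible_distribution_release == 'bionic'
+        - openssh_version in bionic_vulnerable_openssh_versions
+
+    - name: "Package is vulnerable"
+      set_fact:
+        vulnerable: true
+      when:
+        - ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
+        - ansible_distribution_release == 'jammy'
+        - openssh_version in jammy_vulnerable_openssh_versions
+
+    - name: "Package is vulnerable"
+      set_fact:
+        vulnerable: true
+      when:
+        - ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
+        - ansible_distribution_release == 'mantic'
+        - openssh_version in matic_vulnerable_openssh_versions
+
+    - fail:
+        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
+      when: vulnerable
+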
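Review bot: The mantic check `- openssh_version in matic_vulnerable_openssh_versions` references a variable that is never defined (a typo for `mantic_vulnerable_openssh_versions`), so on a mantic host that task would raise an undefined-variable error instead of setting `vulnerable`; the bionic task has the same problem with `bionic_vulnerable_openssh_versions`, which `vars` never declares, and since it is a `debug` rather than a `set_fact` it cannot influence the final `fail` anyway — given the `# bionic Not vulnerable` comment it should simply be removed. `noble_vulnerable_openssh_versions` is declared but no task consults it, so a vulnerable noble host is reported clean, and every `in` check dereferences `openssh_version`, which is only set when openssh-server is installed, so a jammy/mantic host without the package would abort on an undefined variable rather than pass; guard each check with `- openssh_version is defined`. Enumerating known-bad builds also means any version absent from the list is silently treated as safe; comparing the installed version against the fixed versions already noted in the comments (for example with `dpkg --compare-versions`) would be more robust, and `become: yes` / `gather_facts: yes` should be written `true`. The corrected mantic task and the missing noble task follow.
```yaml
    # … unchanged: default/package_facts/openssh_version/jammy tasks …

    - name: "Package is vulnerable"
      set_fact:
        vulnerable: true
      when:
        - ansible_distribution in ['Ubuntu']
        - ansible_distribution_release == 'mantic'
        - openssh_version is defined
        - openssh_version in mantic_vulnerable_openssh_versions

    - name: "Package is vulnerable"
      set_fact:
        vulnerable: true
      when:
        - ansible_distribution in ['Ubuntu']
        - ansible_distribution_release == 'noble'
        - openssh_version is defined
        - openssh_version in noble_vulnerable_openssh_versions

    # … unchanged: final fail task …
```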