Added alma check

2024-07-07 23:09:22 +03:00 · 2024-07-07 23:09:22 +03:00 · a9ce0c5dd7
commit a9ce0c5dd7
parent 63bea35c76
1 changed files with 54 additions and 0 deletions
--- a/2024-6387/check-alma.yml
+++ b/2024-6387/check-alma.yml
@ -0,0 +1,54 @@
+---
+- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
+  hosts: all
+  become: yes
+  gather_facts: yes
+  vars:
+    alma9_vulnerable_openssh_versions:
+      - 8.7p1-30
+      - 8.7p1-31
+      - 8.7p1-32
+      - 8.7p1-33
+      - 8.7p1-34
+      - 8.7p1-35
+      - 8.7p1-36
+      - 8.7p1-37
+      - 8.7p1-38
+  # Alma 8 is not vulnerable (RHEL 6,7,8 also are not vulnerable)
+
+  tasks:
+    - name: "Setting default to not vulnerable"
+      set_fact:
+        vulnerable: false
+
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name:
+      set_fact:
+        openssh_version: "{{ ansible_facts.packages['openssh-server'][0].version }}"
+      when: "'openssh-server' in ansible_facts.packages"
+
+    - name: "Check whether a package is installed"
+      debug:
+        msg: "{{ ansible_facts.packages['openssh-server'][0].version }}"
+      when: "'openssh-server' in ansible_facts.packages"
+
+
+    - name: "Check distribution"
+      debug:
+        msg: "{{ ansible_distribution }} {{ ansible_distribution_release }} {{ ansible_distribution_version }}"
+
+    - name: "Package is vulnerable"
+      debug:
+        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
+      when: 
+        - ansible_distribution == "AlmaLinux" 
+        - ansible_distribution_major_version == "9"
+        - openssh_version in alma9_vulnerable_openssh_versions
+
+    - fail: 
+        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
+      when: vulnerable
+