Skip to content

lucab85/ansible-role-log4shell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.github
.github
 
 
defaults
defaults
 
 
meta
meta
 
 
molecule/default
molecule/default
 
 
tasks
tasks
 
 
vars
vars
 
 
.ansible-lint
.ansible-lint
 
 
.yamllint
.yamllint
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

lucab85.ansible_role_log4shell

CI Release

Ansible role to scan target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 for Log4Shell (CVE-2021-44228).

Tested with Red Hat version 1.3 detector 2022-01-10.

Ansible Playbook

Code also available as Ansible Playbook lucab85/log4j-cve-2021-44228

Requirements

ansible 2.9+

Role Variables

The default variable values - defaults/main.yml:

sh_detector: "cve-2021-44228--2022-01-10-1242.sh"
sh_signature: 'cve-2021-44228--2022-01-10-1242.sh.asc'
detector_baseurl: 'https://access.redhat.com/sites/default/files/'
detector_path: "/var/"
detector_dir: "/opt/cve-2021-44228/"
detector_run_dir: 'tmp'
detector_options: '-n -d --no-progress --scan {{ detector_path }}'
gpg_keyid: '7514F77D8366B0D9'
gpg_server: "pgp.mit.edu"
clean_run_before: true
delete_after: true
verify_gpg: false
  • sh_detector: the filename of the detector bash script file
  • sh_signature: the filename of the detector GPG signature file
  • detector_baseurl: the base URL to download the previous files
  • detector_path: the path to inspect (default /var/)
  • detector_dir: the download path of the detector (default detector_dir - /opt/cve-2021-44228/) Note: volume requires exec permission!
  • detector_run_dir: the subdirectory to create before the run (default tmp)
  • detector_options: the command lines options for detector script (default -n -d --no-progress --scan {{ detector_path }})
  • gpg_keyid: the GPG public key to download for the verification (default Red Hat Product Security 7514F77D8366B0D9)
  • gpg_server: the GPG server where to download the GPG public key (default pgp.mit.edu)
  • clean_run_before: remove the run directory and recreate before the execution - detector requires an empty directory (default true)
  • delete_after: remove the detector_dir after the execution (default false)
  • verify_gpg: perform the GPG signature download and verification (default: false)

Dependencies

None.

Download

First download the latest version of Ansible role lucab85.ansible_role_log4shell Ansible Galaxy:

ansible-galaxy install lucab85.ansible_role_log4shell

Example Playbook

This is an example of how to use the lucab85.ansible_role_log4shell role (with variables passed in as parameters):

---
- name: run detector
  hosts: all
  become: true
  roles:
    - role: lucab85.ansible_role_log4shell
      detector_path: "/var/www"

License

MIT / BSD

Author Information

This role was created in 2021 by Luca Berton, author of Ansible Pilot.

Ansible Pilot

More information:

Donate

Thank you for supporting me:

About

Ansible playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 for Log4Shell (CVE-2021-44228).

www.ansiblepilot.com/articles/vulnerability-scanner-detector-log4shell-remote-code-execution-log4j-cve-2021-44228-ansible-log4j-cve-2021-44228/

Topics

security log4j devsecops cve-2021-44228 log4shell

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases 9

Updated detector script 1.3 Latest
Jan 10, 2022
+ 8 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published