A vulnerability was recently found in bash and we had to deal with it. The relevant advisories, by distribution:
Amazon Linux
- CVE-2014-6271 fix: ALAS-2014-418
- CVE-2014-7169 fix: ALAS-2014-419
Red Hat Enterprise Linux
- CVE-2014-6271 fix: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
- CVE-2014-7169 fix: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)
CentOS
- CentOS 5: CESA-2014:1306 Important CentOS 5 bash Security Update
- CentOS 6: CESA-2014:1306 Important CentOS 6 bash Security Update
- CentOS 7: CESA-2014:1306 Important CentOS 7 bash Security Update
"Dealing with it" boils down to updating bash, but when there are dozens or hundreds of target servers that is a lot of work.
It becomes pure mind-numbing repetition (what we call "sashimi tanpopo" work: placing the garnish on one sashimi tray after another).
Life is finite. Let's hand off whatever can be handed off to a machine and go have a beer.
The "hand off to a machine" part is what I'll do with Fabric.
The approach is the same as in 【30分で動かすシリーズ】FabricでOpenSSL祭に対応してみる (the "up and running in 30 minutes" post on handling the OpenSSL rush with Fabric); see that post for what Fabric is and how to install it.
Writing the task
The fix is simply `yum update bash`, so write a task that does exactly that.
```python
# coding: utf-8
from fabric.api import env, sudo

# Resolve host names (bashupdate01, bashupdate02, ...) through ~/.ssh/config
env.use_ssh_config = True


def yum_update_bash():
    # Clear cached metadata so yum sees the freshly published bash package
    sudo('yum clean all', user='root', pty=True)
    # Update only bash; -y answers the confirmation prompt so the run is unattended
    sudo('yum -y update bash', user='root', pty=True)
```
It runs `yum clean all` and then `yum update bash`.
Note: no server reboot is required.
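Once the update has been fanned out to many hosts, the next question is whether every host really ended up on a fixed bash. The following is an added example (not from the original post): it parses the output of `rpm -q bash` and compares the installed version against the fixed version the post's yum output installs on RHEL 6 (4.1.2-15.el6_5.2), using rpm's own version-ordering rules. The `FIXED` table, `verify_bash`, `summarize` and the `check_bash` Fabric task are this example's own assumptions, not part of the post.

```python
import re

# Minimum fixed bash version per distribution tag. The el6 entry is the
# version the post's yum output installs (4.1.2-15.el6_5.2); other
# releases must be filled in from that distribution's own advisory.
FIXED = {
    "el6": ("4.1.2", "15.el6_5.2"),
}

_RPM_NAME = re.compile(r"^bash-(?P<ver>[^-]+)-(?P<rel>.+)\.(?P<arch>[^.]+)$")
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order version/release strings the way rpm does: numeric runs compare
    as integers, alphabetic runs as strings, a numeric run sorts after an
    alphabetic one, and '.' / '_' only separate runs. Returns -1, 0 or 1.
    (The '~' pre-release marker is not handled; RHEL 6 bash does not use it.)"""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def verify_bash(rpm_output):
    """Classify one host from a line of `rpm -q bash` output as
    'patched', 'vulnerable' or 'unknown' (unparseable, or no threshold
    known for that distribution tag)."""
    m = _RPM_NAME.match(rpm_output.strip())
    if not m:
        return "unknown"
    dist = re.search(r"\.(el\d+)", m.group("rel"))
    if not dist or dist.group(1) not in FIXED:
        return "unknown"
    fixed_ver, fixed_rel = FIXED[dist.group(1)]
    c = rpmvercmp(m.group("ver"), fixed_ver) or rpmvercmp(m.group("rel"), fixed_rel)
    return "patched" if c >= 0 else "vulnerable"


def summarize(results):
    """results: {host: rpm output}. Returns ({host: status}, {status: count})
    so a run over hundreds of hosts can fail loudly if any is still vulnerable."""
    statuses = dict((h, verify_bash(o)) for h, o in results.items())
    counts = {}
    for s in statuses.values():
        counts[s] = counts.get(s, 0) + 1
    return statuses, counts


# Fabric 1.x wrapper, the same API the post uses. The import is guarded so the
# parsing above can run (and be tested) on a machine without Fabric installed.
try:
    from fabric.api import env, run

    def check_bash():
        print("%s: %s" % (env.host_string, verify_bash(run("rpm -q bash"))))
except ImportError:
    pass
```

Run it the same way as the update task (`fab -H bashupdate01,bashupdate02 -f ./bashupdate.py check_bash`) and a host reported as "vulnerable" or "unknown" is the one to look at by hand.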
Running it
This time the target is Red Hat Enterprise Linux.
As a test, I launched two instances from the RHEL 6.5 AMI that AWS provides.
They are bashupdate01 and bashupdate02, set up so that `ssh bashupdate01` from the terminal connects (the task's `env.use_ssh_config = True` is what lets Fabric reuse those ~/.ssh/config entries).
Output of the run (the progress-bar redraws yum prints while downloading and updating are collapsed to their final line):
```
$ fab -H bashupdate01,bashupdate02 -f ./bashupdate.py yum_update_bash
[bashupdate01] Executing task 'yum_update_bash'
[bashupdate01] sudo: yum clean all
[bashupdate01] out: Loaded plugins: amazon-id, rhui-lb, security
[bashupdate01] out: Cleaning repos: rhui-REGION-client-config-server-6 rhui-REGION-rhel-server-releases rhui-REGION-rhel-server-releases-optional
[bashupdate01] out:               : rhui-REGION-rhel-server-rh-common rhui-REGION-rhel-server-rhscl
[bashupdate01] out: Cleaning up Everything
[bashupdate01] out:
[bashupdate01] sudo: yum -y update bash
[bashupdate01] out: Loaded plugins: amazon-id, rhui-lb, security
[bashupdate01] out: rhui-REGION-client-config-server-6                   | 2.9 kB     00:00
[bashupdate01] out: rhui-REGION-client-config-server-6/primary_db        | 4.0 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-releases                     | 3.7 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-releases/primary_db          |  28 MB     00:01
[bashupdate01] out: rhui-REGION-rhel-server-releases-optional            | 3.5 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-releases-optional/primary_db | 2.8 MB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-rh-common                    | 2.9 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-rh-common/primary_db         |  33 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-rhscl                        | 3.1 kB     00:00
[bashupdate01] out: rhui-REGION-rhel-server-rhscl/primary_db             | 584 kB     00:00
[bashupdate01] out: Setting up Update Process
[bashupdate01] out: Resolving Dependencies
[bashupdate01] out: --> Running transaction check
[bashupdate01] out: ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
[bashupdate01] out: ---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
[bashupdate01] out: --> Finished Dependency Resolution
[bashupdate01] out:
[bashupdate01] out: Dependencies Resolved
[bashupdate01] out:
[bashupdate01] out: ==============================================================================
[bashupdate01] out:  Package   Arch     Version            Repository                        Size
[bashupdate01] out: ==============================================================================
[bashupdate01] out: Updating:
[bashupdate01] out:  bash      x86_64   4.1.2-15.el6_5.2   rhui-REGION-rhel-server-releases 905 k
[bashupdate01] out:
[bashupdate01] out: Transaction Summary
[bashupdate01] out: ==============================================================================
[bashupdate01] out: Upgrade       1 Package(s)
[bashupdate01] out:
[bashupdate01] out: Total download size: 905 k
[bashupdate01] out: Downloading Packages:
[bashupdate01] out: bash-4.1.2-15.el6_5.2.x86_64.rpm                     | 905 kB     00:00
[bashupdate01] out: Running rpm_check_debug
[bashupdate01] out: Running Transaction Test
[bashupdate01] out: Transaction Test Succeeded
[bashupdate01] out: Running Transaction
[bashupdate01] out:   Updating   : bash-4.1.2-15.el6_5.2.x86_64                            1/2
[bashupdate01] out:   Cleanup    : bash-4.1.2-15.el6_4.x86_64                              2/2
[bashupdate01] out:   Verifying  : bash-4.1.2-15.el6_5.2.x86_64                            1/2
[bashupdate01] out:   Verifying  : bash-4.1.2-15.el6_4.x86_64                              2/2
[bashupdate01] out:
[bashupdate01] out: Updated:
[bashupdate01] out:   bash.x86_64 0:4.1.2-15.el6_5.2
[bashupdate01] out:
[bashupdate01] out: Complete!
[bashupdate01] out:
[bashupdate02] Executing task 'yum_update_bash'
[bashupdate02] sudo: yum clean all
[bashupdate02] out: Loaded plugins: amazon-id, rhui-lb, security
[bashupdate02] out: Cleaning repos: rhui-REGION-client-config-server-6 rhui-REGION-rhel-server-releases rhui-REGION-rhel-server-releases-optional
[bashupdate02] out:               : rhui-REGION-rhel-server-rh-common rhui-REGION-rhel-server-rhscl
[bashupdate02] out: Cleaning up Everything
[bashupdate02] out:
[bashupdate02] sudo: yum -y update bash
[bashupdate02] out: Loaded plugins: amazon-id, rhui-lb, security
[bashupdate02] out: rhui-REGION-client-config-server-6                   | 2.9 kB     00:00
[bashupdate02] out: rhui-REGION-client-config-server-6/primary_db        | 4.0 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-releases                     | 3.7 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-releases/primary_db          |  28 MB     00:02
[bashupdate02] out: rhui-REGION-rhel-server-releases-optional            | 3.5 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-releases-optional/primary_db | 2.8 MB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-rh-common                    | 2.9 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-rh-common/primary_db         |  33 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-rhscl                        | 3.1 kB     00:00
[bashupdate02] out: rhui-REGION-rhel-server-rhscl/primary_db             | 584 kB     00:00
[bashupdate02] out: Setting up Update Process
[bashupdate02] out: Resolving Dependencies
[bashupdate02] out: --> Running transaction check
[bashupdate02] out: ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
[bashupdate02] out: ---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
[bashupdate02] out: --> Finished Dependency Resolution
[bashupdate02] out:
[bashupdate02] out: Dependencies Resolved
[bashupdate02] out:
[bashupdate02] out: ==============================================================================
[bashupdate02] out:  Package   Arch     Version            Repository                        Size
[bashupdate02] out: ==============================================================================
[bashupdate02] out: Updating:
[bashupdate02] out:  bash      x86_64   4.1.2-15.el6_5.2   rhui-REGION-rhel-server-releases 905 k
[bashupdate02] out:
[bashupdate02] out: Transaction Summary
[bashupdate02] out: ==============================================================================
[bashupdate02] out: Upgrade       1 Package(s)
[bashupdate02] out:
[bashupdate02] out: Total download size: 905 k
[bashupdate02] out: Downloading Packages:
[bashupdate02] out: bash-4.1.2-15.el6_5.2.x86_64.rpm                     | 905 kB     00:00
[bashupdate02] out: Running rpm_check_debug
[bashupdate02] out: Running Transaction Test
[bashupdate02] out: Transaction Test Succeeded
[bashupdate02] out: Running Transaction
[bashupdate02] out:   Updating   : bash-4.1.2-15.el6_5.2.x86_64                            1/2
[bashupdate02] out:   Cleanup    : bash-4.1.2-15.el6_4.x86_64                              2/2
[bashupdate02] out:   Verifying  : bash-4.1.2-15.el6_5.2.x86_64                            1/2
[bashupdate02] out:   Verifying  : bash-4.1.2-15.el6_4.x86_64                              2/2
[bashupdate02] out:
[bashupdate02] out: Updated:
[bashupdate02] out:   bash.x86_64 0:4.1.2-15.el6_5.2
[bashupdate02] out:
[bashupdate02] out: Complete!
[bashupdate02] out:

Done.
Disconnecting from ec2-user@54.64.115.XXX... done.
Disconnecting from ec2-user@54.64.68.XXX... done.
```
The whole run took about one to two minutes. How long would it take to do the same by hand?
Summary
For a job of this size, just knock it out with Fabric.