Dealing with Spectre and Meltdown using Ansible

If we have to deal with this, let's do it in an intelligent way.

I'm using Ansible across my infrastructure to manage most things, so I put together a playbook to detect whether the Spectre and Meltdown kernel fixes are present on CentOS 7, based on the articles from CyberCiti.biz:

https://www.cyberciti.biz/faq/patch-spectre-vulnerability-cve-2017-5753-cve-2017-5715-linux

https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/

- hosts: all
  become: yes
  become_user: root

  pre_tasks:
    # The kernel RPM changelog names the CVE of every backported fix, so counting
    # the lines that mention a CVE tells us whether the fix is in the package.
    # Note: "rpm -q --changelog kernel" covers every installed kernel package, so
    # this reports a fix as present as soon as the updated kernel is installed,
    # before the reboot that actually makes it effective. Use
    # "rpm -q --changelog kernel-$(uname -r)" to check the running kernel.
    - name: "Check kernel changelog for Meltdown patches (CVE-2017-5754)"
      shell: "rpm -q --changelog kernel | egrep 'CVE-2017-5754' | wc -l"
      # read-only check: never report "changed", never abort the run
      changed_when: false
      ignore_errors: true
      register: meltdown_patch_count

    - name: "Meltdown result"
      debug: var=meltdown_patch_count.stdout

    - name: "Meltdown fix"
      debug:
        msg: "Installing Meltdown fix"
      when: meltdown_patch_count.stdout == "0"

    # Spectre is CVE-2017-5753 (variant 1) and CVE-2017-5715 (variant 2).
    # CVE-2017-5754 is Meltdown and must not be in this pattern: with it included,
    # a kernel carrying only the Meltdown (KPTI) fix would count as Spectre-patched.
    - name: "Check kernel changelog for Spectre patches (CVE-2017-5753, CVE-2017-5715)"
      shell: "rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753' | wc -l"
      changed_when: false
      ignore_errors: true
      register: spectre_patch_count

    - name: "Spectre result"
      debug: var=spectre_patch_count.stdout
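The same changelog check as a plain shell script, added here as an example rather than taken from the post above, so the counting logic can be exercised offline: the CVE patterns are split correctly between Meltdown and Spectre, the original (loose) Spectre pattern is kept only to show the false positive it produces on a Meltdown-only kernel, and the live check targets the running kernel with `kernel-$(uname -r)` instead of every installed kernel package. The changelog text, the builder name and the version string are constructed for this example and are not a real CentOS build log; `running_kernel_changelog` assumes an RPM-based host.

```shell
#!/bin/sh
# Added example (not code from the original post): the CVE-reference check the
# playbook runs via "rpm -q --changelog kernel", factored into functions that take
# the changelog text as an argument so the logic can be tested against constructed input.

# Meltdown is CVE-2017-5754 only. "|| true" keeps the "0" that grep prints when
# nothing matches, instead of grep's exit status 1 killing a "set -e" caller.
count_meltdown() {
    printf '%s\n' "$1" | grep -Ec 'CVE-2017-5754' || true
}

# Spectre is CVE-2017-5753 (variant 1, bounds-check bypass) and CVE-2017-5715
# (variant 2, branch target injection). CVE-2017-5754 is deliberately left out:
# it is Meltdown, and counting it here reports "Spectre patched" on a kernel that
# only carries the Meltdown (KPTI) fix.
count_spectre() {
    printf '%s\n' "$1" | grep -Ec 'CVE-2017-5753|CVE-2017-5715' || true
}

# The pattern with Meltdown's CVE included, kept only to show the false positive.
count_spectre_loose() {
    printf '%s\n' "$1" | grep -Ec 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754' || true
}

# Map a match count to the word the report prints.
patch_status() {
    if [ "$1" -gt 0 ]; then echo patched; else echo missing; fi
}

# Changelog of the kernel that is actually running. "rpm -q --changelog kernel"
# covers every installed kernel package, so it says "patched" as soon as the
# updated kernel is installed, before the reboot that makes the fix effective.
# Assumes an RPM-based host (CentOS/RHEL); prints nothing elsewhere, which the
# report below reads as "missing" rather than crashing.
running_kernel_changelog() {
    rpm -q --changelog "kernel-$(uname -r)" 2>/dev/null || true
}

# Print one status line per issue for the changelog text given as $1.
report() {
    echo "meltdown: $(patch_status "$(count_meltdown "$1")")"
    echo "spectre:  $(patch_status "$(count_spectre "$1")")"
}

# Constructed sample input, shaped like kernel RPM changelog entries. The builder,
# version and wording are made up for this example, not a real CentOS build log.
FULL_FIX_CHANGELOG='* Thu Jan 04 2018 Example Builder <builder@example.com> - 3.10.0-0.example.el7
- [x86] kaiser: page table isolation (CVE-2017-5754)
- [x86] spec_ctrl: IBRS support (CVE-2017-5715)
- [x86] nospec: array index masking (CVE-2017-5753)
- [fs] unrelated fix'

MELTDOWN_ONLY_CHANGELOG='* Thu Jan 04 2018 Example Builder <builder@example.com> - 3.10.0-0.example.el7
- [x86] kaiser: page table isolation (CVE-2017-5754)'

echo "== kernel with both fixes =="
report "$FULL_FIX_CHANGELOG"
echo "== kernel with the Meltdown fix only =="
report "$MELTDOWN_ONLY_CHANGELOG"
echo "loose Spectre pattern on the Meltdown-only kernel counts: $(count_spectre_loose "$MELTDOWN_ONLY_CHANGELOG")"
# On a live CentOS 7 host:  report "$(running_kernel_changelog)"
```

On the Meltdown-only changelog the strict pattern counts 0 Spectre references while the loose one counts 1, which is exactly the false "patched" result the playbook would have printed with Meltdown's CVE left in the Spectre grep.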