ara | File #286: /home/ssh-gateway/ansible/RM9537.yaml

RM9537.yaml: /home/ssh-gateway/ansible/RM9537.yaml

Execution

Date 08 May 2024 13:50:20 +0100

Duration 00:00:06.73

Controller ssh-gw-4.layershift.com

User root

Versions

Ansible 2.16.4

ara 1.7.1 / 1.7.2.dev2

Python 3.10.10

Summary

2 Hosts

7 Tasks

7 Results

1 Plays

1 Files

0 Records

remote_user:root check:False tags:all plesk subset:kuly-c7-uk.uk.easy-server.com security

Date
08 May 2024 13:50:20 +0100
Path
/home/ssh-gateway/ansible/RM9537.yaml

Argument	Value
version	None
verbosity	2
private_key_file	/home/ssh-gateway/.ssh/id_rsa
remote_user	root
connection	ssh
timeout	None
ssh_common_args	None
sftp_extra_args	None
scp_extra_args	None
ssh_extra_args	None
ask_pass	False
connection_password_file	None
force_handlers	False
flush_cache	False
become	False
become_method	sudo
become_user	None
become_ask_pass	False
become_password_file	None
tags	['all']
skip_tags	[]
check	False
diff	False
inventory	['/home/ssh-gateway/ansible/hosts_CTListFromObasDB']
listhosts	False
subset	kuly-c7-uk.uk.easy-server.com
extra_vars	Not saved by ARA as configured by 'ignored_arguments'
vault_ids	[]
ask_vault_pass	False
vault_password_files	[]
forks	30
module_path	None
syntax	False
listtasks	False
listtags	False
step	False
start_at_task	None
args	['RM9537.yaml']

File: /home/ssh-gateway/ansible/RM9537.yaml

---
- name: Mitigating CVE-2024-2961
  hosts: all
  gather_facts: true
  vars:
    folder: /home/ssh-gateway/ansible/playbook_output
    ara_playbook_name: RM9537.yaml
    ara_playbook_labels:
      - plesk
      - security
  tasks:
    - name: Check if gconv-modules-extra.conf exists
      ansible.builtin.stat:
        path: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
      register: gconv_modules_extra_exist
    - name: Check if gconv-modules exists
      ansible.builtin.stat:
        path: /usr/lib64/gconv/gconv-modules
      register: gconv_modules_exist
    - name: Match and comment out block in the configuration file
      ansible.builtin.shell: |
        set -o pipefail
        file="{{ '/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf' if gconv_modules_extra_exist.stat.exists else '/usr/lib64/gconv/gconv-modules' }}"
        grep -n "ISO2022CNEXT//" "$file" | while read -r line; do line_number=$(echo "$line" | cut -d':' -f1); sed -i "${line_number},$((line_number + 2)) s/^/# /" "$file"; done
        rm -f /usr/lib64/gconv/gconv-modules.cache
      register: config_changes
      notify:
        - run_iconvconfig
      when: gconv_modules_extra_exist.stat.exists or gconv_modules_exist.stat.exists
    - name: Run iconv command and check for CN-EXT
      ansible.builtin.shell: |
        set -o pipefail
        iconv -l | grep -E 'CN-?EXT'
      args:
        executable: /bin/bash
      register: iconv_output
      ignore_errors: true
      changed_when: false
    - name: Write to file if the command has output
      ansible.builtin.lineinfile:
        dest: "{{ folder }}/RM9537-patched-or-not.txt"
        create: true
        mode: '0644'
        line: "{{ ansible_facts.nodename }} - NOT PATCHED"
      delegate_to: 127.0.0.1
      when: iconv_output.rc == 0
    - name: Write to file if the command has no output
      ansible.builtin.lineinfile:
        dest: "{{ folder }}/RM9537-patched-or-not.txt"
        create: true
        mode: '0644'
        line: "{{ ansible_facts.nodename }} - clean"
      delegate_to: 127.0.0.1
      when: iconv_output.rc != 0

  handlers:
    - name: Run iconvconfig
      ansible.builtin.command: iconvconfig
      when: config_changes.changed
      listen: run_iconvconfig

Playbook #286

File: /home/ssh-gateway/ansible/RM9537.yaml