oscarmlage

Bash shellshock bug update: loving Fabric

Written by oscarmlage on

When you wake up in the morning to a new vulnerability like the bash shellshock bug, you should put your lazy side away and update all your servers to the new patched version. That means SSHing into every single server, checking for the vulnerability, updating the package, checking again that all is OK and moving on to the next host.

If you have tons of servers the task becomes tedious. To have a bit of fun you can choose to develop a Fabric module that does the job for you. The fun:

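from fabric.api import puts, sudo
from fabric.colors import green, red

package = 'bash'  # Debian/Ubuntu package to upgrade

def make_me_a_bashandwich():
    # Probe: a vulnerable bash runs the trailing `echo vulnerable` on import
    puts(red('Checking bash vulnerability'))
    out = sudo("env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'")
    if "vulnerable" in out:
        puts(red('Vulnerable'))
        puts(red('Updating bash'))
        sudo('apt-get update')
        # --only-upgrade touches the package only if it is already installed
        sudo('apt-get install --only-upgrade %s' % package)
    else:
        puts(green('OK'))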

Your only job is to run that piece of code on all your servers and keep a close eye on the screen:

$ fab -H server1,server2,server3 -u root make_me_a_bashandwich

In my humble opinion, it's more fun than the old way, isn't it?
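
An added example, not part of the original post: the task above prints OK whenever the word "vulnerable" is missing from the output, which is also what happens when the probe never runs at all. This sketch sorts probe output into three verdicts by also requiring the "this is a test" line; the function names, host names and sample outputs are constructed for illustration.

```python
import subprocess

PROBE_VALUE = "() { :;}; echo vulnerable"   # same probe as the Fabric task
CANARY = "this is a test"                   # proves bash actually ran


def classify(output):
    """Map raw probe output to 'vulnerable', 'patched' or 'inconclusive'."""
    lines = [line.strip() for line in output.splitlines()]
    if "vulnerable" in lines:
        return "vulnerable"      # trailing command ran during import
    if CANARY in lines:
        return "patched"         # bash ran only the command we asked for
    return "inconclusive"        # bash never ran: no evidence either way


def probe_local(bash="bash"):
    """Run the probe against a local bash binary and classify the result."""
    try:
        proc = subprocess.run(
            [bash, "-c", "echo " + CANARY],
            env={"x": PROBE_VALUE, "PATH": "/usr/bin:/bin"},
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
            universal_newlines=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "inconclusive"
    return classify(proc.stdout)


def triage(outputs):
    """Group hosts by verdict; `outputs` maps host name -> probe output."""
    groups = {"vulnerable": [], "patched": [], "inconclusive": []}
    for host in sorted(outputs):
        groups[classify(outputs[host])].append(host)
    return groups


# Constructed sample outputs (hypothetical hosts, not captured from real servers).
SAMPLE = {
    "server1": "vulnerable\nthis is a test",
    "server2": "bash: warning: x: ignoring function definition attempt\n"
               "bash: error importing function definition for `x'\n"
               "this is a test",
    "server3": "sudo: bash: command not found",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
    print("local bash:", probe_local())
```

Running the same classification again after the upgrade covers the "check again that all is OK" step, and any host left in the inconclusive group needs a manual look rather than a green OK.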

Image credit: Robert Graham (Twitter).