Add the full dependency list: unzip, gpg, dirmngr, file

Improved code with Ansible best practices Improved documentation accordingly
lucab85 · Dec 23, 2021 · 0d805aa · 0d805aa
1 parent 663208e
commit 0d805aa
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -16,10 +16,10 @@ Code also available as Ansible Galaxy role [lucab85.ansible_role_log4shell](http
 ansible-galaxy install lucab85.ansible_role_log4shell
 ```
 
-## How to run
+## How to run the Ansible Playbook
 
 Default variables scan all the `/var/` path for affected files.
-Customize the `vars.yml` file for more options.
+You could customize the `vars.yml` file for more options.
 
 ```bash
 ansible-playbook log4j-cve-2021-44228.yml
@@ -52,9 +52,26 @@ delete_after: false
 verify_gpg: true
 ```
 
-## demo execution
+- sh_detector: the filename of the detector bash script file
+- sh_signature: the filename of the detector GPG signature file
+- detector_baseurl: the base URL to download the previous files
+- detector_path: the path to inspect (default `/var/`)
+- detector_dir: the download path of the detector (default `detector_dir`)
+- detector_run_dir: the subdirectory to create before the run (default `tmp`)
+- detector_options: the command lines options for detector script (default `-n -d --no-progress --scan {{ detector_path }}`)
+- gpg_keyid: the GPG public key to download for the verification (default Red Hat Product Security `7514F77D8366B0D9`)
+- clean_run_before: remove the run directory and recreate before the execution - detector requires empty directory (default `true`)
+- delete_after: remove the _detector_dir_ the execution (default `false`)
+- verify_gpg: perform the GPG signature donwload and verification (default: `true`)
+
+
+## Demo execution
+
+The full output of the execution of the playbook against the RHEL8 demo target host:
 
 ```bash
+$ ansible-playbook log4j-cve-2021-44228.yml
+
 PLAY [detector for Apache Log4j (CVE-2021-44228)] ******************************
 
 TASK [Gathering Facts] *********************************************************
@@ -64,14 +81,16 @@ TASK [include_vars] ************************************************************
 ok: [demo]
 
 TASK [dependency present] ******************************************************
-ok: [demo]
+changed: [demo]
 
 TASK [create detector directory] ***********************************************
-ok: [demo]
+changed: [demo]
+
+TASK [download detector file] **************************************************
+changed: [demo]
 
-TASK [download detector file(s)] ***********************************************
-ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh)
-ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh.asc)
+TASK [download detector signature] *********************************************
+changed: [demo]
 
 TASK [gpg public key] **********************************************************
 changed: [demo]
@@ -80,15 +99,15 @@ TASK [gpg verify detector] *****************************************************
 changed: [demo]
 
 TASK [remove any detector run directory] ***************************************
-changed: [demo]
+ok: [demo]
 
 TASK [create detector run directory] *******************************************
 changed: [demo]
 
 TASK [run detector/scanner] ****************************************************
 changed: [demo]
 
-TASK [files in detector run directory] ************
+TASK [files in detector run directory] *****************************************
 ok: [demo]
 
 TASK [print vulnerable path(s) found] ******************************************
@@ -108,7 +127,7 @@ TASK [remove detector directory] ***********************************************
 skipping: [demo]
 
 PLAY RECAP *********************************************************************
-demo                       : ok=12   changed=5    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   
+demo                       : ok=13   changed=8    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   
 
 ```
 

diff --git a/log4j-cve-2021-44228.yml b/log4j-cve-2021-44228.yml
@@ -7,7 +7,11 @@
 
     - name: dependency present
       ansible.builtin.package:
-        name: unzip
+        name:
+          - unzip
+          - gpg
+          - dirmngr
+          - file
         state: present
         update_cache: true
 
@@ -16,40 +20,46 @@
         path: '{{ detector_dir }}'
         state: directory
 
-    - name: download detector file(s)
+    - name: download detector file
       ansible.builtin.get_url:
-        url: "{{ detector_baseurl }}{{ item }}"
-        dest: "{{ detector_dir }}{{ item }}"
+        url: "{{ detector_baseurl }}{{ sh_detector }}"
+        dest: "{{ detector_dir }}{{ sh_detector }}"
         mode: '0755'
         owner: root
         group: root
-      with_items:
-        - '{{ sh_detector }}'
-        - '{{ sh_signature }}'
+
+    - name: download detector signature
+      ansible.builtin.get_url:
+        url: "{{ detector_baseurl }}{{ sh_signature }}"
+        dest: "{{ detector_dir }}{{ sh_signature }}"
+        mode: '0644'
+        owner: root
+        group: root
+      when: verify_gpg
 
     - name: gpg public key
-      ansible.builtin.shell: '{{ gpg_public_key }}'
-      when: verify_gpg == true
+      ansible.builtin.command: '{{ gpg_public_key }}'
+      when: verify_gpg
 
     - name: gpg verify detector
-      ansible.builtin.shell: >
-        'gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}'
-      when: verify_gpg == true
+      ansible.builtin.command: >-
+        gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}
+      when: verify_gpg
 
     - name: remove any detector run directory
       ansible.builtin.file:
         path: '{{ detector_dir }}{{ detector_run_dir }}'
         state: absent
-      when: clean_run_before == true
+      when: clean_run_before
 
     - name: create detector run directory
       ansible.builtin.file:
         path: '{{ detector_dir }}{{ detector_run_dir }}'
         state: directory
 
     - name: run detector/scanner
-      ansible.builtin.shell: >
-        '{{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }}'
+      ansible.builtin.command: >-
+        {{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }}
 
     - name: files in detector run directory
       ansible.builtin.find:
@@ -64,4 +74,4 @@
       ansible.builtin.file:
         path: '{{ detector_dir }}'
         state: absent
-      when: delete_after == true
+      when: delete_after