Fabric script to squash the nasty bash shellshock bug

This fabric script should test for CVE-2014-6278, CVE-2014-6271, CVE-2014-7186 and CVE-2014-7187.

There is a redhat and centos directory. Each one contains a gpg signed version of bash for the respective distro. The script will push the file to the server and do a yum localinstall on it. Once installed a second test run is made to verify that the vulnerabilities have been patched. Once done then the rpm will be removed.

Create a ~/.fabricrc file in your home directory that looks like the following:

user = ssh_user

Then run the fab command with the options that you need. See the examples below.

• -I: This prompts for your sudo password
• --hide commands: This keeps the output sane
• -H: Host or list of hosts separated by commas

The script will prompt for 2 or 3 items:

• A filename with a list of hosts to hit (one name per line) if the 'hostlist' option is used
• Your password

In this instance the filename "staging" was used with only one file in it.

fab hostlist bash_updater -I --hide commands
Initial value for env.password: 
Host list name: staging
[<hostname>] Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[<hostname>] OK test_cve_2014_6278 
[<hostname>] OK test_cve_2014_6271 
[<hostname>] OK test_cve_2014_7186 
[<hostname>] OK test_cve_2014_7187 

Done.
Disconnecting from <hostname>... done.

It is possible to specify one host or a list at the command line with the -H option and not using "hostlist". For example:

fab -H <hostname> -I --hide commands

Use fab --list or fab -l.

$ fab --list
Available commands:

    bash_updater
    get_distro_version
    hostlist