How we Patch OpenSSL Vulnerabilities

As a systems administrator, part of my job is to ensure the security of many servers and the services that run on them.

Occasionally the maintainers of an open source software package find a vulnerability, for which they’ll provide a patch. You may recall a vulnerability nicknamed “Heartbleed”, discovered last year, that affected nearly every server connected to the internet. It’s easy to upgrade the operating system and programs on a single computer, but when you manage dozens or hundreds of servers in diverse geographical locations, it’s a bit trickier, to say the least. Enter Ansible.

What is Ansible?

Ansible is an open source “configuration management tool”. It lets you describe the desired state of a server, or a group of servers, and push that configuration to each of them. With Ansible you can deploy a large, complex hosting infrastructure or just update a single package. Ansible is very flexible.

How is Ansible Used?

If you are using Ansible to deploy a complex configuration, you will want to save that configuration in a file (called a playbook), but Ansible also supports a quick way to push small changes to multiple servers: ad hoc commands. I often use ad hoc commands to update a package that has a new version or patch available.

For example, to update the openssl package on an Ubuntu server, we would use this ad hoc command:

ansible -i hosts all -u root -m apt -a "name=openssl state=latest update_cache=yes"

Allow me to explain the options that are used in this command:

-i hosts This tells Ansible which inventory file to use. An inventory file lists the servers that the action should be applied to. By default Ansible looks in /etc/ansible/hosts, but you can specify another file with -i. The word that follows, all, is the host pattern: it selects every host in that inventory (you could name a group from the file instead).

-u root This option specifies which user to connect to each server and run the commands as.

-m apt specifies which Ansible module to use. Ansible has many modules that can do all kinds of things. In this example we are using the apt module, which manages packages with apt, the Debian and Ubuntu package manager.

-a This one stands for “arguments”: the arguments we want to pass to the apt module. In this case, update_cache=yes tells the module to refresh the repository cache so we have the latest listing of packages, and name=openssl state=latest then ensures that the openssl package is at the latest available version.
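The script below is an added example, not code from the original post. It wraps the ad hoc command explained above in a shell function and adds the check I would want right after patching OpenSSL: a replaced shared library stays mapped in every process that was already running, and the kernel marks those mappings "(deleted)" in /proc/<pid>/maps, so such processes are still running the old code until they are restarted. The example assumes an inventory file named hosts in the current directory (override with INVENTORY=...) and the ansible CLI on PATH; the maps lines in SAMPLE_MAPS are constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's ad hoc OpenSSL
# update, then find processes that still have the OLD libssl/libcrypto mapped
# and therefore need a restart before the patch is actually in effect.
# Assumptions: inventory file "hosts" (or $INVENTORY), "ansible" on PATH.
set -eu

INVENTORY=${INVENTORY:-hosts}
# The apt module accepts a comma-separated list, e.g. PKGS=openssl,libssl1.0.0
# if you also want the shared-library package, which on Debian/Ubuntu is
# separate from the openssl command-line tool.
PKGS=${PKGS:-openssl}

# The ad hoc command from the post, with straight double quotes so the shell
# hands the whole key=value string to -a as a single argument.
patch_openssl() {
  ansible -i "$INVENTORY" all -u root -m apt \
    -a "name=$PKGS state=latest update_cache=yes"
}

# Reads lines of the form
#   /proc/<pid>/maps:<addr> <perms> <offset> <dev> <inode> <path> [(deleted)]
# (what "grep /proc/[0-9]*/maps" prints) on stdin and prints each PID that
# still maps a deleted libssl/libcrypto, once, in numeric order.
stale_ssl_pids() {
  grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' \
    | sed -E 's#^/proc/([0-9]+)/maps:.*#\1#' \
    | sort -un
}

# The same check pushed to every host through the shell module. The pipeline
# ends in sort, so a host with nothing to report exits 0 instead of FAILED.
report_stale_on_hosts() {
  ansible -i "$INVENTORY" all -u root -m shell \
    -a "grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' /proc/[0-9]*/maps 2>/dev/null | sed -E 's#^/proc/([0-9]+)/maps:.*#\1#' | sort -un"
}

# Constructed sample of grep output: PIDs 1234 and 42 still hold the deleted
# (pre-patch) libraries; 999 only maps libc; 77 was already restarted and maps
# the new, non-deleted libssl.
SAMPLE_MAPS='/proc/1234/maps:7f3a0000-7f3b0000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
/proc/1234/maps:7f3c0000-7f3d0000 r-xp 00000000 08:01 1312 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
/proc/999/maps:7f400000-7f410000 r-xp 00000000 08:01 100 /lib/x86_64-linux-gnu/libc.so.6
/proc/42/maps:7f500000-7f510000 r-xp 00000000 08:01 1312 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
/proc/77/maps:7f600000-7f610000 r-xp 00000000 08:01 1400 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Usage: "sh patch-openssl.sh run" patches every host and reports stale PIDs;
# "sh patch-openssl.sh demo" parses the constructed sample offline.
case "${1:-}" in
  run)  patch_openssl; report_stale_on_hosts ;;
  demo) printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids ;;
esac
```

The restart step itself is deliberately left to you: which PIDs map to which service differs per host, and Ansible's service module is the natural way to bounce them once the list is known.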

Conclusion

With a single command, we can update any number of servers in this manner. It saves time and increases consistency across a large number of servers.

If you manage any number of Linux servers and you aren’t using Ansible, you are missing out.