Shellshock patching with Chef


#1

I’m looking to see if there’s a good way to help manage patching of
vulnerabilities with Chef. This Shellshock one seems to be a great example
of why Chef would be a helpful tool for the job, since it’s just a package
in need of upgrading (bash).

My question is, what’s the best way in Chef to say “for this distribution
and release, ensure that this package is at least at version X” without
potentially downgrading the package down the road? I want to set a minimum
bar, but I don’t want to permanently pin the version.

Thoughts? Thanks!


~~ StormeRider ~~

“Every world needs its heroes […] They inspire us to be better than we
are. And they protect from the darkness that’s just around the corner.”

(from Smallville Season 6x1: “Zod”)

On why I hate the phrase “that’s so lame”… http://bit.ly/Ps3uSS


#2

yo,


I like pushing sec packages into a signed internal repository. Always
roll to latest. Makes the chef code simple®, especially for managing
multiple edges.

Some providers support pessimistic version specifications (~>). They
may be of use.

–aj



#3

We have our own mirror for ubuntu, but we don’t force the latest version. I
don’t think we have RHEL or OL or Debian mirrors at the moment, though.

Forcing the latest version might just be the simplest way to resolve it.




#4

Depending on your tolerance for automatic security upgrades, on ubuntu
and debian you could use
https://supermarket.getchef.com/cookbooks/unattended-upgrades



Brian Pitts
Web Operations Engineer


#5


If you use unattended upgrades for Debian family be sure to schedule
automatic removal of old packages (or do it often) and be careful with
kernel upgrades as well!

–aj



#6

I’d rather have a bit more control, and that doesn’t help for our RH family
boxen.




#7

The first thing that came to my mind was to have a mix between attributes
used as “configuration drivers” and straight commands. Afaict you will have
a broad range of control, but it can quickly become cumbersome, so be wary of
this.

Note that I’m pretty much new to Chef. I’m sure other more experienced
members of the community will pop over with a better solution.


#8

Morgan,

I can’t speak to RH distros, but we (Union Metrics) are an Ubuntu shop. I
put together some logic that only updates the bash package if the package
version for that OS release is lower than the version detailed in the USN.
This gist shows the whole rundown - hopefully it’s useful to you and anyone
else trying to figure out how to deal with updating these packages
gracefully: https://gist.github.com/davidgiesberg/aa7116611737edee31e0

-David Giesberg



#9

Thanks, that looks great!

