1 Reply Latest reply on Oct 5, 2014 12:00 AM by Peter Massa

    How can I update bash on my Linux Servers via Landesk?

    Rookie


      I have installed v9.6 of the Landesk linux agent on my linux servers.  I have never distributed anything to a linux server via landesk and would like to leverage the shellshock exploit to start doing so.  Can anyone let me know how this can be done via Landesk?

        • 1. Re: How can I update bash on my Linux Servers via Landesk?
          Peter Massa Expert

          wanman0621,

           

          For Linux patching in general you can look at:

          Linux 64bit Patching

           

          This has a method to install a specific patch or all patches.  However if you do not want to use my method above, you could use the following script and put it in a custom definition.

           

          Detection Logic -> Custom Script:

           

          #!/bin/bash

          #set -x

          reason="Yum Check-Update Ran-Vulnerable to Shell Shock - Bash Patch"

          RV=0

          hostname=`hostname`

           

          # To Test - uncomment below and enter one test device's name here - to patch all systems, re-comment out the below line.

          #if [[ $hostname == *enterhostnamehere* ]]; then

           

          # Check if vulnerable - if it is, update bash.  If not vulnerable echo Not Vulnerable and set the status as "patched".

          env x='() { :;}; yum -y update bash > /opt/landesk/vulscan-bash-patchlog.ini; RV=1' bash -c "echo Not Vulnerable; RV=0"

           

          #To Test - uncomment below fi line, to patch all systems - re-comment out the below line.

          #fi

           

          if [ $RV -eq 1 ]; then

            echo "${reason}" >&1

            echo "Yum Check-Bash Update Ran" >&2

          fi

          exit $RV

           

           

          *Please test this before doing it in production - I literally just wrote it and do not know if I missed type anything or if there is a flaw.

           

          You would then apply this patch definition to the device you desire to patch for testing via the bolded and underlined above.  After testing is completed - re-comment those lines and all of your systems should get the patch if they are vulnerable.

           

          *Note: to scope which devices get this patch - I would advise applying a query filter to the custom definition detection rules.

           

          *Note: this will patch bash to the latest version.  The current shell shock patch does not require a reboot - but if your systems are out of date, a previous bash patch may require one.

           

          Please also see: Linux - Patching Bash - Latest CVE-2014-6278

           

          Hope this helps,

          Peter