Hi all,
I'm trying to run some scripts provided by Red Hat to test for select
security vulnerabilities. They're as-is from Red Hat, excluding a minor
modification so I get emailed when it finds a vulnerable system (noted in
bold/highlighted). I can run the command from the script and it works fine,
and I can run the script by hand and it works fine. However, when I try
calling it from Puppet it fails with:

Notice: /Stage[main]/patches_security::test_ghost/Exec[/tmp/ghost-test.sh]/returns: Error: Could not execute posix command: Exec format error - /tmp/ghost-test.sh
Error: /Stage[main]/patches_security::test_ghost/Exec[/tmp/ghost-test.sh]: Failed to call refresh: /tmp/ghost-test.sh returned 1 instead of one of [0]
Error: /Stage[main]/patches_security::test_ghost/Exec[/tmp/ghost-test.sh]: /tmp/ghost-test.sh returned 1 instead of one of [0]

Here's what I have in the manifest:

class patches_security::test_ghost {
  file { '/tmp/ghost-test.sh':
    ensure => 'present',
    source => 'puppet:///modules/patches_security/ghost-test.sh',
    owner  => 'root',
    group  => 'root',
    mode   => '0550',
    notify => Exec['/tmp/ghost-test.sh'],
  }
  exec { '/tmp/ghost-test.sh':
    command     => '/tmp/ghost-test.sh',
    subscribe   => File['/tmp/ghost-test.sh'],
    refreshonly => 'true',
  }
}

And here's the script itself:

#!/bin/bash
#Version 3
echo "Installed glibc version(s)"
rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable" *&& echo "$HOSTNAME is vulnerable to CVE-2015-0235." | mailx -s "$HOSTNAME is Vulnerable to GHOST" [email protected]*
            rv=1
        fi
    fi
done
if [ $rv -ne 0 ]; then
    cat <<EOF
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi
exit $rv

So, what in the world am I missing? Another totally different script is in
the same situation; the command/script work fine, but not via Puppet, so I
have to believe it's how I'm implementing it through Puppet. I'm sure it's
something minor/silly! Thanks for all the help!
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/612117ca-aaa1-4e15-b291-bf8f47540eb3%40googlegroups.com.
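
Added example, not part of the original post: "Exec format error" is execve(2)'s ENOEXEC, returned when a file is neither a recognised binary nor has `#!` as its first two bytes, whereas an interactive shell falls back to interpreting such a file itself. The sketch below classifies a script's first bytes for the usual causes; the function name `check_shebang` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# check_shebang FILE
# Classify the start of a script the way execve(2) sees it. Prints one of:
#   ok                  "#!" at byte 0, interpreter line ends in LF
#   crlf                "#!" at byte 0, but the interpreter line ends in CR
#                       (exec then fails with "No such file or directory")
#   bom                 UTF-8 byte-order mark precedes the shebang (ENOEXEC)
#   leading-whitespace  blank line, space or tab before the shebang (ENOEXEC)
#   missing             no shebang at the start at all (ENOEXEC)
#   empty               zero-length file
# Returns 0 only for "ok". (Hypothetical helper name, added for illustration.)
check_shebang() {
    f=$1
    [ -s "$f" ] || { echo empty; return 1; }
    # Hex dump of the first four bytes, e.g. "23212f62" for "#!/b".
    first=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    cr=$(printf '\r')
    case $first in
        2321*)
            # Command substitution strips the LF but keeps a trailing CR.
            case $(head -n 1 "$f") in
                *"$cr") echo crlf; return 1 ;;
            esac
            echo ok; return 0 ;;
        efbbbf*)
            echo bom; return 1 ;;
        0a*|0d*|20*|09*)
            echo leading-whitespace; return 1 ;;
        *)
            echo missing; return 1 ;;
    esac
}

# Demo on constructed sample files (not taken from the original post).
tmp=$(mktemp -d)
printf '#!/bin/bash\necho ok\n'      > "$tmp/good.sh"
printf '\n#!/bin/bash\necho ok\n'    > "$tmp/blank-first-line.sh"
printf '\357\273\277#!/bin/bash\n'   > "$tmp/bom.sh"
printf '#!/bin/bash\r\necho ok\r\n'  > "$tmp/crlf.sh"
for s in "$tmp"/*.sh; do
    printf '%s: %s\n' "${s##*/}" "$(check_shebang "$s")"
done
rm -rf "$tmp"
```

Running the same check against the deployed copy of a script and against its source under the module's `files/` directory shows whether the two differ in their first bytes.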