

Shocktrooper: mass server patching for shellshock - knave
https://github.com/EvanK/shocktrooper

======
Dylan16807
I don't really understand the point of this. Aren't there already simple tools
that take a list of server credentials and run the same command on all of
them? (I could understand if it was made for fun but the FAQ says it's "out of
necessity" and patching multiple distros can be a "nightmare". How? Just
attempt to execute apt and yum everywhere.)

Though maybe I'm just disappointed that it doesn't log in via shellshock as I
hoped from the title.

~~~
bshimmin
For those wondering, "What simple tools take a list of server credentials and
run the same command on all of them?", Fabric is a great one:
[http://www.fabfile.org/en/latest/](http://www.fabfile.org/en/latest/)

~~~
sandstrom
Fabric is a great suggestion! Here is a small fabfile as an example.

It's super-simple (wrote it for this answer), but should be less than 5 min if
anyone needs something quick.

    from fabric.api import *

    # Fabric
    #
    # Simple tool to execute commands on multiple machines.
    # Use for easier, ad-hoc changes, such as package updates.
    #
    # http://docs.fabfile.org
    #
    # Installation on OS X
    # `brew update && brew install python && pip install fabric`

    # use local ssh config
    env.use_ssh_config = True

    # Hard-coding host IPs is not ideal! There are better ways:
    # http://docs.fabfile.org/en/latest/usage/execution.html#defining-host-lists
    all_nodes = [
      '10.10.10.1',
      '10.10.10.2',
    ]

    # print uptime
    # usage: `fab uptime`
    @hosts(all_nodes)
    def uptime():
      run('uptime')

    # install package via apt
    # usage: `fab install_package:my-package-name`
    @hosts(all_nodes)
    def install_package(package):
      run('sudo apt-get update && sudo apt-get install {name}'.format(name=package))

    # check package version
    # usage: `fab package_version:my-package-name`
    @hosts(all_nodes)
    def package_version(package):
      run('dpkg -s {name} | grep Version'.format(name=package))

------
nodesocket
Shameless plug: [https://commando.io](https://commando.io) provides a great
way to run commands on groups of servers via SSH and a web interface for
patching shellshock. We also store the result of stdout and stderr and who
executed the commands for a complete audit trail.

See the following tweet:
[https://twitter.com/alexandermensa/status/514811145887027201](https://twitter.com/alexandermensa/status/514811145887027201)

------
0x0
I gotta say, if this is what you have to resort to for one single security
advisory, I'm scared to think how the remaining ~weekly advisories are
handled.

------
all_usernames
ansible main -a "sudo apt-get update; apt-get install --upgrade-only bash"

~~~
IbJacked
That should be "--only-upgrade", but ya, that's what I did.
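
Added example, not part of any comment in this thread and not Shocktrooper's code: the approach discussed above (try apt, then yum, on every host, with the corrected `--only-upgrade` flag) as a plain shell script that keeps each host's output. It assumes key-based SSH, passwordless sudo for the package manager, and a hosts file with one host per line; `remote_script`, `run_remote`, `patch_hosts` and the log directory are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shocktrooper.
# Assumptions: key-based SSH (agent or ~/.ssh/config), passwordless sudo for
# the package manager on each host, hosts file with one host per line.

# Script each host runs: use whichever package manager exists and upgrade only
# bash. --only-upgrade keeps apt from installing bash where it is absent.
remote_script() {
cat <<'EOF'
if command -v apt-get >/dev/null 2>&1; then
  sudo apt-get update && sudo apt-get install --only-upgrade -y bash
elif command -v yum >/dev/null 2>&1; then
  sudo yum -y update bash
else
  echo "no supported package manager" >&2; exit 3
fi
EOF
}

# One SSH session per host. BatchMode makes ssh fail instead of prompting,
# so no password is typed into or stored by this script; -n protects stdin.
run_remote() {
  ssh -n -o BatchMode=yes -o ConnectTimeout=10 "$1" "$2"
}

# patch_hosts HOSTS_FILE [LOG_DIR]
# Prints "host<TAB>ok" or "host<TAB>failed(rc)" and keeps each host's
# stdout/stderr in LOG_DIR as a record of what ran and what it returned.
patch_hosts() {
  hosts_file=$1
  log_dir=${2:-./patch-logs}
  failures=0
  mkdir -p "$log_dir" || return 2
  while IFS= read -r host || [ -n "$host" ]; do
    case $host in ''|'#'*) continue ;; esac   # skip blanks and comments
    if run_remote "$host" "$(remote_script)" >"$log_dir/$host.log" 2>&1; then
      printf '%s\tok\n' "$host"
    else
      rc=$?
      printf '%s\tfailed(%s)\n' "$host" "$rc"
      failures=$((failures + 1))
    fi
  done <"$hosts_file"
  [ "$failures" -eq 0 ]
}

# Runs only when a hosts file is given: sh patch-bash.sh hosts.txt
[ "$#" -eq 0 ] || patch_hosts "$@"
```

The function returns non-zero if any host failed, so a wrapper or cron job can alert on partial rollouts.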

------
Syncronous
So... instead of connecting to all my servers securely and 'yum update
bash'ing I can download this script that I don't trust, configure it with all
my super secret passwords and let it run riot.

------
sarciszewski
Neat project. ;)

