First of all head on over to github and download a spectre-meltdown-checker that supports JSON output. Now all we need is a ansible playbook that calls that script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | - name: Run Spectre/Meltdown checker on hosts hosts: all gather_facts: false tasks: - script: tools/spectre-meltdown-checker.sh --batch json --live register: spectre_output failed_when: false - set_fact: spectre_json: "{{ spectre_output.stdout|from_json }}" - name: Output vulnerability status debug: msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}" with_items: "{{ spectre_json }}" failed_when: item.VULNERABLE when: item.VULNERABLE |
Important is to adjust the path to spectre-meltdown-checker.sh in the script: task (the path is relative to wherever your playboook file is). Adapt to your needs however you want. It is basically just feeding the output of the script into the from_json filter, storing it in a variable and then iterating over the result via with_items.
Example output:
(vulnerable to CVE-2017-5715 since Intel retracted their microcode updates and haven’t released new ones yet)