How to use ansible to scan for Spectre/Meltdown vulnerable hosts
First of all, head on over to GitHub and download a version of spectre-meltdown-checker that supports JSON output. Now all we need is an Ansible playbook that calls that script:
```yaml
- name: Run Spectre/Meltdown checker on hosts
  hosts: all
  gather_facts: false
  tasks:
    # Run the checker and capture its JSON output; do not fail the task on a
    # non-zero exit status, since the checker itself signals results that way.
    - script: tools/spectre-meltdown-checker.sh --batch json --live
      register: spectre_output
      failed_when: false
    # Parse the JSON array of variants into a fact we can iterate over.
    - set_fact:
        spectre_json: "{{ spectre_output.stdout|from_json }}"
    # Print each vulnerable variant and mark the host as failed for it.
    - name: Output vulnerability status
      debug:
        msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}"
      with_items: "{{ spectre_json }}"
      failed_when: item.VULNERABLE
      when: item.VULNERABLE
```
Be sure to adjust the path to spectre-meltdown-checker.sh in the script: task (the path is relative to wherever your playbook file is). Adapt it to your needs however you want. It basically just feeds the output of the script into the from_json filter, stores it in a variable and then iterates over the result via with_items.
Example output:
(vulnerable to CVE-2017-5715 since Intel retracted their microcode updates and haven’t released new ones yet)
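As an added example that is not part of the original post, here is a variant of the playbook above that copes with a host where the checker produced no output at all (script not found, not run as root, or bash missing): since the playbook already sets failed_when: false, an exit status alone is not a failure signal, so this version treats empty stdout as the error, only loops over the vulnerable entries, and fails the host with a one-line summary at the end. The script path and the NAME/VULNERABLE/INFOS keys are taken from the post; the task names are assumptions.

```yaml
- name: Report Spectre/Meltdown status per host
  hosts: all
  gather_facts: false
  tasks:
    # Same invocation as the original playbook; path is relative to this file.
    - name: Run the checker in JSON batch mode
      script: tools/spectre-meltdown-checker.sh --batch json --live
      register: spectre_output
      failed_when: false
      changed_when: false

    # An empty stdout means the script never ran properly; say so instead of
    # letting from_json blow up with a confusing parse error.
    - name: Fail clearly when the checker produced no JSON
      fail:
        msg: "checker produced no output on {{ inventory_hostname }}: {{ spectre_output.stderr }}"
      when: spectre_output.stdout | trim | length == 0

    # Keep only the entries whose VULNERABLE flag is true.
    - name: Collect vulnerable variants
      set_fact:
        spectre_vulnerable: "{{ spectre_output.stdout | from_json | selectattr('VULNERABLE') | list }}"

    - name: Show each vulnerable variant
      debug:
        msg: "{{ inventory_hostname }} vulnerable to {{ item.NAME }} - {{ item.INFOS }}"
      loop: "{{ spectre_vulnerable }}"

    # One failure per host with all affected variant names, instead of one per item.
    - name: Mark the host failed if anything is vulnerable
      assert:
        that: spectre_vulnerable | length == 0
        fail_msg: "vulnerable: {{ spectre_vulnerable | map(attribute='NAME') | join(', ') }}"
```

Hosts that pass end up green in the play recap, while vulnerable and broken hosts show up as failed with a reason you can grep for.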