Forge Home

bolt_log4j

A bolt plan which make use of Google's log4jscanner to allow scanning of Windows and Linux hosts at scale for the log4shell vulnerability.

76 downloads

76 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.0 (latest)
released Aug 4th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2021.7.x
  • Puppet >= 7.24 < 9.0.0
  • , , , , ,
Plans:
  • vuln

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'benjaminrobertson-bolt_log4j', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add benjaminrobertson-bolt_log4j
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install benjaminrobertson-bolt_log4j --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

benjaminrobertson/bolt_log4j — version 0.1.0 Aug 4th 2024

bolt_log4j

A bolt plan which makes use of Google's log4jscanner to allow scanning of Windows and Linux hosts at scale for the log4shell vulnerability.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with bolt_log4j
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

A bolt plan which make use of Google's log4jscanner to allow scanning of Windows and Linux hosts at scale for the log4shell vulnerability.

Setup

What bolt_log4j affects

Bolt_log4j makes the following changes on systems.

  • Installs Puppet agent binaries.
  • Extracts the log4jscanner. By default it uses the following paths.
    • Windows: c:\
    • Linux: /tmp
  • Executes the log4jscanner on the system. By default it scans the following paths
    • Windows: c:\
    • Linux /

Setup Requirements

bolt_log4j requires Puppet Bolt to be installed on the scanning machine only.

Run bolt_log4j from a machine with access to the hosts you wish to scan. Port TCP/22 (SSH - Linux) and TCP/5985, TCP/5986 (WinRM - Windows) need to be open from the scanning machine to the target machines. Root or administrator credentials are also required for the target hosts. For Linux systems, a SSH key pair is recommended.

Beginning with bolt_log4j

  1. Install Puppet Bolt
  2. Create a directory for bolt project. mkdir log4j_scanner
  3. Change into project directory. cd log4j_scanner
  4. Init a new bolt project. bolt project init
  5. Open the bolt-project.yaml. Update it to include the bolt_log4j module as shown.
modules:
  - git: https://github.com/benjamin-robertson/bolt_log4j.git
    ref: 'main'
  1. Install the module and its dependencies by running bolt module install. Hint: If you need to force a refresh of modules you can run. bolt module install --force
  2. Confirm plan is installed by running. bolt plan show. Confirm the bolt_log4j::vuln plan is present.
  3. Configure bolt inventory.yaml file as shown. You will most likely need to customize these options for your own environment, see transport options.
---
config:
  transport: ssh
  ssh:
    user: ec2-user
    host-key-check: false
    native-ssh: true
    private-key: /home/ubuntu/.ssh/id_rsa.pem
    ssh-command: /usr/bin/ssh
groups:
  - name: rhel
    targets:
      - ip-10-64-61-143.ap-southeast-2.compute.internal
      - ip-10-64-229-181.ap-southeast-2.compute.internal
  - name: ubuntu
    targets:
      - 10.64.41.234
      - 10.64.214.252
      - 10.64.117.212
    config:
      ssh:
        user: ubuntu
  - name: windows
    targets:
      - 10.64.149.16
    config:
      transport: winrm
      winrm:
        user: tempadmin
        password: <your_password>
        ssl: false
  1. To confirm connectivity to hosts in a group, you can use the facts plan. bolt plan run facts targets=windows

Usage

To run bolt_log4j::vuln plan, run the following command. Specify target group from your inventory file.

bolt plan run bolt_log4j::vuln targets=<target group> --connect-timeout=45

For Windows hosts, best to set the connection timeout to 45 seconds. I have seen occasions where Windows systems have been slow to respond, resulting in timeouts. Linux systems are okay with standard timeout. Timeout can also be set in inventory.yaml.

Limitations

Timeout should be increased from the 15 second default for Windows systems. See above.

Expected to work on all modern Windows, RHEL and Ubuntu systems.

Development

If you find any issues with this module, please log them in the issues register of the GitHub project. Issues

PR's glady accepted.