Patching OpenSSL's heartbleed with puppet.

Everyone is aware of the Heartbleed exploit for OpenSSL, since it has been all over the news and tech sites, so I won't ramble on about it. I'm just going to show how I used Puppet to patch our vulnerable servers. We currently have over 1500 hosts on Puppet, the majority of which are cPanel servers running CentOS. Thankfully fewer than 40% run CentOS 6, which was the release affected by the exploit.

I used the following manifest to update OpenSSL and restart the affected services so they use the new binary. It's not the prettiest, but it worked, and that's what matters!

So if the OS release number is 6 (using the fact from the awesome Facter), ensure that the openssl package is the latest and notify the httpd exec to kill the process and start it again if it's already running (a graceful restart won't pick up the new binary). It then restarts Exim and cPanel if they are on the server and creates a file so the exec only runs once. I chose to use execs so I wouldn't get any service conflicts with other inherited manifests.
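The manifest itself is not on this page, so here is an added example that reconstructs the flow described above in Puppet DSL. It is not the author's manifest: the fact name (`operatingsystemmajrelease`), the exec names, the init script and cPanel script paths, and the once-only marker file under `/root` are all assumptions.

```puppet
# Added example, not the author's manifest. Reconstructs the steps described in
# the post: on a release-6 host, upgrade openssl, hard-restart httpd if it is
# running (once only), then restart Exim and cPanel if they are installed.
class heartbleed_patch {

  # Assumed fact name; Facter reports the major release as a string ('6').
  if $::operatingsystemmajrelease == '6' {

    package { 'openssl':
      ensure => latest,
      notify => Exec['httpd-restart-for-openssl'],
    }

    # A graceful restart keeps the parent httpd (and the old libssl it has
    # mapped) alive, so stop it outright and start it fresh. Runs only when
    # httpd is already up, only on an openssl change, and only once thanks to
    # the marker file written at the end of the command (assumed path).
    exec { 'httpd-restart-for-openssl':
      provider    => shell,
      command     => 'pkill httpd; sleep 2; /etc/init.d/httpd start && touch /root/.heartbleed-httpd-restarted',
      path        => '/bin:/usr/bin:/sbin:/usr/sbin',
      onlyif      => 'pgrep httpd',
      creates     => '/root/.heartbleed-httpd-restarted',
      refreshonly => true,
    }

    # Exim: restart only on hosts that have it, and only when openssl changed.
    exec { 'exim-restart-for-openssl':
      command     => '/etc/init.d/exim restart',
      onlyif      => '/usr/bin/test -x /etc/init.d/exim',
      refreshonly => true,
      subscribe   => Package['openssl'],
    }

    # cPanel: same pattern, using cPanel's own restart script (assumed path).
    exec { 'cpanel-restart-for-openssl':
      command     => '/scripts/restartsrv_cpsrvd',
      onlyif      => '/usr/bin/test -x /scripts/restartsrv_cpsrvd',
      refreshonly => true,
      subscribe   => Package['openssl'],
    }
  }
}
```

The `refreshonly` execs fire only when the package resource reports a change, and `creates` guards the httpd exec against a second run on a later agent cycle; both guards are deliberate because execs have no other notion of "already done". After the run, a quick check that nothing is still using the old library is `lsof -n | grep 'libssl.*DEL'`, which lists processes that still map the deleted copy and therefore still need a full restart. Note that the package update only stops further leakage; anything that may already have been read out of process memory, such as private keys, is not undone by patching, so reissuing certificates and rotating those keys is the usual follow-up.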