wanman0621,
For Linux patching in general you can look at:
This has a method to install a specific patch or all patches. However if you do not want to use my method above, you could use the following script and put it in a custom definition.
Detection Logic -> Custom Script:
#!/bin/bash
#set -x
reason="Yum Check-Update Ran-Vulnerable to Shell Shock - Bash Patch"
RV=0
hostname=$(hostname)
# To Test - uncomment below and enter one test device's name here - to patch all systems, re-comment out the below line.
#if [[ $hostname == *enterhostnamehere* ]]; then
# Check if vulnerable - if it is, update bash. If not vulnerable echo Not Vulnerable and set the status as "patched".
# A vulnerable bash runs the code appended to the exported function definition; its output is
# captured here in the parent so RV can be set in this script (an assignment made inside the
# child bash would not be visible here). Look for the marker, because "Not Vulnerable" is
# printed by the child either way.
check=$(envx='() { :;}; echo VULNERABLE' bash -c "echo Not Vulnerable" 2>/dev/null)
if [[ $check == *VULNERABLE* ]]; then
  yum -y update bash > /opt/landesk/vulscan-bash-patchlog.ini 2>&1
  RV=1
else
  echo "Not Vulnerable"
  RV=0
fi
#To Test - uncomment below fi line, to patch all systems - re-comment out the below line.
#fi
if [ $RV -eq 1 ]; then
echo "${reason}" >&1
echo "Yum Check-Bash Update Ran" >&2
fi
exit $RV
*Please test this before doing it in production - I literally just wrote it and do not know if I mistyped anything or if there is a flaw.
You would then apply this patch definition to the device you desire to patch for testing via the bolded and underlined above. After testing is completed - re-comment those lines and all of your systems should get the patch if they are vulnerable.
*Note: to scope which devices get this patch - I would advise applying a query filter to the custom definition detection rules.
*Note: this will patch bash to the latest version. The current shell shock patch does not require a reboot - but if your systems are out of date, a previous bash patch may require one.
Please also see: Linux - Patching Bash - Latest CVE-2014-6278
Hope this helps,
Peter
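As an added example (not code from the post above or from LANDESK), the same Shellshock (CVE-2014-6271) check written so that detection is a separate, read-only function whose result is read in the parent shell. Two details matter: on an unpatched bash both the injected command and the `-c` command print, so the script has to look for a marker the injection emits rather than for the absence of "Not Vulnerable"; and any variable assigned inside the child bash is never seen by the calling script, so the exit status must be decided from captured output. The log path and the "dry" mode argument are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from LANDESK.
# Shellshock (CVE-2014-6271) detection kept separate from remediation so the
# check can be run read-only on a test device before any patching is enabled.
# LOGFILE and the "dry" argument are assumptions made for this example.

LOGFILE="${LOGFILE:-/opt/landesk/vulscan-bash-patchlog.ini}"

# Return 0 if the bash at $1 runs code appended to an exported function
# definition (the CVE-2014-6271 pattern), 1 otherwise.
# The marker is captured from the child's stdout in this (parent) shell;
# a variable assigned inside the child would never be visible here.
shellshock_vulnerable() {
    target="${1:-/bin/bash}"
    # On a vulnerable bash BOTH the injected "echo VULNERABLE" and the -c
    # command print, so look for the marker rather than for "Not Vulnerable".
    out=$(envx='() { :;}; echo VULNERABLE' "$target" -c 'echo Not Vulnerable' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Detect and, unless $2 is "dry", patch. The return status follows the custom
# definition convention used in the post: 1 with the reason on stdout when the
# host was vulnerable and an update was run, 0 when nothing was needed.
detect_and_patch() {
    bash_path="${1:-/bin/bash}"
    mode="${2:-live}"
    if shellshock_vulnerable "$bash_path"; then
        if [ "$mode" = "dry" ]; then
            echo "[dry-run] would run: yum -y update bash > $LOGFILE" >&2
        else
            yum -y update bash > "$LOGFILE" 2>&1
        fi
        echo "Yum Check-Update Ran-Vulnerable to Shell Shock - Bash Patch"
        echo "Yum Check-Bash Update Ran" >&2
        return 1
    fi
    echo "Not Vulnerable"
    return 0
}

# Usage (uncomment the one you want when running this as a script):
#   detect_and_patch /bin/bash dry    # report only, never calls yum
#   detect_and_patch /bin/bash        # report and patch
#   exit $?                           # hand the status to the custom definition
```

Run it in "dry" mode on one host first; the marker check works against any interpreter path you pass, so a second bash build (for example one installed from source) can be tested the same way.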