10 Ansible Security Best Practices

As a configuration management tool, Ansible is widely used in IT infrastructure to deploy and manage applications. However, like any other tool, Ansible must be used with security in mind.

In this article, we will discuss 10 Ansible security best practices that will help you secure your Ansible infrastructure. By following these best practices, you can help ensure that your Ansible infrastructure is secure and compliant.

1. Use Ansible Vault for sensitive data

Ansible Vault is a feature of Ansible that allows you to encrypt sensitive data, such as passwords, API keys, and SSH keys. This is important because if someone were to gain access to your Ansible playbooks, they would also have access to any sensitive data that is not encrypted.

To use Ansible Vault, simply create a file with the sensitive data and then encrypt it using the ansible-vault command. For example, to encrypt a file called secrets.yml, you would run the following command:

ansible-vault encrypt secrets.yml

You will be prompted to enter a password, which will be used to encrypt the file. Once the file is encrypted, you can view it by running the following command:

ansible-vault view secrets.yml

And you can edit it by running the following command:

ansible-vault edit secrets.yml

It’s important to note that the files that are encrypted with Ansible Vault are not compatible with other versions of Ansible, so make sure to keep track of which version of Ansible was used to encrypt the file.

Also, when you share an encrypted file with someone, they will need the password to decrypt it. So make sure to store the password in a secure location, such as a password manager.

2. Limit access to the control machine

The control machine is the server from which you run Ansible commands and playbooks. Because it contains sensitive information like passwords and SSH keys, it’s important to protect it from unauthorized access.

One way to do this is to limit who can log in to the control machine. For example, you can allow only certain users to log in, or you can use SSH keys for authentication instead of passwords.

You can also use a firewall to restrict access to the control machine. For example, you can allow only certain IP addresses to connect to the machine, or you can use a VPN.

Finally, you should keep the control machine up to date with the latest security patches. This will help to prevent attackers from exploiting any vulnerabilities that may be present.

3. Create a separate user account for running Ansible

When you run Ansible as your regular user account, it has access to all of the same files that you do. This means that if an attacker were to compromise your account, they would also have access to any sensitive files that you have access to, including any files used by Ansible.

Creating a separate user account for running Ansible limits the damage that can be done if your account is compromised. The attacker would only have access to the files that are owned by the Ansible user, which should be limited to only the files needed for Ansible to function.

Additionally, you should consider using a tool like Ansible Vault to encrypt sensitive data used by Ansible. This way, even if an attacker were to gain access to the Ansible user’s files, they would still not be able to read the encrypted data.

4. Run your playbooks as read-only

When you run a playbook, Ansible will connect to each of the hosts in your inventory in order to execute the tasks in the play. By default, Ansible will use SSH to connect to these hosts.

If you’re not using read-only mode, then this means that Ansible will have write access to all of the servers in your inventory. This is a major security risk, as it means that if an attacker were to gain access to your Ansible control server, they would also gain access to all of the servers in your inventory.

By running your playbooks in read-only mode, you can mitigate this risk, as Ansible will only have read access to the servers in your inventory. This means that even if an attacker were to gain access to your Ansible control server, they would not be able to modify any files on the servers in your inventory.

To enable read-only mode, simply add the following line to your ansible.cfg file:

ansible_become_method=sudo

This will cause Ansible to use sudo when connecting to remote hosts, which will give it read-only access to the remote servers.

5. Don’t run playbooks as root

If a playbook is run as root and contains tasks that should not be run as root, then those tasks will be executed with root privileges. This could lead to serious security implications, such as data loss or leakage, privilege escalation, or even complete system compromise.

It’s much better to create a dedicated Ansible user that has only the necessary privileges to run playbooks. This can be done using standard Linux tools like sudo or by creating a new user specifically for Ansible with something like ansible-create-user.

6. Use SSH keys instead of passwords

Passwords can be easily guessed, brute forced, or simply stolen. SSH keys, on the other hand, are much more difficult to crack. They are also more convenient to use, as you don’t need to enter a password every time you want to connect to a remote host.

It’s recommended that you generate a new SSH key pair for each user and each host. This way, if one key is compromised, the others will still be safe.

To generate an SSH key pair, you can use the ssh-keygen command. Be sure to use a strong passphrase to protect your private key.

7. Harden your SSH daemon configuration

The SSH daemon is the server component of SSH that allows remote clients to connect to a system. By default, the SSH daemon is configured to allow password-based authentication. However, this is not considered to be a secure authentication method, as passwords can be easily guessed or brute forced.

A better authentication method is to use public key authentication. With this method, the client generates a public/private key pair and stores the private key on their local system. The public key is then added to the user’s account on the server. When the user attempts to connect to the server, they will need to provide the private key, which will be used to authenticate them.

Public key authentication is much more secure than password-based authentication, as it is virtually impossible to brute force. Therefore, it is recommended that you disable password-based authentication and only allow public key authentication when using Ansible.

8. Disable unnecessary services and ports

If a service or port is not being used, there’s no reason to have it enabled. By disabling these services and ports, you’re reducing your attack surface and making it more difficult for an attacker to find a way into your system.

To disable a service, use the ansible service module. For example, to disable the httpd service, you would use the following task:

– name: Disable the httpd service
service:
name: httpd
state: stopped

To disable a port, use the ansible firewall module. For example, to disable the SSH port (port 22), you would use the following task:

– name: Disable the SSH port
firewalld:
port: 22/tcp
permanent: true
state: disabled

9. Enable firewall rules on managed hosts

If you’re not familiar with firewalls, they basically act as a barrier between your computer and the internet. They block incoming connections that might be harmful to your system.

Enabling firewall rules on your managed hosts will help protect them from malicious attacks. Ansible makes it easy to do this with its built-in firewall module.

To enable firewall rules on your hosts, add the following task to your playbook:

– name: Enable firewall rules
hosts: all
tasks:
– name: Ensure iptables is running
service:
name: iptables
state: started
– name: Allow SSH traffic
iptables:
chain: INPUT
jump: ACCEPT
dport: 22
proto: tcp
– name: Allow HTTP traffic
iptables:
chain: INPUT
jump: ACCEPT
dport: 80
proto: tcp
– name: Allow HTTPS traffic
iptables:
chain: INPUT
jump: ACCEPT
dport: 443
proto: tcp

This task will ensure that the iptables service is running and then add rules to allow SSH, HTTP, and HTTPS traffic. You can of course customize these rules to allow other types of traffic that your hosts need.

Once you’ve added this task to your playbook, run it to enable the firewall rules on your hosts.

10. Keep your inventory file secure

Your inventory file contains a list of all the hosts that Ansible is configured to manage. This means that it also contains sensitive information like IP addresses, usernames, and passwords. If this file were to fall into the wrong hands, an attacker could gain access to your entire infrastructure.

To keep your inventory file secure, you should encrypt it with a tool like ansible-vault. ansible-vault is a command-line tool that allows you to encrypt and decrypt files. You can use it to encrypt your inventory file so that only people with the correct password can view its contents.

Once you’ve encrypted your inventory file, you can store it in a safe place like a password-protected zip file or a private Git repository.