Advanced Security Practices in Ansible
Introduction
Security is a paramount concern in any IT environment. Ansible, an open-source automation tool, provides several advanced security practices to ensure your infrastructure remains secure. This tutorial will guide you through these practices, explaining each concept with detailed examples.
1. Using Vault for Secret Management
Ansible Vault allows you to securely store and manage sensitive data such as passwords, API keys, and other secrets.
Creating a Vault
To create a new vault file, use the following command:
ansible-vault create secret.yml
You will be prompted to enter a password. This password will be used to encrypt and decrypt the vault file.
Editing a Vault
To edit an existing vault file, use:
ansible-vault edit secret.yml
Using Vault in Playbooks
To use the encrypted variables in your playbooks, reference the vault file:
---
- hosts: localhost
vars_files:
- secret.yml
tasks:
- debug:
msg: "The secret is {{ secret_variable }}"
2. Role-Based Access Control (RBAC)
Implementing RBAC ensures that users have the minimal level of access required to perform their tasks, enhancing security.
Defining Roles
Define roles in your infrastructure by creating role-specific playbooks and inventories. For example:
---
- name: Web Server Setup
hosts: web_servers
roles:
- { role: common }
- { role: webserver }
Assigning Permissions
Use Ansible Tower or AWX to assign roles and permissions to users, ensuring that each user can access only what they need.
3. Ensuring Idempotency
Idempotency ensures that a task can be applied multiple times without changing the result beyond the initial application.
Writing Idempotent Tasks
Ensure your tasks are idempotent by checking the state before making changes. For example:
---
- name: Ensure NGINX is installed
apt:
name: nginx
state: present
4. Using SSH Keys
SSH keys provide a secure way of logging into your servers and can be used instead of passwords.
Generating SSH Keys
Generate a new SSH key pair using:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
Configuring Ansible to Use SSH Keys
Ensure your inventory file references the private key:
[web_servers]
web1 ansible_host=192.168.1.10 ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/id_rsa
5. Enforcing Strong Password Policies
Strong password policies are crucial for securing your infrastructure.
Using Ansible to Enforce Password Policies
Create a playbook to enforce strong password policies:
---
- name: Enforce Password Policies
hosts: all
tasks:
- name: Set password complexity requirements
lineinfile:
dest: /etc/security/pwquality.conf
regexp: '^# minlen'
line: 'minlen = 12'
6. Logging and Auditing
Logging and auditing help you track changes and detect any suspicious activities in your infrastructure.
Configuring Logging in Ansible
Enable logging by setting the log_path in your ansible.cfg file:
[defaults]
log_path = /var/log/ansible.log
Auditing Changes
Regularly audit the logs to detect any unauthorized changes:
tail -f /var/log/ansible.log
7. Network Security
Securing your network is essential for protecting your infrastructure from external threats.
Using Firewalls
Configure firewalls to restrict access to your servers:
---
- name: Ensure UFW is installed
apt:
name: ufw
state: present
- name: Allow SSH
ufw:
rule: allow
name: OpenSSH
- name: Enable UFW
ufw:
state: enabled
Conclusion
By following these advanced security practices, you can significantly improve the security of your Ansible-managed infrastructure. Regularly review and update your security measures to adapt to new threats and vulnerabilities.