Ansible is an open-source automation tool, or platform, used for IT tasks such as configuration management, application deployment, intraservice orchestration and provisioning. Automation is crucial these days, with IT environments that are too complex and often need to scale too quickly for system administrators and developers to keep up if they had to do everything manually. Automation simplifies complex tasks, not just making developers’ jobs more manageable but allowing them to focus attention on other tasks that add value to an organization. In other words, it frees up time and increases efficiency. And Ansible, as noted above, is rapidly rising to the top in the world of automation tools. Let’s look at some of the reasons for Ansible’s popularity.
Advantages of Ansible
- Free. Ansible is an open-source tool.
- Very simple to set up and use. No special coding skills are necessary to use Ansible’s playbooks (more on playbooks later).
- Powerful. Ansible lets you model even highly complex IT workflows.
- Flexible. You can orchestrate the entire application environment no matter where it’s deployed. You can also customize it based on your needs.
- Agentless. You don’t need to install any other software or firewall ports on the client systems you want to automate. You also don’t have to set up a separate management structure.
- Efficient. Because you don’t need to install any extra software, there’s more room for application resources on your server.
Security Improvement
For a mission to one of my clients, Ansible was used to make security auditing tools, for that some security improvement was done by using the engine specific features: privilege escalation to avoid a ssh connection using super-user, a “vault” to store sensible information’s like credentials…
Privilege Escalation
Some Network Element (NE) Specific script needs to have access to some commands with high privilege.
Ansible allows you to ‘become’ another user, different from the user that logged into the machine (remote user). This is done using existing privilege escalation tools such as sudo, su, pfexec, doas, pbrun, dzdo, ksu, runas, machinectl and others.
The above situation comes with the security policy of the company. Allowing people to ssh to remote as super-user will expose the password of the super-user, which could be a potential security risk.
Usage of vault
At the first step of development, the audit tool engine uses a config file (host.ini) to store all NE address and specifics variables credentials associated.
In the second step of development, for security improvement, the specifics variables credentials can be crypted and stored inside a Vault.
Vault is a feature of ansible that allows keeping sensitive data such as passwords or keys in encrypted files rather than as plaintext in playbooks or roles. AES-256 algorithm is used to encrypt, the variables are decrypted on runtime.
Usage of Ansible-Vault to store sensible variables.
Below, the result example of ansible-vault encrypt command.
the_secret_variable: !vault |
$ANSIBLE_VAULT;1.1;AES256
62313365396662343061393464336163383764373764613633653634306231386433626436623361
6134333665353966363534333632666535333761666131620a663537646436643839616531643561
63396265333966386166373632626539326166353965363262633030333630313338646335303630
3438626666666137650a353638643435666633633964366338633066623234616432373231333331
6564
The management of the vault (create/edit/encrypt variables) should be done by a security officer.