Free<\/strong>. Ansible is an open-source tool.<\/li>

Very simple to set up and use<\/strong>. No special coding skills are necessary to use Ansible\u2019s playbooks (more on playbooks later).<\/li>

Powerful<\/strong>. Ansible lets you model even highly complex IT workflows.\u00a0<\/li>

Flexible<\/strong>. You can orchestrate the entire application environment no matter where it\u2019s deployed. You can also customize it based on your needs.<\/li>

Agentless<\/strong>. You don\u2019t need to install any other software or firewall ports on the client systems you want to automate. You also don\u2019t have to set up a separate management structure.<\/li>

Efficient<\/strong>. Because you don\u2019t need to install any extra software, there\u2019s more room for application resources on your server.<\/li><\/ul>\n\n\n\n
Security Improvement<\/h2>\n\n\n\n
$\"\"$ <\/figure><\/div>\n\n\n\n
For a mission to one of my clients, Ansible was used to make security auditing tools, for that some security improvement was done by using the engine specific features: privilege escalation to avoid a ssh connection using super-user, a \u201cvault\u201d to store sensible information\u2019s like credentials\u2026 <\/p>\n\n\n\n
Privilege Escalation<\/h4>\n\n\n\n
Some Network Element (NE) Specific script needs to have access to some commands with high privilege.<\/p>\n\n\n\n
Ansible\nallows you to \u2018become\u2019 another user, different from the user that logged into\nthe machine (remote user). This is done using existing privilege escalation\ntools such as\u00a0sudo,\u00a0su,\u00a0pfexec,\u00a0doas,\u00a0pbrun,\u00a0dzdo,\u00a0ksu,\u00a0runas,\u00a0machinectl\u00a0and others.<\/p>\n\n\n\n
$\"\"$ <\/figure><\/div>\n\n\n\n
The above situation comes with the security policy of the company. Allowing people to ssh to remote as super-user will expose the password of the super-user, which could be a potential security risk.
<\/p>\n\n\n\n
Usage of vault<\/h4>\n\n\n\n
At the first step of\ndevelopment, the audit tool engine uses a config file (host.ini) to store all\nNE address and specifics variables credentials associated. <\/p>\n\n\n\n
In the second step of\ndevelopment, for security improvement, the specifics variables credentials can\nbe crypted and stored inside a Vault.\u00a0 <\/p>\n\n\n\n
Vault is a feature of\nansible that allows keeping sensitive data such as passwords or keys in\nencrypted files rather than as plaintext in playbooks or roles. AES-256\nalgorithm is used to encrypt, the variables are decrypted on runtime.<\/p>\n\n\n\n
$\"\"$ <\/figure>\n\n\n\n
Usage of Ansible-Vault to store sensible variables.<\/p>\n\n\n\n
Below,\nthe\u00a0result example of ansible-vault encrypt\u00a0command.<\/p>\n\n\n\n
the_secret_variable: !vault |\n $ANSIBLE_VAULT;1.1;AES256\n 62313365396662343061393464336163383764373764613633653634306231386433626436623361\n 6134333665353966363534333632666535333761666131620a663537646436643839616531643561\n 63396265333966386166373632626539326166353965363262633030333630313338646335303630\n 3438626666666137650a353638643435666633633964366338633066623234616432373231333331\n 6564<\/code><\/pre>\n\n\n\nThe management of the\nvault (create\/edit\/encrypt variables) should be done by a security officer.<\/p>\n<\/body>","protected":false},"excerpt":{"rendered":" Ansible is an open-source automation tool, or platform, used for IT tasks such as configuration management, application deployment, intraservice orchestration<\/p>\n","protected":false},"author":1,"featured_media":782,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[86,87,81],"class_list":["post-777","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-ansible","tag-devops","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/imalogic.com\/blog\/wp-content\/uploads\/2019\/10\/images.png?fit=224%2C225&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8J21V-cx","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/posts\/777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/comments?post=777"}],"version-history":[{"count":1,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/posts\/777\/revisions"}],"predecessor-version":[{"id":783,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/posts\/777\/revisions\/783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/media\/782"}],"wp:attachment":[{"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/media?parent=777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/categories?post=777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/imalogic.com\/blog\/wp-json\/wp\/v2\/tags?post=777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}