Sunday, May 24, 2020

Ansible as a security tool

I'm on the path to learning Ansible, but in this short time I have found some interesting characteristics of this tool that could help in implementing a security framework like ISO-27002 or PCI-DSS.

Eliminate default or weak configurations. Ansible is not smart enough to identify the correct configuration for services; here the administrator's experience is what identifies the changes needed to keep them secure. Ansible helps not only to centralize the configuration but also to apply it across the infrastructure without leaving any system out.

Generate secure baselines. Once you have a playbook ready to provision a server or a service, it can be used to keep the same base configuration across the rest of the infrastructure. If a configuration needs to change, the change can be made in the playbook, leaving it ready for the next provision. Another advantage is that the playbook documents the configuration by itself.

Maintain an updated asset inventory. Inventories are the cornerstone of Ansible. An inventory is not only a list of the hosts under Ansible's control; the administrator can also define groups to identify hosts easily. Another advantage is that these inventories can be generated automatically.

But Ansible is not all hunky-dory. There are some important characteristics that could be a security risk if they are not well managed.

User access to manage services. Ansible can access hosts even with privileged user accounts. This is probably the easiest practice, but not the best. It is important to configure the SSH service so that Ansible cannot log in as the root user, and to use unprivileged accounts to connect and escalate privileges using become.
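
The practice described above, as an added example that is not from the original post: a playbook that connects as the unprivileged pi account, escalates with become only for the tasks that need it, and disables root logins in sshd_config. The group name raspberries, the file names and the inventory addresses are assumptions.

```yaml
# harden_ssh.yml (hypothetical file name)
# Run with: ansible-playbook -i inventory.ini harden_ssh.yml
#
# Assumed inventory.ini (constructed sample, documentation addresses):
#   [raspberries]
#   192.0.2.11
#   192.0.2.12
- name: Manage hosts as an unprivileged user and forbid root SSH logins
  hosts: raspberries
  remote_user: pi        # unprivileged account used for the SSH connection
  become: false          # tasks run unprivileged unless they ask for more

  tasks:
    - name: Stop if the connection itself was made as root
      assert:
        that: ansible_user_id != 'root'
        fail_msg: "Connect as an unprivileged account and escalate with become."

    - name: Disable root login over SSH
      become: true       # escalate only for this task
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: PermitRootLogin no
        # sshd checks the edited copy before it replaces the live file,
        # so a syntax error cannot lock Ansible out of the host.
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      become: true
      service:
        name: ssh        # service name on Debian/Raspbian
        state: restarted
```

The handler runs only when the sshd_config line actually changed, so repeated runs leave a compliant host untouched.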

Protect the account where you are running Ansible. As with any other digital tool, like your email client, a person sitting in front of the computer could have access to Ansible and perform any action. It's important to keep the computer where you use Ansible secure. Lock the screen when you are not attending it. Use a strong password or passphrase and keep it updated.

If you are using Ansible and identify any other advantage or a way to improve its security, share your thoughts with us and leave a comment to help me and others learn more about this important tool.


Friday, May 15, 2020

Ansible In Raspberry Cluster 2nd part


The next step is to build the cluster: install the operating system on each SD card, and connect the Raspberries to the network and power.

The Raspberry Pi website offers different operating systems to install on our devices. I'm using Raspbian, a version of Debian for the Raspberry Pi. The process to install it is quite easy.

First, download the operating system image from the Raspberry Pi website and decompress it to get a file with the extension .img.

After that, connect the SD card to your computer using a card slot or an adapter.

Many Linux distributions come with a pre-installed application called "Disks" to manage the content of storage devices.

In this application, select the SD card and, from the menu, select the option to restore an image.

This option opens a new window where you have to find the file with the extension .img and select it.

Once you have selected the .img file, click Start and the image will be restored onto the SD card.

When this process is over, disconnect the SD card and reconnect it to the computer; this will mount the SD card on your system. In the boot partition of the SD card, you have to create a file named ssh. After this, unmount all the partitions on the SD card and disconnect it from your computer.

Insert the SD card into your Raspberry Pi and turn it on.

You need to look in your ISP's router or in the logs of your DHCP service to find which IP address was assigned to the Raspberry.

From a terminal, connect via ssh using the user "pi" and the IP address obtained in the previous step.

To log in to the Raspberry, use the password "raspberry".

Now you are in the Raspberry. The following steps configure a base system. When you finish them, you can generate your own image and use it to create the SD cards for the rest of the Raspberries.

First, using the system tool raspi-config, change the pi password and the time zone.

Second, on the system from which you will manage your cluster, create an SSH key pair using ssh-keygen and copy the public key to the Raspberry with ssh-copy-id (https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md).

After this, reboot your Raspberry and try to access it using ssh. This time, you will not need a password.

If everything is correct, the next step is to turn off the Raspberry, extract the SD card and connect it to your computer again. Using the same application, "Disks", create your own .img file.

Use this last .img file to create the SD cards for the rest of your Raspberries.

Finally, use the package manager on your system to install Ansible. On Ubuntu/Debian, use apt install ansible.

Now it is time to get our hands dirty with Ansible.


  





Sunday, May 10, 2020

Ansible In Raspberry Cluster 1st part

The intention of this blog is to document the process of creating a cluster using 2 Raspberry Pi 3B and to learn the use of different DevOps tools. The first of these tools is Ansible, an orchestration tool to manage more than one system in an easy way.

Of course, I'm writing a blog instead of keeping this process in a notebook because I want to share it with people who are interested in technology and these topics.

So, let's start from the beginning:

For this project I'll use:

  • 2 Raspberry Pi model 3B.
  • 2 16 GB SD cards. 
  • 3 USB Micro B cables.
  • 1 multi-port USB charger.
  • 1 communication Switch.
  • 3 UTP Cat 5 cables.
  • 1 laptop.



The Raspberry Pies

For those who don't know this project, a Raspberry Pi is a small computer about the same size as a credit card. To work, this computer needs a USB power supply, like a cellphone charger or, preferably, an official Raspberry Pi power supply.

I'm going to use 2 Raspberry Pis (I hope to increase the number of Raspberries in the future). The model I'm going to use is the 3B. As of May 2020 it is not the most recent model, but these are the computers that I have.

Raspberries use SD cards as their "hard drive". In this case I'm going to use 16 GB SD cards, because those are the cards that I have within reach.


The communication infrastructure

My communication infrastructure consists of a cheap switch and enough UTP cables to interconnect the Raspberries and the laptop and to share the Internet access.

The laptop and the virtual environment

Lastly, I'm going to use my laptop as a command centre and to host a virtual laboratory where I can test the configurations before passing them to the cluster. On this laptop I'm going to store the base image for the Raspberry Pis' "hard drive" to avoid configuring each computer by hand.


In the next entry, I'll write about the process to install Raspbian as the operating system for the Raspberries, how to generate an image on the laptop to avoid preparing the card separately for each Raspberry, and how to leave the cluster ready to work with.

If you have a question about this, leave a message.






