Sunday, May 24, 2020

Ansible as a security tool

I'm on the path to learning Ansible, but in this short time I have found some interesting characteristics of this tool that could help in the process of implementing a security framework like ISO-27002 or PCI-DSS.

Eliminate default or weak configurations. Ansible is not smart enough to identify the correct configuration for services; here the administrator's experience is what identifies the changes needed to keep them secure. Ansible helps not only to centralize the configuration but also to apply these configurations across the infrastructure without leaving any system out.

Generate secure baselines. Once you have a playbook ready to provision a server or a service, it can be used to keep the same base configuration across the rest of the infrastructure. If a configuration needs to be modified, the change can be made in the playbook, which leaves it ready for the next provisioning. Another advantage is that the playbook documents the configuration by itself.

Maintain an updated asset inventory. Inventories are the cornerstone of Ansible. An inventory is not only a list of the hosts under Ansible's control; the administrator can also define groups to identify hosts easily. Another advantage is that these inventories can be generated automatically.

But Ansible is not all hunky-dory. There are some important characteristics that, if not well managed, could be a security risk.

User access to manage services. Ansible can access hosts using even a privileged user account. This is probably the easiest practice, but not the best. It is important to configure the SSH service so that Ansible cannot log in as the root user, and to use unprivileged accounts for access, escalating privileges with become.
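One way to put the paragraph above into a playbook, as an added example that is not from the original post: the play connects with an unprivileged account, refuses to continue if that account is root, escalates with become only on the tasks that need it, and disables root login in sshd. Assumptions (constructed names): an inventory group `managed`, a login account `ansible-svc` with sudo rights, a service named `sshd`, and a single `PermitRootLogin` directive in `/etc/ssh/sshd_config`.

```yaml
# Added example; group, account and service names are assumptions.
- name: Connect unprivileged, escalate with become, disable root SSH login
  hosts: managed
  remote_user: ansible-svc     # assumption: unprivileged account with sudo
  become: false                # no blanket escalation; opt in per task
  gather_facts: true

  tasks:
    - name: Stop if the play is connecting as root
      ansible.builtin.assert:
        that:
          - ansible_user_id != 'root'
        fail_msg: "Connect with an unprivileged account and use become."

    - name: Refuse direct root logins over SSH
      become: true
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s   # reject a file sshd cannot parse
      notify: Reload sshd

    - name: Read the effective sshd configuration
      become: true
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    - name: Confirm that no other directive re-enables root login
      ansible.builtin.assert:
        that:
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
        fail_msg: "Another PermitRootLogin directive overrides the baseline."

  handlers:
    - name: Reload sshd
      become: true
      ansible.builtin.service:
        name: sshd               # assumption: named "ssh" on Debian/Ubuntu
        state: reloaded
```

Run it once while a second session to the host is still open, so that a mistake in the account or sudo setup does not lock you out.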

Protect the account where you run Ansible. As with any other digital tool, such as your email client, a person sitting in front of the computer could have access to Ansible and perform any action. It's important to keep the computer where you use Ansible secure. Lock the screen when you are not attending it. Use a strong password or passphrase and keep it updated.

If you are using Ansible and identify any other advantage or how you can improve its security, share with us your thoughts and leave a comment to help me and others to learn more about this important tool.

