# Security Best Practices

## Overview

Comprehensive guide to securing your Ansible automation infrastructure.

## Authentication & Authorization

### Ansible Vault
```yaml
# Example of vault encryption: secrets live in an encrypted vars file
# (created with `ansible-vault create vault/secrets.yml`) that is loaded
# at play level, so the template never reads plaintext from disk.
# `vars_files` is a play keyword, not a task keyword.
- hosts: app_servers   # host group name is illustrative
  vars_files:
    - vault/secrets.yml
  tasks:
    - name: Deploy secure configuration
      template:
        src: secure_template.j2
        dest: /etc/app/config
        mode: '0600'   # rendered file contains the secrets, restrict it
```
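As an added example (not part of this page or of Ansible itself), a stdlib-only Python check of the kind run from a pre-commit hook: it verifies that a vars file is vault-encrypted, or flags secret-looking keys whose values are plaintext. The key-name heuristic and the sample vars file are constructed for the example.

```python
import re

# Header ansible-vault writes at the top of every encrypted file or inline
# string: format 1.1 is a plain vault, 1.2 carries a vault-id label.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w-]+)?\s*$")

# Variable names that should only ever hold encrypted values (heuristic)
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)


def is_vault_encrypted(text: str) -> bool:
    """True when the whole file is a vault payload (first line is the header)."""
    first_line = text.lstrip().splitlines()[0] if text.strip() else ""
    return bool(VAULT_HEADER.match(first_line))


def find_plaintext_secrets(text: str) -> list:
    """Return (line_no, key) for secret-looking keys whose value is neither a
    `!vault` block nor a `{{ ... }}` reference to another (vaulted) variable.
    Line-based on purpose: no YAML parser needed and nothing is evaluated."""
    if is_vault_encrypted(text):
        return []  # whole-file encryption covers every key
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*([A-Za-z_]\w*)\s*:\s*(.*)$", line)
        if not m or not SECRET_KEY.search(m.group(1)):
            continue
        value = m.group(2).strip().strip("'\"")
        if value.startswith("!vault") or value.startswith("{{"):
            continue
        findings.append((line_no, m.group(1)))
    return findings


# Constructed sample vars file: one inline-vaulted value (ciphertext body is
# fake), one reference to a vaulted variable, and one plaintext token.
SAMPLE_VARS = """\
db_user: app
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31323334353637383930
api_token: hunter2
smtp_password: "{{ vault_smtp_password }}"
"""

if __name__ == "__main__":
    for line_no, key in find_plaintext_secrets(SAMPLE_VARS):
        print(f"line {line_no}: '{key}' is not vault-encrypted")
```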
### SSH Hardening

```yaml
# Secure SSH configuration: render sshd_config from a template, validate
# the result before it replaces the live file, and reload sshd on change.
# The yes/no values are quoted: unquoted YAML `no` becomes boolean False
# and would render as "False", which sshd rejects.
- name: Configure SSH
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    mode: '0600'
    validate: '/usr/sbin/sshd -t -f %s'
  vars:
    ssh_password_authentication: "no"
    ssh_permit_root_login: "no"
    ssh_pubkey_authentication: "yes"
  notify: restart sshd   # handler assumed to be defined in the play
```
## Secure Communication

### TLS/SSL Configuration

```yaml
# Private key material must be 0600 and root-owned; the public certificate
# may be relaxed to 0644 if a non-root service needs to read it.
- name: Deploy certificates
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: '0600'
  loop:
    - { src: 'certs/server.key', dest: '/etc/ssl/private/' }
    - { src: 'certs/server.crt', dest: '/etc/ssl/certs/' }
```
### Network Security

- Firewall configuration
- Network segmentation
- Secure communication channels
## Access Control

### Privilege Escalation

```yaml
# Escalate only as far as the task needs: become the application user,
# not root. Becoming a non-root user via sudo requires a matching sudoers rule.
- name: Secure operation
  become: yes
  become_method: sudo
  become_user: app_user
  block:
    - name: Protected task
      file:
        path: /secure/location
        state: directory
        mode: '0700'
```
### Role-Based Access

- Implement least privilege
- Regular access reviews
- Audit logging
## Compliance & Auditing

### Audit Trails

```yaml
# Pin the auditd log location; auditd re-reads its config only on restart
- name: Enable audit logging
  lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^log_file'
    line: 'log_file = /var/log/audit/audit.log'
```
### Compliance Checks

```yaml
# failed_when is evaluated once per loop item. A missing file has no
# stat.mode, so check existence first or the expression itself errors.
- name: Check file permissions
  stat:
    path: "{{ item }}"
  loop: "{{ secure_files }}"
  register: file_stats
  failed_when: not file_stats.stat.exists or file_stats.stat.mode != '0600'
```
## Security Testing

### Automated Security Scans

```yaml
# `security_scanner` stands in for whichever scanner you use. A read-only
# scan never changes the host, so report it as unchanged.
- name: Run security scan
  command: security_scanner --profile high
  register: scan_results
  changed_when: false
  failed_when: scan_results.rc != 0
```
## Incident Response

### Security Monitoring

- Log aggregation
- Alerts configuration
- Response automation

### Recovery Procedures

- Backup verification
- Restore testing
- Incident playbooks
## Security Checklist

- [ ] Vault encryption
- [ ] SSH hardening
- [ ] TLS/SSL implementation
- [ ] Access control review
- [ ] Audit logging
- [ ] Regular security scans
- [ ] Incident response plan