10 KiB
10 KiB
description, argument-hint
| description | argument-hint |
|---|---|
| Security review of Ansible code | Optional code to review |
Ansible Security Review
You are conducting a security review of Ansible code for vulnerabilities, credential handling, privilege escalation, and compliance using the ansible-security-reviewer agent.
Workflow
1. Identify Security Review Scope
Determine what requires security review:
- New code: Before initial deployment
- Existing code: Regular security audits
- Production code: Before production deployment
- High-risk operations: Privileged access, credential handling
- Compliance check: PCI-DSS, HIPAA, GDPR, SOC2
2. Gather Code and Requirements
If not specified, ask for:
- Code to review:
- File paths or directories
- Or paste code directly
- Environment criticality:
- Production (strict standards)
- Staging (moderate standards)
- Development (baseline standards)
- Compliance requirements:
- PCI-DSS (payment card data)
- HIPAA (healthcare)
- GDPR (EU data privacy)
- SOC 2 (security controls)
- CIS Benchmarks
- Specific security concerns:
- Credential management
- Privilege escalation
- File permissions
- Network security
- Supply chain security
- Risk tolerance:
- Zero tolerance (financial, healthcare)
- Moderate (enterprise)
- Standard (general business)
3. Pre-Security Scan
Run automated security scans first:
# Check for hardcoded secrets
trufflehog filesystem . --only-verified
# Git secrets scan
git secrets --scan
# ansible-lint security profile
ansible-lint --profile security roles/
# Check vault files are encrypted
find . -name "vault*.yml" -exec ansible-vault view {} \;
4. Launch Security Reviewer
Launch ansible-security-reviewer with:
"Perform security review of Ansible code at [location].
Environment: [production/staging/development]
Compliance: [requirements if any]
Risk tolerance: [zero/moderate/standard]
Focus on:
- Hardcoded credentials and secrets
- Ansible Vault usage
- Privilege escalation (become/sudo)
- File and directory permissions
- Command injection risks
- Template injection risks
- Network security (HTTPS, certs)
- Logging secrets (no_log)
- Supply chain security
- Audit and compliance"
5. Analyze Security Findings
Agent categorizes by severity:
Critical (Block all deployment):
- Hardcoded passwords, API keys, tokens
- Credentials in unencrypted files
- Credentials committed to Git
- Missing Ansible Vault
- World-readable sensitive files
- Command injection vulnerabilities
- Privileged containers without justification
High (Fix before production):
- Secrets in logs (missing
no_log) - Excessive privilege escalation
- Weak file permissions on sensitive files
- Disabled certificate validation
- No backup before destructive operations
- Missing input validation
- Unencrypted network protocols
Medium (Address within sprint):
- Generic variable names (potential conflicts)
- No audit logging
- Supply chain: unpinned versions
- Missing security headers
- Verbose logging in production
- No secrets rotation plan
Low (Best practice improvements):
- Could use stricter permissions
- Documentation of security decisions
- Security testing gaps
- Monitoring improvements
6. Remediation Planning
Create security fix plan:
Immediate (0-24 hours):
- Remove all hardcoded credentials
- Encrypt with Ansible Vault
- Fix critical file permissions
- Add
no_logto sensitive tasks
Short-term (1-7 days):
- Implement external secret management
- Reduce privilege escalation
- Fix injection vulnerabilities
- Enable certificate validation
- Add audit logging
Long-term (1-3 months):
- Migrate to HashiCorp Vault / AWS Secrets Manager
- Implement secret rotation
- Security scanning in CI/CD
- Regular security audits
Security Review Categories
Credential Management
Agent scans for:
- Hardcoded passwords
- API keys in plain text
- SSH keys in code
- Database credentials
- Certificates and private keys
- Unencrypted vault files
Critical Issues:
# CRITICAL - Hardcoded password
- name: Create database user
postgresql_user:
name: appuser
password: "SuperSecret123!" # EXPOSED!
# FIX - Use Vault
- name: Create database user
postgresql_user:
name: appuser
password: "{{ vault_db_password }}"
no_log: true
Privilege Escalation
Agent checks:
- Unnecessary root/sudo usage
- Overly broad sudo permissions
- become_user validation
- Principle of least privilege
Issues:
# BAD - Unnecessary root
- name: Create user file
become: yes
become_user: root
ansible.builtin.copy:
src: user_config
dest: /home/appuser/.config
# GOOD - Run as user
- name: Create user file
become: yes
become_user: appuser
ansible.builtin.copy:
src: user_config
dest: /home/appuser/.config
File Permissions
Agent verifies:
- Sensitive files not world-readable
- Directories properly restricted
- SSH config and keys secured
- Vault files protected
Critical Issues:
# CRITICAL - World readable
- name: Create SSH private key
ansible.builtin.copy:
src: id_rsa
dest: /home/user/.ssh/id_rsa
# Missing mode! Defaults to 0644
# FIX - Proper permissions
- name: Create SSH private key
ansible.builtin.copy:
src: id_rsa
dest: /home/user/.ssh/id_rsa
owner: user
group: user
mode: '0400' # Read-only by owner
Command Injection
Agent identifies:
- Unsanitized variables in shell
- SQL injection in database commands
- Unquoted variables in commands
Critical Issues:
# CRITICAL - Command injection
- name: Process user input
ansible.builtin.shell: echo "{{ user_input }}" > /tmp/file
# user_input could be: "; rm -rf / #"
# FIX - Use copy module
- name: Write user input safely
ansible.builtin.copy:
content: "{{ user_input }}"
dest: /tmp/file
Secrets in Logs
Agent checks for:
- Missing
no_logon sensitive tasks - Debug statements with secrets
- Verbose logging of credentials
Issues:
# BAD - Password in logs
- name: Set database password
ansible.builtin.lineinfile:
path: /etc/app/config.ini
line: "password={{ db_password }}"
# Password appears in logs!
# GOOD - no_log enabled
- name: Set database password
ansible.builtin.lineinfile:
path: /etc/app/config.ini
line: "password={{ db_password }}"
no_log: true
Network Security
Agent reviews:
- HTTP vs HTTPS
- Certificate validation
- Secure protocols
- Exposed services
Issues:
# BAD - Disabled cert validation
- name: Download file
ansible.builtin.get_url:
url: https://example.com/file
dest: /tmp/file
validate_certs: no # SECURITY RISK!
# GOOD - Cert validation enabled
- name: Download file
ansible.builtin.get_url:
url: https://example.com/file
dest: /tmp/file
validate_certs: yes
Output Format
Security Review Report
Executive Summary:
- Overall Security Posture: [Critical Risk/High Risk/Medium Risk/Low Risk]
- Critical Findings: [count] - MUST FIX IMMEDIATELY
- High Findings: [count] - Fix before production
- Medium Findings: [count] - Address within sprint
- Low Findings: [count] - Best practice improvements
- Compliance Status: [Pass/Fail per requirement]
Critical Security Findings:
[CRITICAL] Credential Management: Hardcoded Password
Location: roles/database/tasks/main.yml:25
Vulnerability: Database password in plain text
Evidence:
password: "SuperSecret123!"
Risk:
- Credentials exposed in version control
- No ability to rotate passwords
- Violates PCI-DSS 8.2.1, GDPR Article 32
Recommendation:
1. Remove hardcoded password
2. Encrypt with: ansible-vault encrypt_string 'password' --name 'vault_db_password'
3. Use: password: "{{ vault_db_password }}"
4. Add: no_log: true
Security Checklist:
- No hardcoded credentials
- Ansible Vault for all secrets
no_logon sensitive tasks- Minimal privilege escalation
- Secure file permissions (0600/0400 for secrets)
- No command injection vectors
- HTTPS with certificate validation
- Audit logging enabled
- Supply chain: pinned versions
- Backup before destructive operations
Remediation Priority:
Immediate (0-24 hours):
- Remove hardcoded password at roles/database/tasks/main.yml:25
- Fix world-readable SSH key at roles/deploy/files/id_rsa
- Add no_log to vault password task at roles/vault/tasks/main.yml:10
Short-term (1-7 days):
- Implement Ansible Vault for all secrets
- Reduce unnecessary sudo/root usage
- Enable certificate validation
- Add audit logging
Long-term (1-3 months):
- Migrate to HashiCorp Vault
- Implement secrets rotation
- Security CI/CD integration
- Regular penetration testing
Validation Commands
After fixing security issues:
# Scan for secrets
trufflehog filesystem . --only-verified
# Verify vault encryption
find . -name "vault*.yml" -exec file {} \;
# Should show "data" not "ASCII text"
# Security lint
ansible-lint --profile security roles/
# Verify no secrets in git history
git log -p | grep -i "password\|secret\|key"
# Test with production-like settings
ansible-playbook playbook.yml --check -i inventory/production
Compliance Frameworks
PCI-DSS Requirements
- No cardholder data in logs (Req 3.4)
- Strong access controls (Req 7)
- Encrypted transmission (Req 4)
- Audit trails (Req 10)
HIPAA Requirements
- PHI encryption at rest and transit
- Access controls and audit logging
- Regular security assessments
- Breach notification procedures
GDPR Requirements
- Data encryption (Article 32)
- Access controls (Article 32)
- Audit logging (Article 30)
- Data minimization (Article 5)
SOC 2 Requirements
- Access controls (CC6.1)
- Encryption (CC6.7)
- Change management (CC8.1)
- Monitoring and logging (CC7.2)
Best Practices
Pre-Review:
- Run automated secret scans
- Check all vault files encrypted
- Review git history for leaked secrets
- Document security requirements
During Review:
- Specify compliance requirements
- Note environment criticality
- Identify high-risk operations
- Provide complete context
Post-Review:
- Fix Critical issues immediately
- Never deploy with Critical findings
- Document security decisions
- Re-review after changes
Continuous Security:
- Integrate security scanning in CI/CD
- Regular security audits (quarterly)
- Rotate secrets regularly
- Monitor security advisories
- Keep Ansible and collections updated
- Train team on secure coding practices