Red Hat SummitImprove the security of nodes managed by Ansible Automation Platform
Ansible Automation Platform is an agentless technology that relies on making a remote connection to the devices it manages, called managed nodes, to run automation tasks.
Any recommendations on managed node configuration presented here must be thoroughly tested and reviewed before implementation to ensure that they meet organizational policies and requirements.
Red Hat Enterprise Linux managed node configuration
The following section provides guidance for Red Hat Enterprise Linux (RHEL) managed nodes, but the concepts may be applicable to other Linux distributions as well.
Examples are provided for manual configuration of RHEL managed nodes. These steps can also be automated with Ansible Automation Platform, or they can be added to a Standard Operating Environment (SOE) or "golden image" created with a tool such as the Red Hat Lightspeed image builder.
Create a dedicated service account with access limits
Ansible Automation Platform can be configured to use various users or accounts for connecting to managed nodes.
Create a single, dedicated service account for this purpose. This service account must be a local account on each managed node to ensure automation jobs continue to run, even if an external authentication mechanism experiences an outage. This recommendation applies unless organizational policy mandates centrally managed service accounts. The service account must be clearly named to indicate its purpose, for instance, ansible or aapsvc.
"Ansible" is used here as the assumed name for a local service account in the examples.
The local service account is configured as follows:
- It is granted sufficient privileges to run any automation job required.
- It is limited to SSH key authentication only. No password authentication is allowed.
- Access is only granted to connections made from the Ansible Automation Platform {ControllerNames}s and execution nodes.
Note To execute tasks in an Ansible playbook or job template as a user other than the service account, use the
becomeandbecome_userkeywords. Connecting to the managed node as a different user is not necessary. - The
useraddcommand can be used to create a local service account. For example:
sudo useradd ansible \
--system --create-home \
--comment "Ansible Automation Platform service account"Configure sudo privileges for service account
The service account requires sufficient privileges to run any current or future automation job on the managed node. This section describes the use of sudo, though other privilege escalation methods are available.
About this task
Since Ansible Automation Platform defaults to using the ansible.builtin.sudobecome plugin on Linux-based managed nodes, the service account must be permitted to run any command on the RHEL managed node using the sudo command.
To configure this, use the following procedure:
Procedure
Require SSH key authentication for service account
The service account must not be permitted to use password authentication with SSH connections to the managed node.
About this task
Given that password authentication is prohibited, at least one SSH public key must be appended to the service account’s authorized_keys file (typically located at /home/ansible/.ssh/authorized_keys).
These public keys must correspond with the private keys used to establish Machine credentials in Ansible Automation Platform, as these credentials facilitate connections to the RHEL managed nodes.
This section advocates for a single service account for connections to managed RHEL nodes, but this does not mean using a single SSH key across all nodes is required. In larger organizations, individual teams managing RHEL servers can generate their own machine credentials within Ansible Automation Platform. Teams can then add the corresponding keys to the authorized keys file on their specific RHEL servers. This approach ensures consistent access to managed nodes organization-wide by using a common service account, while enabling each team to independently manage the credentials for their assigned nodes.
Use the following procedure to configure the SSH daemon:
Procedure
Enable and configure pam_access controls for service accounts
To restrict remote login access to connections originating from the Ansible Automation Platform automation controller and execution nodes and ensure the service account is exclusively used by Ansible Automation Platform, use the following procedure:
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}