Increasing Ansible Security

Hands-On Lab

Length

00:30:00

Difficulty

Intermediate

Being able to use Ansible to secure your nodes is an in-demand skill, and knowing how to use playbooks for security is valuable knowledge: it is one of the objectives of the Red Hat Certified Ansible Specialist exam. In this hands-on lab, we will use several modules to secure your nodes in a reproducible manner. The lab is not meant to be an exhaustive treatment of security; instead, it showcases ways to improve your nodes' security. Note: Ansible has already been set up and configured on the control server and two nodes, which saves you time during the lab.

Increasing Ansible Security

Introduction

In this hands-on lab, we will use a playbook and assorted modules to increase the security of your Ansible nodes.

Note: Ansible has been set up and configured for your use.

Solution

To access the lab environment, log in to the control node as cloud_user, using the IP address and login information provided in the Credentials section of the hands-on lab page.

Sign onto the Ansible Control Node Server as cloud_user and Change to the ansible User

  1. Sign in to the server called Ansible Control Node as cloud_user, then change to the ansible user with the su - ansible command.

  2. We can use the following command to test whether Ansible is working:

    ansible all -m ping

Use an Ad-Hoc Ansible Command to Check the Uptime on All the Nodes

  3. Use an ad-hoc Ansible command to show the uptime on all of the servers:

    ansible all -a /usr/bin/uptime

Create a Playbook Called selinux.yml and Ensure That SELinux Is Enabled on All Nodes

  4. Use the selinux module and create a playbook called selinux.yml:

    vim selinux.yml

  5. Write the playbook so that it sets SELinux to the targeted policy in enforcing mode on all nodes:

    - hosts: all
      user: ansible
      become: yes
      gather_facts: no
      tasks:
        - name: Enable SELinux
          selinux:
            policy: targeted
            state: enforcing

  6. Save and exit.

  7. We can then clear the screen.

    Note: More information about the SELinux module can be found here: https://docs.ansible.com/ansible/latest/modules/selinux_module.html

Test the Playbook selinux.yml to Ensure It Works

  1. Run the playbook selinux.yml against all the nodes and ensure that there are no errors:

    ansible-playbook selinux.yml

Create a Playbook Called firewalld.yml and Verify the Installation of firewalld

  1. Create the firewalld.yml playbook that will install, enable, and start firewalld:

    vim firewalld.yml

    - hosts: all
      user: ansible
      become: yes
      gather_facts: no
      tasks:
        - name: Install firewalld
          yum: name=firewalld state=installed
        - name: Enable firewalld on system reboot
          service: name=firewalld enabled=yes
        - name: Start service firewalld, if not started
          service:
            name: firewalld
            state: started

  2. Save and exit.

  3. Run the playbook:

    ansible-playbook firewalld.yml

    Note: More information about the firewalld module can be found here: https://docs.ansible.com/ansible/latest/modules/firewalld_module.html?highlight=firewalld

Test the firewalld.yml Playbook and Verify Task Completion

  1. Test the playbook by confirming, on each of the nodes, that firewalld is installed, enabled and started:

    sudo systemctl status firewalld
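
A verification playbook that checks both outcomes of this lab on every node in one run, as an added example rather than one of the lab's own files (the file name verify-hardening.yml is assumed; it relies on the command, service_facts, set_fact and assert modules):

```yaml
# verify-hardening.yml (added example, not part of the lab): a read-only playbook
# that fails unless every node is in the state selinux.yml and firewalld.yml aimed for.
- hosts: all
  user: ansible
  become: yes
  gather_facts: no
  tasks:
    - name: Read the running SELinux mode
      command: getenforce
      register: selinux_mode
      changed_when: false            # read-only check, never reports "changed"

    - name: Read the SELinux mode configured for the next boot
      command: grep -E '^SELINUX=' /etc/selinux/config
      register: selinux_config
      changed_when: false
      failed_when: false             # a missing line is reported by the assert below

    - name: Collect the state of every system service
      service_facts:

    - name: Pick out the firewalld unit (empty dict if the package is missing)
      set_fact:
        firewalld_unit: "{{ ansible_facts.services['firewalld.service'] | default({}) }}"

    - name: Fail the run for any node that is not in the expected state
      assert:
        that:
          - selinux_mode.stdout == 'Enforcing'
          - selinux_config.stdout == 'SELINUX=enforcing'
          - firewalld_unit.state | default('') == 'running'
          - firewalld_unit.status | default('') == 'enabled'
        fail_msg: >-
          {{ inventory_hostname }}: SELinux is {{ selinux_mode.stdout }}
          ({{ selinux_config.stdout }}), firewalld is
          {{ firewalld_unit.state | default('not installed') }}/{{ firewalld_unit.status | default('n/a') }}
        success_msg: "{{ inventory_hostname }}: SELinux enforcing, firewalld enabled and running"
```

Run it with ansible-playbook verify-hardening.yml. A node that booted with SELinux disabled will show SELINUX=enforcing in the config but Disabled from getenforce, because the selinux module cannot switch the kernel out of disabled without a reboot; this check catches that gap.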

Conclusion

Congratulations! You've completed this hands-on lab.