Ansible – Managing /etc/security/access.conf

ansiblelinuxpam

New to Ansible and have several machines which make use of the pam_access module which is configured in /etc/security/access.conf. Multiple lines specifying ALLOW/DENY (+/-) and then either users or groups along with src IP addresses to match.

What's a cleaner way to manage this file in Ansible?

The file /etc/security/access.conf looks something like this:

+ : root     : cron crond :0 ttyS0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root     : 10.137.198.176
+ : inventory: 10.137.198.25
+ : sysadmin : 10.137.198.202
- : ALL : ALL

Most machines will employ this base ACL and then other groups or users may be added as need be. Web devs login over SFTP on two of the web servers so an ACL would be inserted for that group (before the - : ALL : ALL line) like so:

+ : webdev   : 10.137.198.0/24
- : ALL : ALL

Some web servers also run passenger. The developers for these systems push out code as the passenger user, so this user is allowed from the dev LAN, but this is not on all web servers.

+ : passenger: 10.137.197.0/24
- : ALL : ALL

The rules become quite specific for each machine and I don't see an easy way of managing this file. I started with the playbook and group_vars below which sort of works but having multiple definitions for the same machine needs help. Probably an array definition for line: in the playbook is needed and looking into that.

Also, this model would require re-writing the file every time since removing a host from group_vars doesn't remove the entry from access.conf. The only states for lineinfile are absent or present. I need a state called add_line_if_missing_remove_if_absent_from_vars. Is there a better way?

- hosts: all
  vars_files:
    - ../group_vars/test-etc-security-access-conf.yml
  gather_facts: false

  tasks:
    - name: "Set up /etc/security/access.conf for {{ inventory_hostname }}"
      when: inventory_hostname is match (item.name)
      lineinfile:
        dest  : /tmp/access.conf
        regexp: '{{ item.regexp }}'
        line: '{{ item.line }}'
      with_items: "{{ access_rules }}"

group_vars – got to be a better way:

access_rules:
  - name: 10.137.1.66
    regexp: '.*passenger.*'
    line: '+ : passenger : 10.137.10.0/24'

  - name: 10.137.1.66
    regexp: '.*webdev.*'
    line: '+ : webdev : 10.137.198.0/24'

Best Answer

This is what I ended up using. Maybe it will be useful to someone else. The playbook will apply a base ACL to every host and then look for an additional ACL under the directory {{ acl_dir }} with the name of the current host being provisioned. If this exists, it gets applied. Finally, the default deny rule is appended last.

I thought a comment at the beginning of the file would be nice to have noting when the file was last updated. gather_facts adds a lot of execution time so opted for the shell: command to get the date instead.

---
- hosts: all
  vars:
    dest_file: /etc/security/access.conf
    base_acl : base
    acl_dir  : ../group_vars/pam_access
  gather_facts: false

  tasks:
    - name: "Empty existing ACL and replace with base ACL"
      copy:
        content: ""
        dest   : "{{ dest_file }}"
        owner  : root
        group  : root
        mode   : 0644

    - name: "Get current date from shell rather than wait for gather_facts"
      shell: date '+%Y-%m-%d'
      register: date_now

    - name: "Add ansible header with modified date to beginning of file"
      copy:
        content: "# updated via ansible on {{ date_now.stdout }} by {{ lookup ('env', 'LOGNAME') }}"
        dest: "{{ dest_file }}"
        owner  : root
        group  : root
        mode   : 0644

    - name: "Add base ACL {{ acl_dir }}/base to {{ inventory_hostname }}"
      lineinfile:
        dest: "{{ dest_file }}"
        line: "{{ lookup ('file', '{{ acl_dir }}/{{ base_acl }}') }}"

    - name: "Check for additional ACL {{ acl_dir }}/{{ inventory_hostname }}..."
      stat:
        path  : "{{ acl_dir }}/{{ inventory_hostname }}"
      register: host_acl

    - name: "Add host specific ACL from {{ acl_dir }}/{{ inventory_hostname }}"
      when: host_acl.stat.exists
      lineinfile:
        dest: "{{ dest_file }}"
        line: "{{ lookup ('file', '{{ acl_dir }}/{{ inventory_hostname }}') }}"

    - name: "Add default DENY as last ACL as a security precaution"
      lineinfile:
        dest: "{{ dest_file }}"
        line: "- : ALL : ALL"

base ACL:

+ : root     : cron crond :0 ttyS0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root     : 10.137.198.176
+ : inventory: 10.137.198.25
+ : sysadmin : 10.137.198.202

additional host ACL named websrv01.mydom.com:

+ : webdev   : 10.137.198.0/24
+ : passenger: 10.137.197.0/24

Related Solutions

Security – How to implement ansible with per-host passwords, securely

You've certainly done your research...

From all of my experience with ansible what you're looking to accomplish, isn't supported. As you mentioned, ansible states that it does not require passwordless sudo, and you are correct, it does not. But I have yet to see any method of using multiple sudo passwords within ansible, without of course running multiple configs.

So, I can't offer the exact solution you are looking for, but you did ask...

"So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security."

I can give you one view on that. My use case is 1k nodes in multiple data centers supporting a global SaaS firm in which I have to design/implement some insanely tight security controls due to the nature of our business. Security is always balancing act, more usability less security, this process is no different if you are running 10 servers or 1,000 or 100,000.

You are absolutely correct not to use root logins either via password or ssh keys. In fact, root login should be disabled entirely if the servers have a network cable plugged into them.

Lets talk about password reuse, in a large enterprise, is it reasonable to ask sysadmins to have different passwords on each node? for a couple nodes, perhaps, but my admins/engineers would mutiny if they had to have different passwords on 1000 nodes. Implementing that would be near impossible as well, each user would have to store there own passwords somewhere, hopefully a keypass, not a spreadsheet. And every time you put a password in a location where it can be pulled out in plain text, you have greatly decreased your security. I would much rather them know, by heart, one or two really strong passwords than have to consult a keypass file every time they needed to log into or invoke sudo on a machine.

So password resuse and standardization is something that is completely acceptable and standard even in a secure environment. Otherwise ldap, keystone, and other directory services wouldn't need to exist.

When we move to automated users, ssh keys work great to get you in, but you still need to get through sudo. Your choices are a standardized password for the automated user (which is acceptable in many cases) or to enable NOPASSWD as you've pointed out. Most automated users only execute a few commands, so it's quite possible and certainly desirable to enable NOPASSWD, but only for pre-approved commands. I'd suggest using your configuration management (ansible in this case) to manage your sudoers file so that you can easily update the password-less commands list.

Now, there are some steps you can take once you start scaling to further isolate risk. While we have 1000 or so nodes, not all of them are 'production' servers, some are test environments, etc. Not all admins can access production servers, those than can though use their same SSO user/pass|key as they would elsewhere. But automated users are a bit more secure, for instance an automated tool that non-production admins can access has a user & credentials that cannot be used in production. If you want to launch ansible on all nodes, you'd have to do it in two batches, once for non-production and once for production.

We also use puppet though, since it's an enforcing configuration management tool, so most changes to all environments would get pushed out through it.

Obviously, if that feature request you cited gets reopened/completed, what you're looking to do would be entirely supported. Even then though, security is a process of risk assessment and compromise. If you only have a few nodes that you can remember the passwords for without resorting to a post-it note, separate passwords would be slightly more secure. But for most of us, it's not a feasible option.

Ansible repeating roles

the most obvious answer - use complex variables (dictionaries) to hold your values, and then pass entire variable:

- layouts:
  - layout1:
      vhost: host1.com
      db: customdb
  - layout2:
      vhost: other.com

then use those to pass over to roles:

- hosts: dbservers
  roles:
  - { role: database, layout: layouts.layout1 }
  - { role: database, layout: layouts.layout2 }

- hosts: webservers
  roles:
  - { role: webserver, layout: layouts.layout1 }
  - { role: webserver, layout: layouts.layout2 }

I've done this successfully in the past. To populate layouts you can use various techniques: combining "group_vars/all" with "vars_files" with "host_vars" etc.

Best Answer

Related Solutions

Security – How to implement ansible with per-host passwords, securely

Ansible repeating roles

Related Topic