Richard Chamberlain

Posted on Oct 20

Getting Started with Ansible: Automation Meets Cybersecurity

#linux #ansible #cybersecurity #automation

Ansible Setup

In this article, I will walk you through setting up the Ansible Control server.

In future articles,we will create Ansible playbooks to deploy Zero Trust Access (ZTA) principles across my home lab environment.

So, what exactly is Ansible?

Table of content:

What is Ansible
The Chicken-and-Egg Problem
Building the Control Server
Getting Hostnames Using Ansible

What is Ansible

Ansible is an automation tool used to execute tasks on remote servers. It relies on YAML-formatted files, known as Playbooks, to define these tasks, which are then pushed and executed on the remote servers using SSH.

At its core, a Playbook is a simple list of tasks that are run against a set of servers by a specified user.

Where to Start: The Chicken-and-Egg Problem

Setting up the Ansible Control server with Zero Trust Access (ZTA) in mind requires a few additional steps:

Creating a VLAN for the Ansible server
Configuring the network settings on the Ansible server
Setting firewall rules to allow access
Creating and managing users for the Ansible server
And a few other tasks along the way

The big question is: Do I set everything up manually, including ZTA changes, or do I first set up a basic Ansible server and use it to automate the migration to a ZTA model?

Time to build

Building the Control Server

I have decided to go with the latter approach since it aligns with the philosophy of building cybersecurity into the process from the start. Here is how I set up the Ansible Control server on a fresh installation of Oracle Linux 9.

Step 1: Install Ansible on Oracle Linux 9

First, ensure your system is up to date:

# Check for updates first  
sudo dnf update

Next, install Ansible:

# Install Ansible  
sudo dnf install ansible

To confirm the installation, run the following command:

# Test if Ansible is installed  
ansible

Step 2: Add an Ansible Admin User

We need to create an admin user for Ansible:

# Create a user with sudo privileges for Ansible on remote servers
sudo useradd ansible_admin

Step 3: Grant Sudo Access to the Ansible User

To allow the ansible_admin user to run commands with sudo privileges without entering a password, we will modify the sudoers file. Depending on the system, hereis where you can find the file:

OPNsense: /usr/local/etc/sudoers
RHEL, Debian: /etc/sudoers

Add the following line near the bottom of the file:

## Grant sudo access without a password to the Ansible user  
ansible_admin ALL=(ALL) NOPASSWD: ALL

Note:

In the future, I'll be setting up multiple Ansible users with more granular permissions to enhance server security.

4: Create the Ansible Hosts File

The Ansible hosts file defines the servers you want to manage. There are several places where you can store this file, but I'll use the main configuration:

# Edit the main hosts file  
sudo nano /etc/ansible/hosts

Below is the content I used for my setup:

[firewall]  
# OPNsense Firewall  
Firewall  

[proxmox]  
# Proxmox VE and Backup Server  
PVE  
PBS  

[nas]  
# Orange Pi NAS  
NAS  

[ansible_node]  
# Local Control Node  
control_node

Now That the Build is Complete, Let's Test It Out

Getting Hostnames Using Ansible

With Ansible installed and the servers configured, let's test it by running a simple playbook that gathers the hostname and OS type from all the connected servers.

Step 1: Create the Ansible Playbook

Start by creating a new file called system_info.yml:

   nano system_info.yml

Add the following lines to the file and save:

   ---  
   - name: Gather hostname and OS type from all hosts  
     hosts: all  
     gather_facts: yes  
     tasks:  
       - name: Get hostname and OS type  
         ansible.builtin.debug:  
           msg: "Host: {{ ansible_hostname }}, OS: {{ ansible_os_family }}"

Step 2: Run the Playbook

To execute the playbook, use the following command:

ansible-playbook system_info.yml

Step 3: Review the Output

Ansible can be quite verbose, but the key part of the output will look like this:

TASK [Get hostname and OS type] **********************************************************************************************************************************************
ok: [firewall] => {  
    "msg": "Host: firewall, OS: FreeBSD"  
}  
ok: [pve] => {  
    "msg": "Host: pensask, OS: Debian"  
}  
ok: [pbs] => {  
    "msg": "Host: bkp1, OS: Debian"  
}  
ok: [ansible] => {  
    "msg": "Host: stock, OS: RedHat"  
}  
ok: [samba] => {  
    "msg": "Host: orangepi5plus, OS: Debian"  
}

Step 4: Final Thoughts

Some of the hostnames could use a bit of work, but no worries-Ansible can help streamline those details later. This playbook confirms that the servers are reachable and that Ansible is properly configured to gather system information from all the hosts.

With Ansible up and running, the next step is to start adding additional layers of security to the remote servers using Ansible. Stay tuned-there's more to come!

Ansible is a powerful automation tool that simplifies complex tasks, making server management more efficient. If you had an automation tool like Ansible, what tasks would you automate?

DEV Community