Ansible Config Exposure
Description
Detects publicly accessible Ansible configuration files (typically ansible.cfg served from a web root). Such a file reveals how the control node reaches its managed hosts: inventory locations, the remote and become users, and the paths of the SSH private key and Vault password file.
Remediation
To remediate an Ansible configuration exposure, follow these steps:
- Locate the exposed file (typically ansible.cfg; inventory files, group_vars/host_vars and vault files are often deployed beside it) and remove it from the web-served directory, or deny it at the web server. Tightening filesystem permissions (e.g., chmod 600 ansible.cfg) protects the file from other local users but does not help while the web server process can still read and serve it.
- Treat every secret the file points at as compromised and rotate it: the SSH key named in private_key_file, the password in the file named by vault_password_file (re-key the affected vaults), and any credentials for the hosts, inventory sources or become users it reveals.
- Use Ansible Vault to encrypt sensitive variables and files, or store secrets in a dedicated secrets management tool, and keep vault password files outside both the repository and the web root.
- Review and update .gitignore (or the equivalent for your version control system) so sensitive files such as vault password files, private keys and local inventories are never committed.
- Implement access controls and audit logs to monitor access to Ansible configurations and sensitive data.
- Regularly review and audit your Ansible playbooks and roles for hard-coded sensitive data and remove it.
- Conduct security training for team members to prevent future misconfigurations or exposures.
- If using a public repository, consider making it private, or ensure no sensitive data is pushed to it.
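The triage logic below is an added example, not Escape's own implementation of this check. It takes the body of an HTTP response for a candidate path such as /ansible.cfg, accepts it as an Ansible configuration only if it parses as INI and contains section headers that Ansible defines (which filters out custom "not found" pages returned with HTTP 200), and lists the settings that tell an attacker where credentials live and therefore what must be rotated. The two response bodies and the list of sensitive keys are constructed for this example.

```python
"""Triage a suspected ansible.cfg exposure (added example, not Escape's code)."""
import configparser
from typing import Dict, Optional

# Section names that ansible.cfg defines; an HTML page or generic text file
# served in place of the config will not contain any of them.
ANSIBLE_SECTIONS = {
    "defaults", "privilege_escalation", "ssh_connection", "inventory",
    "persistent_connection", "galaxy", "colors", "diff", "paramiko_connection",
}

# Settings that point at secrets or describe how the control node reaches
# its managed hosts. This list is an assumption made for this example.
SENSITIVE_KEYS = {
    "defaults": {"private_key_file", "vault_password_file",
                 "vault_identity_list", "remote_user", "inventory", "log_path"},
    "privilege_escalation": {"become_user", "become_method"},
    "ssh_connection": {"ssh_args", "control_path"},
}

# Constructed sample: an ansible.cfg left inside the document root.
SAMPLE_EXPOSED = """\
# deployment config (constructed sample)
[defaults]
inventory = ./inventories/production/hosts
remote_user = deploy
private_key_file = ~/.ssh/deploy_ed25519
vault_password_file = ~/.vault_pass.txt
host_key_checking = False

[privilege_escalation]
become = True
become_method = sudo
become_user = root
"""

# Constructed sample: a custom "not found" page served with HTTP 200.
SAMPLE_SOFT_404 = "<html><body><h1>Not found</h1></body></html>"


def parse_ansible_config(body: str) -> Optional[configparser.ConfigParser]:
    """Return a parser for BODY if it looks like an ansible.cfg, else None."""
    # interpolation=None keeps '%' in values literal; strict=False tolerates
    # duplicate keys, which hand-edited configs sometimes contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(body)
    except configparser.Error:
        # Not INI at all, e.g. an HTML body with no section header.
        return None
    if not ANSIBLE_SECTIONS & set(parser.sections()):
        return None
    return parser


def is_ansible_config(body: str) -> bool:
    """True when BODY parses as INI and uses at least one Ansible section."""
    return parse_ansible_config(body) is not None


def sensitive_findings(body: str) -> Dict[str, str]:
    """Map 'section.key' -> value for every sensitive setting present in BODY."""
    parser = parse_ansible_config(body)
    if parser is None:
        return {}
    findings: Dict[str, str] = {}
    for section, keys in SENSITIVE_KEYS.items():
        if not parser.has_section(section):
            continue
        for key in sorted(keys):
            if parser.has_option(section, key):
                findings[f"{section}.{key}"] = parser.get(section, key)
    return findings


if __name__ == "__main__":
    for label, body in (("exposed", SAMPLE_EXPOSED), ("soft-404", SAMPLE_SOFT_404)):
        print(f"{label}: ansible config = {is_ansible_config(body)}")
        for setting, value in sensitive_findings(body).items():
            print(f"  {setting} = {value}")
```

Each entry in the findings is a rotation or clean-up action: a private_key_file path means the key it names must be replaced, a vault_password_file path means the affected vaults must be re-keyed, and remote_user together with become_user tells you which accounts on the managed hosts to review for misuse.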
Configuration
Identifier:
information_disclosure/ansible_config_exposure
Examples
Ignore this check
checks:
  information_disclosure/ansible_config_exposure:
    skip: true
Score
- Escape Severity: MEDIUM
Compliance
OWASP: API8:2023
pci: 2.2.2
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.12.6
nist: SP800-123
fedramp: AC-6
Classification
- CWE: 200