Increasing Ansible Security

30 minutes
  • 6 Learning Objectives

About this Hands-on Lab

Being able to use Ansible to secure your nodes is an in-demand skill, and understanding how to use playbooks for security is excellent knowledge to have.

This value is shown by the fact that it is one of the objectives of the *Red Hat Certified Ansible Specialist* exam.

In this hands-on lab, we will make use of the various modules to help secure your nodes in a reproducible manner.

This hands-on lab is not meant to be an exhaustive example of security; instead, it showcases ways to enhance your nodes' security.

**Note:** Ansible has been set up and configured for use on the Control server and two nodes. This will save you time when doing the hands-on lab.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to the Ansible Control Node Server and Change to the `ansible` User
  1. Sign in to the Ansible Control Node server using the cloud_user credentials, and change to the ansible user.
  2. Test that Ansible is working:

    ansible all -m ping

    Note: It may take several minutes after the start of the lab for the test to work as expected.

Use an Ad Hoc Ansible Command to Check the Uptime on All the Nodes
  1. Show the uptime on all the servers:

    ansible all -a /usr/bin/uptime

Create a Playbook Called `selinux-check.yml` and Ensure SELinux Is Enabled on All Nodes
  1. Use the selinux module and create a playbook called selinux-check.yml:

    vim selinux-check.yml

  2. Write the playbook so that it ensures SELinux is installed and set to enabled on all the nodes.

Note: More information about the selinux module can be found here: https://docs.ansible.com/ansible/latest/modules/selinux_module.html

Test the Playbook `selinux-check.yml` to Ensure It Works
  1. Test the playbook selinux-check.yml against all the nodes and ensure there are no errors:

    ansible-playbook selinux-check.yml

Create a Playbook Called `firewalld.yml` and Verify the Installation of `firewalld`
  1. Use the firewalld module (and any other modules as required) in a playbook called firewalld.yml to ensure firewalld is installed, enabled, and started on all the nodes.

Note: More information about the firewalld module can be found here: https://docs.ansible.com/ansible/latest/modules/firewalld_module.html?highlight=firewalld

Test the `firewalld.yml` Playbook and Verify Task Completion
  1. Test the playbook and ensure that firewalld is installed, enabled, and started on each of the nodes:

    sudo systemctl status firewalld
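The following playbook is an added example, not the lab's own solution: its first play covers what `selinux-check.yml` should do and its second play what `firewalld.yml` should do (in the lab you would keep them as two files). It assumes RHEL/CentOS 7 style nodes; the `libselinux-python` package name differs on newer releases, and on Ansible 2.10+ the short module names resolve to the `ansible.posix` collection.

```yaml
---
# Play 1: equivalent of selinux-check.yml
- name: Ensure SELinux is installed and enforcing
  hosts: all
  become: true
  tasks:
    - name: Install the targeted policy and the Python bindings the selinux module needs
      package:
        name:
          - selinux-policy-targeted
          - libselinux-python      # python3-libselinux on RHEL 8+ (assumption about the distro)
        state: present

    - name: Set SELinux to enforcing with the targeted policy
      selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    # Going from disabled to enforcing only takes effect after a reboot;
    # the module reports this so the play can handle it explicitly.
    - name: Reboot when the SELinux change requires it
      reboot:
      when: selinux_result.reboot_required

# Play 2: equivalent of firewalld.yml
- name: Ensure firewalld is installed, enabled and running
  hosts: all
  become: true
  tasks:
    - name: Install firewalld
      package:
        name: firewalld
        state: present

    - name: Enable firewalld at boot and start it now
      service:
        name: firewalld
        state: started
        enabled: true

    - name: Keep SSH allowed in the default zone so Ansible can still reach the node
      firewalld:
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    - name: Fail the play if firewalld is not actually active
      command: systemctl is-active firewalld
      changed_when: false
```

Run it with `ansible-playbook security-baseline.yml` (a hypothetical file name); the final `command` task is the automated counterpart of the manual `systemctl status firewalld` check above.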

Additional Resources

You recently joined an organization, and find out that security on the servers could be better than it currently is. Your manager agrees and has tasked you with performing some security-related tasks on all the nodes under control of Ansible.

In this hands-on lab, we will make use of the various modules to help secure your nodes in a reproducible manner. This hands-on lab is not meant to be an exhaustive example of security; instead, it showcases a couple of items to enhance your nodes' security.

To summarize, perform the following security-related tasks:

  1. Find the uptime of all the Ansible nodes using an Ansible ad-hoc command.
  2. Create a playbook called selinux-check.yml and use it to check the status of SELinux on all the nodes. SELinux should be set to enforcing, so ensure every node ends up configured that way.
  3. Using a playbook called firewalld.yml, ensure that firewalld gets installed on all the nodes.

Here are some important things to consider when completing each task:

  • For your convenience, Ansible is already on the control node. If you connect to the server by clicking on the Public IP address in your browser, make sure to change to the ansible user with the su - ansible command.
  • The user ansible is present on all servers with appropriate shared keys for access to managed servers from the control node. Make sure to use this user to complete the commands.
  • The ansible user has the same password as cloud_user.
  • The default Ansible inventory has been configured for you with the appropriate hosts and groups.
  • /etc/hosts entries are present on control1 for the managed servers.
