Hi,

We have a Cardholder Data Environment which is in scope for PCI compliance, and we intend to manage the environment using Ansible.

I've read a few articles which suggest that using Ansible is a Good Thing for PCI compliance, as it keeps the environment consistent and prevents deviations from the desired state etc. However, section 8.5 of the (version 3.2) PCI DSS guidelines requires that:

* Generic user IDs are disabled or removed.
* Shared user IDs do not exist for system administration and other critical functions.
* Shared and generic user IDs are not used to administer any system components.

This conflicts with the way we (and I expect many other organisations) would normally use Ansible (i.e. with its own user account for ssh access to every managed host, with privileged access via sudo), since this provides generic administrative access to anyone who can su to the ansible user.

I've been trying to think of various ways to satisfy the PCI requirement, but I haven't managed to find anything that works yet. Some things I've considered:

* Disallow TTY allocation, so users can't log in to managed hosts after switching to the ansible user.
* Set a login shell to /bin/nologin or /bin/false on managed hosts.

Clearly Ansible requires an interactive login in order to function correctly.

Another approach might be to remove the ansible user altogether, and ensure individual user accounts have sufficient privileges to run ansible playbooks. This might be a viable solution, but I was also wondering if any other Ansible users have managed to find A Better Way, or approach things from a different angle?

Thanks,
Simon.
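The last alternative Simon floats (drop the shared `ansible` account and give each administrator their own account with sudo rights) can be expressed as a playbook. The following is an added example written for this page; it is not code from the original post or from the Ansible project. The host group `cde`, the group name `cde-admins`, the administrator `alice` and her key string are placeholders chosen here; `ansible.posix.authorized_key` assumes the `ansible.posix` collection is installed (it ships with the `ansible` package).

```yaml
---
# Added example: replace a shared automation account with named
# administrator accounts that escalate through sudo.
# Run this as one of the named administrators (e.g. "-u alice -K"),
# not as the "ansible" account, since the final task removes it.
- name: Replace the shared ansible account with individual admin accounts
  hosts: cde                      # placeholder inventory group
  become: true
  vars:
    admins:                       # constructed sample data
      - name: alice
        key: "ssh-ed25519 AAAA...placeholder... alice@example"

  tasks:
    - name: Ensure the administrators' group exists
      ansible.builtin.group:
        name: cde-admins
        state: present

    - name: Create one account per administrator (no generic account)
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: cde-admins
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ admins }}"

    - name: Install each administrator's own SSH public key only
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
        exclusive: true           # drop any keys not listed above
      loop: "{{ admins }}"

    - name: Grant sudo to the group, password required, checked by visudo
      ansible.builtin.copy:
        dest: /etc/sudoers.d/cde-admins
        content: |
          %cde-admins ALL=(root) ALL
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Remove the shared ansible account and its home directory
      ansible.builtin.user:
        name: ansible
        state: absent
        remove: true
```

With `remote_user` left unset in `ansible.cfg`, Ansible connects as the login name of the person running the playbook, so every SSH session and every `sudo` invocation is recorded on the managed host against a named individual rather than a generic account. Because the sudoers rule has no `NOPASSWD`, the run needs `--ask-become-pass` (or `become_ask_pass = True`), which also means a stolen SSH key alone does not grant root.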
