Thanks Duncan. That's pretty much the way we have our setup at the moment. There's an ssh key, and a sudo su command, and another ssh key passphrase to get past before anyone can run any playbooks. So I think that satisfies the two-factor authentication requirement for CDEs.
The problem I can see though, is that by necessity a handful of people are able to switch to the ansible user. Once they do that, they can hop onto any other machine as that user and do Terrible Things - and if all those people happened to be logged in to the ansible host at the same time, it would be difficult to identify with any certainty who had done what. And since the ansible host also manages itself, it would be reasonably easy to erase any audit logs on that machine as well, just for good measure. I'm pretty sure this would fail a PCI audit.
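The attribution gap described in the message above, as an added example that is not part of this thread or of Ansible itself: a small Python check run over constructed sudo and sshd syslog lines (the hostnames, usernames, PIDs and fingerprints are made up). It contrasts the `sudo su - ansible` pattern, where every operator who is holding an interactive shell as the shared account is an equally plausible actor behind anything the managed hosts log, with a sudoers rule that only permits `sudo -u ansible /usr/bin/ansible-playbook ...`, where each sudo line records who ran which playbook.

```python
"""Attribution check for a shared automation account, over sudo/sshd syslog lines.

Added example; every log line below is constructed, not taken from a real host.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Standard sudo syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# Commands that hand the caller an interactive identity rather than running one bounded job.
SHELLS = ("/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash", "/usr/bin/bash")

# Constructed: two operators both become the shared 'ansible' user via `sudo su - ansible`.
SHARED_SHELL_LOG = [
    "Mar  3 09:00:05 ansible01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su - ansible",
    "Mar  3 09:00:05 ansible01 su[2210]: (to ansible) alice on pts/0",
    "Mar  3 09:00:25 ansible01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su - ansible",
    "Mar  3 09:00:25 ansible01 su[2240]: (to ansible) bob on pts/1",
    # A managed host only ever sees 'ansible' arriving from the control host.
    "Mar  3 09:02:00 web01 sshd[880]: Accepted publickey for ansible from 10.0.0.10 port 40012 ssh2: RSA SHA256:c0nstructed",
]

# Constructed: same operators, but sudoers only lets them run ansible-playbook as 'ansible'.
PER_RUN_LOG = [
    "Mar  3 10:00:05 ansible01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=ansible ; COMMAND=/usr/bin/ansible-playbook site.yml --limit web01",
    "Mar  3 10:00:25 ansible01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=ansible ; COMMAND=/usr/bin/ansible-playbook db.yml --check",
    "Mar  3 10:02:00 web01 sshd[890]: Accepted publickey for ansible from 10.0.0.10 port 40020 ssh2: RSA SHA256:c0nstructed",
]


def parse_sudo(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo log line, or None if the line is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def shell_holders(lines: List[str], account: str = "ansible") -> Set[str]:
    """Operators who obtained an interactive shell as `account`.

    `sudo su - ansible` is logged with USER=root and COMMAND=/bin/su - ansible;
    `sudo -u ansible /bin/bash` is logged with USER=ansible and a shell as COMMAND.
    Everything these people do afterwards is logged as `account`, so all of them
    are candidates for every later action taken under that name.
    """
    holders: Set[str] = set()
    for line in lines:
        ev = parse_sudo(line)
        if not ev:
            continue
        argv = ev["cmd"].split()
        if argv and argv[0] in SHELLS and (ev["runas"] == account or account in argv):
            holders.add(ev["user"])
    return holders


def direct_runs(lines: List[str], account: str = "ansible") -> List[Tuple[str, str]]:
    """(operator, command) pairs for bounded commands run as `account` via sudo -u.

    The sudo line itself is the attribution record: who, and which playbook/args.
    """
    runs: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_sudo(line)
        if not ev or ev["runas"] != account:
            continue
        argv = ev["cmd"].split()
        if argv and argv[0] not in SHELLS:
            runs.append((ev["user"], ev["cmd"]))
    return runs


def is_attributable(lines: List[str], account: str = "ansible") -> bool:
    """True only if nobody held an interactive shell as `account`, i.e. every action
    taken as that account can be tied back to a sudo record naming the operator."""
    return not shell_holders(lines, account)


if __name__ == "__main__":
    for name, log in (("sudo su - ansible", SHARED_SHELL_LOG), ("sudo -u ansible ansible-playbook", PER_RUN_LOG)):
        print(f"{name}: shell holders={sorted(shell_holders(log))} "
              f"runs={direct_runs(log)} attributable={is_attributable(log)}")
```

The check only means anything if the sudo lines are shipped off the control host as they are written (syslog forwarding to a box the ansible user cannot reach), since on a self-managed control host the same people can delete them; note that with the shared-shell pattern the `su` and `sudo` lines are the only evidence that alice and bob were ever behind the account.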
