Thank you for the links! It's not exactly what I was looking for, but it's very useful anyway. My question is whether there are other bad practices that are more related to infrastructure-as-code scripts or to Ansible playbooks. Is there any kind of special care we should take when working with this kind of code, or is it just the same as for general web applications?
On Sunday, 19 July 2020 at 04:32:20 UTC-3, Vladimir Botka wrote:
> On Sat, 18 Jul 2020 20:50:39 -0700 (PDT)
> Lucas Augusto Mota de Alcantara <[email protected]> wrote:
>
> > is there any specific material available, especially to the newcomers,
> > talking about bad practices, especially the ones that can lead to security
> > weaknesses.
>
> See the links which address the weaknesses listed in the paper
>
> * admin by default
>   "Understanding privilege escalation"
>   https://docs.ansible.com/ansible/latest/user_guide/become.html#understanding-privilege-escalation-become
>
> * empty password; hard-coded secret
>   "Ansible Vault"
>   https://docs.ansible.com/ansible/latest/user_guide/vault.html#ansible-vault
>
> * invalid IP address binding
>   "ipaddr filter"
>   https://docs.ansible.com/ansible/devel/user_guide/playbooks_filters_ipaddr.html#ipaddr-filter
>
> * suspicious comment
>   "Ansible Lint"
>   https://docs.ansible.com/ansible-lint/#ansible-lint-documentation
>
> * use of HTTP without TLS
>   "Connection Plugins"
>   https://docs.ansible.com/ansible/latest/plugins/connection.html#connection-plugins
>
> * and use of weak cryptography algorithms
>   "OpenSSH"
>   https://www.openssh.com/
>
> Then you might want to proceed to "SCAP"
> https://www.open-scap.org/security-policies/scap-security-guide/
>
> --
> Vladimir Botka
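As an added illustration of the weakness classes Vladimir's links address (this is not part of the thread, not Ansible's or ansible-lint's code): a small line-based checker run over two constructed playbooks, one showing each smell and one with each smell fixed the way the linked docs suggest (vaulted secrets, `become` only on the task that needs it, the `ipaddr` filter for the bind address, HTTPS with certificate validation, a modern key exchange). The hostnames, variable names and vault body are made up for the example, and `ansible.utils.ipaddr` is assumed to be the collection-qualified name of the `ipaddr` filter in current Ansible releases. The patterns are deliberately simple teaching checks, not a substitute for ansible-lint.

```python
import ipaddress
import re

# Constructed sample: one play exhibiting each smell named in the thread.
WEAK_PLAYBOOK = """\
- hosts: webservers
  remote_user: root
  become: yes
  vars:
    db_password: ""
    api_token: sk-live-abc123
    listen_addr: 0.0.0.0
    ssh_kex: diffie-hellman-group1-sha1
  tasks:
    # FIXME: auth check disabled, it breaks in prod
    - name: fetch installer
      get_url:
        url: http://example.internal/installer.sh
        dest: /tmp/installer.sh
"""

# Constructed sample: the same play with each smell addressed.  The vault
# body is placeholder hex, not real Ansible Vault ciphertext.
HARDENED_PLAYBOOK = """\
- hosts: webservers
  remote_user: deploy
  vars:
    db_password: "{{ vault_db_password }}"
    api_token: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      36353235303661316235663336343330
    listen_addr: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr }}"
    ssh_kex: curve25519-sha256
  tasks:
    - name: fetch installer
      become: yes
      get_url:
        url: https://example.internal/installer.sh
        dest: /tmp/installer.sh
        validate_certs: yes
"""

KEY_VALUE = re.compile(r"^\s*(?:-\s+)?(?P<key>[A-Za-z_][\w.]*)\s*:\s*(?P<val>.*)$")
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
SAFE_VALUE = re.compile(r"^(\{\{.*\}\}|!vault\b.*)$")  # templated or vaulted value
HTTP_URL = re.compile(r"\bhttp://", re.I)
WEAK_CRYPTO = re.compile(r"\b(md5|sha1|rc4|arcfour|3?des)\b", re.I)
SUSPICIOUS = re.compile(r"\b(todo|fixme|hack|bug|workaround|insecure)\b", re.I)


def _split_comment(line):
    """Return (code, comment); '#' opens a comment only at line start or after whitespace."""
    m = re.search(r"(^|\s)#(.*)$", line)
    if not m:
        return line, None
    return line[: m.start()].rstrip(), m.group(2)


def _unquote(val):
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
        return val[1:-1]
    return val


def check_playbook(text):
    """Scan playbook text line by line; return [(line_number, smell), ...]."""
    findings = []
    in_tasks = False  # play-level 'become' is the smell; task-level is fine
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, comment = _split_comment(raw)
        if comment is not None and SUSPICIOUS.search(comment):
            findings.append((lineno, "suspicious comment"))
        m = KEY_VALUE.match(code)
        if not m:
            continue
        key, val = m.group("key"), _unquote(m.group("val"))
        if key == "tasks":
            in_tasks = True
        if key in ("remote_user", "ansible_user") and val == "root":
            findings.append((lineno, "admin by default"))
        if key == "become" and not in_tasks and val.lower() in ("yes", "true"):
            findings.append((lineno, "admin by default"))
        if SECRET_KEY.search(key):
            if val == "":
                findings.append((lineno, "empty password"))
            elif not SAFE_VALUE.match(val):
                findings.append((lineno, "hard-coded secret"))
        try:
            if ipaddress.ip_address(val).is_unspecified:  # 0.0.0.0 or ::
                findings.append((lineno, "invalid IP address binding"))
        except ValueError:
            pass  # not an IP literal
        if HTTP_URL.search(val):
            findings.append((lineno, "use of HTTP without TLS"))
        if WEAK_CRYPTO.search(val):
            findings.append((lineno, "use of weak cryptography algorithms"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PLAYBOOK), ("hardened", HARDENED_PLAYBOOK)):
        print(f"{label}: {check_playbook(text) or 'no findings'}")
```

Running it reports eight findings for the weak play (two for admin by default, one each for the rest) and none for the hardened one. The "empty password" and "hard-coded secret" checks deliberately accept only templated (`{{ ... }}`) or `!vault` values, which is the shape Ansible Vault leaves in a playbook.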
