Hi all,
I’m looking for a way to enforce restrictions on what operations Ansible is allowed to execute on target nodes, and prevent certain potentially dangerous or unauthorized operations (shell commands or other Python-based task operations) from being run, even if they are included in a playbook or role.
What I’ve tried so far:
- sudoers or shell wrappers etc.: Ansible uses temporary Python files and modules to execute tasks, which makes this option not work at all. Temporary files bypass traditional command auditing or whitelisting mechanisms.
- whitelisting command patterns (in ssh), like:
'/bin/sh -c '"'"'/usr/bin/python /home/USERNAME/.ansible/tmp/ansible-tmp-NUM.NUM-NUM-NUM/AnsiballZ_TASKNAME.py && sleep 0'"'"''
- This still doesn’t solve the discoverability issue, as the actual commands / operations inside these Python files do not undergo any filter.
Is there a way to intercept or filter commands before Ansible executes them?
Can I hook into Ansible’s execution pipeline to validate or block certain commands / operations?
Are there any plugins, modules, or best practices for enforcing command-level policies?
Or is command-level filtering not recommended, and in that case what Ansible-compatible security restrictions exist?
Any ideas, or examples would be appreciated!
Thanks in advance,
Gunjan
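One way to get a "validate before execute" hook without wrapping the SSH command line is to gate the playbook itself: parse it on the control node and refuse to run it if any task invokes a module from a deny list. The checker below is an added example written for this thread; it is not part of the original post and not Ansible's own code. The deny list, the function names, and the sample playbook (embedded as JSON, which is also valid YAML, so the block runs without PyYAML) are all assumptions made for illustration. It deliberately reports two kinds of result: tasks that are denied outright, and tasks it cannot see into (roles, include/import tasks) so that a policy gate can fail closed rather than silently miss them, which is the discoverability gap described above.

```python
"""Static pre-execution policy gate for Ansible playbooks (added example).

Walks a parsed playbook, flattens block/rescue/always, resolves the module
each task invokes (plain `shell:`, `action:`/`local_action:` string or dict
forms, and collection-qualified names such as ansible.builtin.shell) and
reports tasks whose module is on an assumed deny list. Tasks whose content
lives elsewhere (roles, include/import) are reported as unverifiable.
"""
import json
import sys

try:
    import yaml  # optional: used for real YAML playbooks when installed
except ImportError:  # pragma: no cover
    yaml = None

# Assumed policy: modules that hand arbitrary commands to the target.
DENIED_MODULES = {"shell", "command", "raw", "script"}
# Modules whose real content is in another file and cannot be checked here.
OPAQUE_MODULES = {"include_tasks", "import_tasks", "include_role",
                  "import_role", "include"}
# Task keys that are directives, not module names.
TASK_KEYWORDS = {
    "name", "when", "loop", "with_items", "register", "become", "become_user",
    "tags", "vars", "notify", "changed_when", "failed_when", "ignore_errors",
    "delegate_to", "environment", "args", "no_log", "until", "retries",
    "delay", "run_once", "any_errors_fatal", "loop_control", "action",
    "local_action", "block", "rescue", "always",
}
BLOCK_KEYS = ("block", "rescue", "always")
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def load_playbook(text):
    """Parse playbook text with PyYAML when available, else as JSON."""
    if yaml is not None:
        return yaml.safe_load(text)
    return json.loads(text)


def short_name(module):
    """Strip a collection prefix: ansible.builtin.shell -> shell."""
    return module.rsplit(".", 1)[-1]


def iter_tasks(tasks):
    """Flatten block/rescue/always so every yielded task is a leaf task."""
    for task in tasks or []:
        if any(key in task for key in BLOCK_KEYS):
            for key in BLOCK_KEYS:
                yield from iter_tasks(task.get(key))
        else:
            yield task


def task_module(task):
    """Return the module a leaf task invokes, or None if it cannot be told."""
    for key in ("action", "local_action"):
        spec = task.get(key)
        if isinstance(spec, str):          # action: shell echo hi
            return spec.split(None, 1)[0]
        if isinstance(spec, dict) and "module" in spec:
            return spec["module"]          # action: {module: shell, cmd: ...}
    for key in task:                       # plain form: shell: echo hi
        if key not in TASK_KEYWORDS:
            return key
    return None


def check_playbook(playbook):
    """Return {"denied": [...], "unverifiable": [...]} as (play, task, module)."""
    denied, opaque = [], []
    for play in playbook:
        play_name = play.get("name", "<unnamed play>")
        if play.get("roles"):  # role contents are not inspected here
            opaque.append((play_name, "roles", ",".join(map(str, play["roles"]))))
        for section in PLAY_TASK_KEYS:
            for task in iter_tasks(play.get(section)):
                name = task.get("name", "<unnamed task>")
                module = task_module(task)
                if module is None:
                    opaque.append((play_name, name, "<unknown module>"))
                elif short_name(module) in DENIED_MODULES:
                    denied.append((play_name, name, module))
                elif short_name(module) in OPAQUE_MODULES:
                    opaque.append((play_name, name, module))
    return {"denied": denied, "unverifiable": opaque}


# Constructed sample playbook (JSON syntax, which YAML also accepts).
SAMPLE_PLAYBOOK = """
[
  {"name": "web", "hosts": "webservers", "roles": ["common"],
   "tasks": [
     {"name": "install nginx", "ansible.builtin.apt": {"name": "nginx", "state": "present"}},
     {"name": "clear cache", "ansible.builtin.shell": "echo clearing"},
     {"name": "legacy", "action": "command /usr/bin/true"},
     {"name": "grouped", "block": [
        {"name": "raw ping", "raw": "uptime"},
        {"name": "copy", "copy": {"src": "a", "dest": "/tmp/a"}}
     ]},
     {"name": "extra", "include_tasks": "more.yml"}
   ]}
]
"""


def main(argv):
    """CLI: gate.py playbook.yml -> exit 1 if anything is denied or unverifiable."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAYBOOK
    result = check_playbook(load_playbook(text))
    for kind in ("denied", "unverifiable"):
        for play, task, module in result[kind]:
            print(f"{kind.upper():12} play={play!r} task={task!r} module={module}")
    return 1 if result["denied"] or result["unverifiable"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pre-commit hook or in the CI job that calls ansible-playbook and have it block on a non-zero exit. It is a static check on the control node, so it cannot see a module name that is only decided at runtime (templated task lists, dynamic includes); the unverifiable list exists precisely so that such cases are surfaced instead of waved through, and combining it with ansible-lint rules and a tightly scoped remote user is still the more robust position than trying to filter the AnsiballZ wrapper command itself.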