I’m working on finalizing an implementation of an ansible poc for a new
project, and as part of this poc our security team has asked for a minimal
sudoers configuration for the ansible automation user.
I’m currently using an “anything anywhere” type configuration, but looking
at sudo logs I don’t believe I need this. Is there a project recommended
minimal configuration for sudoers to allow only ansible commands? Browsing the
documentation and mailing list nothing stood out, but maybe I missed it.
In any case, it’s usually not something valuable for the security team to enforce, because it also means you wouldn’t be able to install any packages (they contain %post scripts), use the shell module, or use the command module — because all of these would be able to run arbitrary commands.
We’d recommend using a specific user or key with Ansible, and controlling who gets that key, and constraining sudo differently (less) for them.
Further, use of Ansible Tower can keep the SSH private keys known only to admins and Tower, allowing people to be easily removed from the system without rekeying any of the remote hosts.
By comparison, it may also be useful to inform your security team that many other tools actually require full root level agents, so Ansible is one of the few options with a really strong sudo implementation (and su is also supported).
I’d recommend talking to them about how you can protect keys with Tower if needed, and also not give full access to users logging in normally.
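The review the original poster describes (reading the sudo logs to see what the automation account actually runs under sudo) is easy to make systematic. The following Python script is an added example, not code from the thread or from the Ansible project: it parses lines in the syslog format sudo writes to auth.log or the journal, summarises which executables each user ran as root, flags rejected attempts, and drafts per-user sudoers lines from what was observed. The log lines, hostnames, user names and paths are constructed for this example; the Ansible entries mimic the usual become invocation, which wraps the module in /bin/sh -c, so the script also illustrates the reply's point that a per-command allow list cannot meaningfully constrain an account whose every sudo call is a shell.

```python
import re
from collections import defaultdict

# Constructed sample of the lines sudo writes via syslog (auth.log / journal).
# Host, users, paths and the BECOME-SUCCESS tokens are made up for this example.
SAMPLE_SUDO_LOG = """\
Mar  3 10:15:01 web01 sudo:  ansible : TTY=unknown ; PWD=/home/ansible ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-abc; /usr/bin/python3 /home/ansible/.ansible/tmp/AnsiballZ_setup.py
Mar  3 10:15:03 web01 sudo:  ansible : TTY=unknown ; PWD=/home/ansible ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-def; /usr/bin/python3 /home/ansible/.ansible/tmp/AnsiballZ_apt.py
Mar  3 10:20:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:21:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/nginx -t
Mar  3 10:25:00 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:26:02 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>[^;]*?) ; )?"       # optional rejection text, e.g. "user NOT in sudoers"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Interpreters that make a command-level allow list meaningless for that user.
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}


def parse_sudo_log(text):
    """Turn raw sudo syslog lines into dicts; lines that are not sudo command records are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["denied"] = e["denied"] is not None
        e["executable"] = e["cmd"].split()[0]   # first token is the program sudo resolved
        entries.append(e)
    return entries


def summarize_commands(entries):
    """Map user -> {executable: count} over the invocations sudo actually allowed."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if not e["denied"]:
            summary[e["user"]][e["executable"]] += 1
    return {u: dict(c) for u, c in summary.items()}


def shell_users(entries):
    """Users whose allowed sudo invocations include a shell (Ansible's become does this on every call)."""
    return {e["user"] for e in entries if not e["denied"] and e["executable"] in SHELLS}


def denied_events(entries):
    """Rejected attempts; worth alerting on whatever shape the policy takes."""
    return [e for e in entries if e["denied"]]


def suggest_sudoers(entries, host):
    """Draft per-user sudoers lines from observed usage; shell users get a comment instead of a rule."""
    summary = summarize_commands(entries)
    runas = {}
    for e in entries:
        if not e["denied"]:
            runas.setdefault(e["user"], e["runas"])
    lines = []
    for user in sorted(summary):
        execs = summary[user]
        shells = sorted(x for x in execs if x in SHELLS)
        if shells:
            lines.append(f"# {user}: invokes a shell under sudo ({', '.join(shells)}); "
                         f"a command allow list would not restrict what it can run")
        else:
            lines.append(f"{user} {host} = ({runas[user]}) {', '.join(sorted(execs))}")
    return lines


if __name__ == "__main__":
    parsed = parse_sudo_log(SAMPLE_SUDO_LOG)
    for user, execs in summarize_commands(parsed).items():
        print(user, execs)
    print("denied:", [(e["user"], e["cmd"]) for e in denied_events(parsed)])
    print("\n".join(suggest_sudoers(parsed, "web01")))
```

Run it against a real auth.log by replacing SAMPLE_SUDO_LOG with the file contents. The drafted lines for interactive users are a starting point for visudo, not a finished policy; for the automation account the output is a comment, which is the reply's argument in concrete form: what is left to constrain for that account is which key can log in as it and who holds that key.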