
We have Ansible in place

I want to set up auditing which logs who executes a play. I therefore only want to monitor the execution of the command ansible or ansible-playbook.

I can configure Ansible to log all command using this:

-a exit,always -F arch=b32 -S execve -k ansible
-a exit,always -F arch=b64 -S execve -k ansible

but that causes too much noise.

How can auditing the use of ansible and ansible-playbook be achieved?

Note: I know that ansible-playbook is a Python script, so the command to look for is perhaps the python command?

kenlukas
zn553

1 Answer


Native to Ansible, you can use its built-in logging of tasks to syslog, and callback plugins that can send to a variety of destinations, including custom plugins, which is how the add-on ARA records Ansible history.

Remote systems do not always exec ansible-playbook. Module code is copied, for Python modules with Ansiballz. Only temporary files or stdin pipes are executed.

Edit: note that non-Python Ansible modules are technically possible but rare. Watching python execs won't catch the dedicated Ansible user who made Perl or Go modules.


Linux auditd is limited in that the exe you can filter on is the interpreter binary (python) and not the script (ansible-playbook). Filter to the system python and you see all the python scripts on the system run. Have an Ansible specific python (virtualenv) and still nothing prevents other things (ansible-inventory) from using this python.

You can filter audit events to a specific user, useful if you only ever run plays as that user.


Edit: auditd is good at tracking privilege escalation in general. If this is something you want to closely track, have a look at the example rules in the audit-userspace source code. For example, the pci-dss "All elevation of privileges is logged" rule.

John Mahowald
  • Here is the deal. We are in a secure environment. We need to keep track of who executes what. Per instance we have an ansible playbook which pushes a sudoers file. We need to track the user who launches the playbook to spot unauthorized usage. What would be the best way to monitor this? – zn553 Jul 15 '19 at 10:42
  • Ansible can exec any binary on the remote, and you say you don't want to log everything. Use ansible's syslog or callback logging to track what tasks run, and auditd to track privilege escalation. See my edit. – John Mahowald Jul 15 '19 at 11:56
  • I think your audit about elevation might do the trick. I do not mind what gets executed on the remote hosts, but who executed a playbook on the ansible node and per instance pushes a sudoers file that breaks privileges. I was just looking somehow to limit the scope of the audit rules to only trace ansible processes or playbooks. – zn553 Jul 15 '19 at 12:53
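An added example, not part of the question or the answer above: since auditd only records the interpreter in exe=, the script name has to be recovered from the EXECVE argv when reading the log. The script below joins the SYSCALL and EXECVE records written by the execve rules from the question, decodes the hex-encoded arguments auditd emits for values containing spaces, keeps only events whose argv names ansible or ansible-playbook, and reports the login uid (auid), which identifies the person who logged in even when the play ran under sudo. The audit.log lines are constructed, not taken from a real system.

```python
import os
import re
from collections import defaultdict

# Constructed audit.log lines (not real data): event 4567 is ansible-playbook run under sudo, 4568 is unrelated Python noise, 4569 is ad-hoc ansible with a hex-encoded argument.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1563186000.123:4567): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 comm="ansible-playboo" exe="/usr/bin/python3.6" key="ansible"
type=EXECVE msg=audit(1563186000.123:4567): argc=3 a0="/usr/bin/python3" a1="/usr/bin/ansible-playbook" a2="site.yml"
type=SYSCALL msg=audit(1563186010.555:4568): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 euid=1001 comm="python3" exe="/usr/bin/python3.6" key="ansible"
type=EXECVE msg=audit(1563186010.555:4568): argc=2 a0="/usr/bin/python3" a1="/home/bob/report.py"
type=SYSCALL msg=audit(1563186020.777:4569): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 comm="ansible" exe="/opt/venv/bin/python3" key="ansible"
type=EXECVE msg=audit(1563186020.777:4569): argc=6 a0="/opt/venv/bin/python3" a1="/opt/venv/bin/ansible" a2="all" a3="-m" a4="shell" a5=757074696D65202D70
"""
ANSIBLE_CMDS = {"ansible", "ansible-playbook"}  # the two commands the question asks about
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit record -> dict of its fields plus the event serial and timestamp."""
    m = re.search(r"msg=audit\((\d+\.\d+):(\d+)\)", line)
    rec = {"time": m.group(1), "event": m.group(2)}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif rec.get("type") == "EXECVE" and re.fullmatch(r"a\d+", key):
            # auditd hex-encodes argv entries that contain spaces or control characters
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def ansible_invocations(log_text, wanted=ANSIBLE_CMDS):
    """Join SYSCALL and EXECVE records per event; keep only runs of the wanted commands."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if "msg=audit(" in line:
            rec = parse_record(line)
            events[rec["event"]][rec["type"]] = rec
    hits = []
    for eid, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not (sc and ex):
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        # exe= only names the interpreter, so the script has to be matched in argv instead
        script = next((a for a in argv if os.path.basename(a) in wanted), None)
        if script is not None:
            # auid is the login uid: it survives sudo/su, so it names the person who logged in
            hits.append({"event": eid, "time": sc["time"], "auid": sc["auid"], "uid": sc["uid"],
                         "exe": sc["exe"], "command": os.path.basename(script), "argv": argv})
    return hits
```

Run it against the output of `ausearch -k ansible --raw` (or audit.log directly) and the second event, a plain Python script, drops out while both Ansible runs are kept with the login uid of the person who started them.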