Ansible Config Exposure¶
Description¶
Detects publicly accessible Ansible configuration files.
Remediation¶
To remediate an Ansible configuration exposure, follow these steps:
- Identify and secure exposed Ansible configuration files (e.g.,
ansible.cfg
) by setting proper file permissions (e.g.,chmod 600 ansible.cfg
). - Rotate any credentials or secrets that may have been compromised due to the exposure.
- Use Ansible Vault to encrypt sensitive variables and files, or store secrets in a secure secrets management tool.
- Review and update
.gitignore
or equivalent in your version control system to prevent accidental commits of sensitive files. - Implement access controls and audit logs to monitor access to Ansible configurations and sensitive data.
- Regularly review and audit your Ansible playbooks and roles for hard-coded sensitive data and remove them.
- Conduct security training for team members to prevent future misconfigurations or exposures.
- If using a public repository, consider changing its status to private or ensure no sensitive data is pushed to it.
Configuration¶
Identifier:
information_disclosure/ansible_config_exposure
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API8:2023
- OWASP LLM: LLM06:2023
- pci: 2.2.2
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.12.6
- nist: SP800-123
- fedramp: AC-6
Classification¶
- CWE: 200
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS_SCORE: 2.0