Bad coding practices in playbooks


Lucas Augusto Mota de Alcantara

Jul 18, 2020, 11:50:40 PM
to Ansible Project
Hello everyone!

Recently, I've found some academic research about bad coding practices in
infrastructure as code scripts which can lead to security issues. I found it
interesting, but I noticed that the practices the researchers pointed out aren't
specific to infrastructure as code applications, but general to any kind of
programming language or application. So I wonder if there is any specific
material available, especially for newcomers, talking about bad practices,
especially the ones that can lead to security weaknesses.

The research was this one: https://akondrahman.github.io/papers/icse19_slic.pdf

Vladimir Botka

Jul 19, 2020, 3:32:20 AM
to Lucas Augusto Mota de Alcantara, ansible...@googlegroups.com
On Sat, 18 Jul 2020 20:50:39 -0700 (PDT)
Lucas Augusto Mota de Alcantara <la...@cin.ufpe.br> wrote:

> is there any specific material available, specially to the newcomers,
> talking about bad practices, specially the ones that can lead to security
> weaknesses.

See the links which address the weaknesses listed in the paper

* admin by default
"Understanding privilege escalation"
https://docs.ansible.com/ansible/latest/user_guide/become.html#understanding-privilege-escalation-become

* empty password; hard-coded secret
"Ansible Vault"
https://docs.ansible.com/ansible/latest/user_guide/vault.html#ansible-vault

* invalid IP address binding
"ipaddr filter"
https://docs.ansible.com/ansible/devel/user_guide/playbooks_filters_ipaddr.html#ipaddr-filter

* suspicious comment
"Ansible Lint"
https://docs.ansible.com/ansible-lint/#ansible-lint-documentation

* use of HTTP without TLS
"Connection Plugins"
https://docs.ansible.com/ansible/latest/plugins/connection.html#connection-plugins

* and use of weak cryptography algorithms
"OpenSSH"
https://www.openssh.com/

Then you might want to proceed to "SCAP"
https://www.open-scap.org/security-policies/scap-security-guide/

--
Vladimir Botka
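As an added example (not from the thread, and not the classifier from the cited paper), here is a small Python line scanner that flags the six smell categories listed above when run over a constructed sample playbook. The regular expressions are heuristics chosen for this example; they approximate the categories rather than reproduce the paper's rules, and the sample playbook, its hostnames and its token value are all made up.

```python
"""Heuristic scanner for the security smells listed in the reply above.

Each rule is a regex matched per line of a playbook. This is a constructed
example: the rules are approximations, not the SLIC paper's classifier.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample playbook (not from the thread). It contains one instance
# of each smell, plus one safe line (the Vault lookup) that must NOT be flagged.
SAMPLE_PLAYBOOK = """\
- hosts: webservers
  become: yes
  vars:
    db_password: ""
    api_token: "example-token-0123"
    admin_password: "{{ vault_admin_password }}"
  tasks:
    - name: bind service to all interfaces
      lineinfile:
        path: /etc/app.conf
        line: "listen = 0.0.0.0:8080"
    - name: download installer   # TODO: fix this hack
      get_url:
        url: http://example.com/installer.sh
        dest: /tmp/installer.sh
    - name: generate key
      command: openssl genrsa -out key.pem 1024
"""

# (smell name, pattern). Ordered like the list in the reply above.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # become: yes at any level; at play level it escalates every task.
    ("admin by default", re.compile(r"^\s*(ansible_)?become:\s*(yes|true)\s*$", re.I)),
    # password-like key with an empty or missing value.
    ("empty password", re.compile(r'''(pass|pwd)\w*:\s*(""|''|$)''', re.I)),
    # secret-like key with a literal value; a value starting with "{{" (a
    # variable or Vault lookup) is deliberately not matched.
    ("hard-coded secret", re.compile(r"""(password|secret|token|key)\w*:\s*["']?[^\s"'{]""", re.I)),
    # binding to all interfaces.
    ("invalid IP address binding", re.compile(r"\b0\.0\.0\.0\b")),
    # comments that admit the code is unfinished or a workaround.
    ("suspicious comment", re.compile(r"#.*\b(TODO|FIXME|HACK|XXX|BUG)\b", re.I)),
    # plain-text HTTP URLs.
    ("use of HTTP without TLS", re.compile(r"\bhttp://", re.I)),
    # broken digests/ciphers, or RSA keys of 1024 bits or less.
    ("weak cryptography algorithm", re.compile(r"\b(md5|sha1|rc4|des)\b|\bgenrsa\b.*\b(512|1024)\b", re.I)),
]


def scan(playbook_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, smell name, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        for smell, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, smell, line.strip()))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per smell, e.g. to gate a CI job on a threshold."""
    counts: Dict[str, int] = {}
    for _, smell, _ in findings:
        counts[smell] = counts.get(smell, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, smell, line in scan(SAMPLE_PLAYBOOK):
        print(f"line {lineno:>3}: {smell:<28} {line}")
    print(summarize(scan(SAMPLE_PLAYBOOK)))
```

The rules are intentionally narrow: a key such as `ssh_key_file: /path` would be reported as a hard-coded secret, so in practice a scanner like this is a starting point for review, not a verdict, and tools such as Ansible Lint are the better place to encode project rules.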

Lucas Augusto Mota de Alcantara

Jul 19, 2020, 1:28:43 PM
to Ansible Project
Thank you for the links! It's not exactly what I was looking for, but it's very useful anyway. My question is whether there are other bad practices that are more related to infrastructure as code scripts or to Ansible playbooks. Is there any kind of special care we should take when working with this kind of code, or is it just the same as for general web applications?