Ansible Tower Exposed To Internet
- Query id: 1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc
- Query name: Ansible Tower Exposed To Internet
- Platform: Ansible
- Severity: Medium
- Category: Best Practices
- CWE: 668
- URL: Github
Description
Avoid exposing Ansible Tower to the public internet; keeping it off the internet reduces the potential attack surface of your deployment.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - ini file
[tower]
150.50.1.1
[automationhub]
automationhub.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'
Positive test num. 2 - yaml file
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        139.50.1.1:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}
Code samples without security vulnerabilities
Negative test num. 2 - yaml file
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        172.27.0.5:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}
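
One way to run a comparable check on an ini inventory before it is committed. This is an added example, not the query's own code: it collects the hosts in the `[tower]` group, honours an `ansible_host` override, and reports entries whose address is publicly routable. The sample inventories and the `tower-dr` alias are constructed for illustration.

```python
import ipaddress

# Constructed sample: the [tower] group as in the positive ini test above.
POSITIVE_INI = """\
[tower]
150.50.1.1
[database]
database-01.acme.org
[all:vars]
pg_host='database-01.acme.org'
"""

# Constructed sample: a private address plus a hypothetical alias ("tower-dr")
# whose real address is set through ansible_host.
MIXED_INI = """\
[tower]
172.27.0.5
tower-dr ansible_host=139.50.1.1
"""

def tower_addresses(inventory_text, group="tower"):
    """Return the connection address of every host listed under [group]."""
    addrs, current = [], None
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # "tower:vars" etc. will not match
            continue
        if current != group:
            continue
        name, *host_vars = line.split()
        target = name
        for var in host_vars:
            key, _, value = var.partition("=")
            if key == "ansible_host":
                target = value.strip("'\"")
        addrs.append(target)
    return addrs

def exposed_tower_hosts(inventory_text):
    """Return tower addresses that are globally routable IP addresses."""
    findings = []
    for target in tower_addresses(inventory_text):
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            continue  # hostname: needs DNS resolution, out of scope here
        if addr.is_global:
            findings.append(target)
    return findings
```

Hostnames in the `[tower]` group are skipped because judging them requires resolving the name from the network the controller lives on.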