Ansible Tower Exposed To Internet

  • Query id: 1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc
  • Query name: Ansible Tower Exposed To Internet
  • Platform: Ansible
  • Severity: Medium
  • Category: Best Practices
  • CWE: 668
  • URL: Github

Description

Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - ini file
[tower]
150.50.1.1
[automationhub]
automationhub.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'
Positive test num. 2 - yaml file
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        139.50.1.1:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}

Code samples without security vulnerabilities

Negative test num. 1 - ini file
[tower]
172.27.0.2
172.27.0.3
172.27.0.4
Negative test num. 2 - yaml file
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        172.27.0.5:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}