Ansible is allowing me to control some devices, so what can I do with it to improve security on my Pi network?
Raspbian has a command called chage that lets you see when an account last had its password changed. To use it type:
chage -l USERACCOUNT
e.g. for my Pi user account this would be chage -l pi
By default Raspbian doesn’t have a password expiration date set on accounts. It can be set using:
chage -M DAYS_PASSWORD_IS_VALID USERACCOUNT
e.g. for my Pi user account and a validity period of 365 days this would be chage -M 365 pi
Note: -M and -m are different. -M is the maximum days of validity, -m is the minimum days of validity.
When setting a password validity period it is recommended to set a warning period as well, so that the user is notified that their password is about to expire. This is done via:
chage -W DAYS_BEFORE_PASSWORD_EXPIRATION USERACCOUNT
e.g. to warn my Pi user 3 days before their password expires would be chage -W 3 pi
So chage allows for a password policy to be created for a user account, but what happens if an account has been compromised? chage also lets you set an expiry date on an account, after which it is locked.
chage -E DATE_TO_LOCK_ACCOUNT_FROM USERACCOUNT
So if I thought my Pi user had been hijacked today (28th June 2019) I would run:
chage -E 2019-06-28 pi
You may be wondering what this has to do with ansible. Imagine you have multiple devices with an account on each, and the account has been hacked. Ansible would allow you to lock out the account on all the devices using one command, which for my Pi_Collection (see the earlier ansible blog posts for details) would be:
ansible Pi_Collection -a "chage -E 2019-06-28 pi" -b
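The chage options above all write to fields in /etc/shadow, which is what you would gather from each Pi to check the policy has actually taken effect. The script below is an added example, not from the original post: it audits shadow-format lines for a missing maximum validity (-M), a missing warning period (-W) and any account expiry date (-E). The sample lines are constructed, and on a real host you would feed it the output of `sudo cat /etc/shadow` instead.

```shell
#!/bin/sh
# Added example: audit the /etc/shadow fields that chage -M / -W / -E set.
# Shadow field layout (colon-separated):
#   1 user  2 hash  3 last-change  4 min-days  5 max-days  6 warn-days
#   7 inactive  8 expire-date (days since 1970-01-01)  9 reserved
# The lines below are constructed; nothing here reads the real /etc/shadow.
# Day 18075 is 2019-06-28, the date used for chage -E in the post.
SAMPLE_SHADOW='pi:$6$constructedhash:18075:0:365:3:::
admin:$6$constructedhash:18000:0:99999:7:::
svc:$6$constructedhash:17900:0::::18075:
guest:!:18000:0:60:7:::'

# audit_shadow: reads shadow-format lines on stdin and prints one finding
# per account. Optional $1 is the longest validity the policy allows
# (default 365 days, matching chage -M 365 above).
audit_shadow() {
    max_allowed="${1:-365}"
    awk -F: -v max_allowed="$max_allowed" '
        NF < 8 { next }                                  # skip malformed lines
        $2 ~ /^[!*]/ { print $1 ": password login disabled"; next }
        $8 != "" { print $1 ": account expiry date set (chage -E), day " $8; next }
        $5 == "" || $5 >= 99999 {
            print $1 ": no password expiry set (chage -M missing)"; next }
        $5 > max_allowed {
            print $1 ": max validity " $5 " exceeds policy of " max_allowed; next }
        $6 == "" || $6 == 0 {
            print $1 ": no expiry warning period (chage -W missing)"; next }
        { print $1 ": ok" }
    '
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Combined with ansible this is one fetch of /etc/shadow per device and a single local audit, rather than running chage -l for every account on every Pi.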
Open Ports (netstat)
I once wrote a port scanner in Python, but as ansible can already connect to the devices it can show all the open ports and their statuses.
This uses the shell module to send the netstat command. Running against my Pi_Collection this is:
ansible Pi_Collection -m shell -a "netstat -plntu" -b
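Once that command has run against several devices the interesting question is which of those listening sockets are reachable from the network at all, rather than bound to loopback. The script below is an added example, not from the original post: it reduces netstat -plntu output to the sockets bound on every interface (0.0.0.0 or ::). The sample output, process names and PIDs are constructed.

```shell
#!/bin/sh
# Added example: list the services in `netstat -plntu` output that are
# reachable from the LAN, skipping loopback-only sockets.
# The sample output below is constructed; PIDs and programs are invented.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      701/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           402/dhcpcd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           388/chronyd'

# exposed_ports: reads netstat -plntu output on stdin and prints
# "proto port program" for each socket bound to all interfaces.
exposed_ports() {
    awk '
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }   # skip the two header lines
        {
            addr = $4
            n = split(addr, parts, ":")          # the port follows the last colon
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::") next
            prog = $NF                           # "PID/Program name" column
            sub(/^[0-9]+\//, "", prog)           # drop the PID, keep the name
            print $1, port, prog
        }
    '
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

Anything this prints that you did not deliberately expose is a candidate for a UFW rule or for disabling the service.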
In an earlier blog post I looked at installing and configuring a firewall called UFW. That is great for an individual system, but once I started looking at ansible I decided to see if I could do the install across multiple sites using a playbook.
And ansible can then be used to check the status of the firewall using ansible Pi_Collection -m shell -a "ufw status" -b.
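Reading ufw status output from a handful of Pis by eye works until the rule sets start to drift. The script below is an added example, not from the original post: it checks that output against an expected baseline, failing if the firewall is inactive, a baseline rule is missing, or an extra rule has appeared. The sample ufw output and the baseline are constructed.

```shell
#!/bin/sh
# Added example: judge `ufw status` output against an expected baseline.
# The sample output is constructed in the layout ufw prints.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Baseline policy, one "port/proto ACTION from" per line (constructed).
BASELINE='22/tcp ALLOW 192.168.1.0/24
80/tcp ALLOW Anywhere'

# check_ufw: reads ufw status output on stdin, takes the baseline as $1.
# Prints findings and returns 0 only when the firewall is active, every
# baseline rule is present and no rule outside the baseline exists.
check_ufw() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, want, "\n")
            for (i = 1; i <= n; i++) if (want[i] != "") expected[want[i]] = 1
            active = 0; rc = 0
        }
        /^Status: active/   { active = 1; next }
        /^Status: inactive/ { print "firewall inactive"; next }
        /\(v6\)/            { next }               # IPv4 rules only in this check
        $2 ~ /^(ALLOW|DENY|REJECT|LIMIT)$/ {
            rule = $1 " " $2 " " $3
            if (rule in expected) seen[rule] = 1
            else { print "unexpected rule: " rule; rc = 1 }
        }
        END {
            if (!active) rc = 1
            for (r in expected) if (!(r in seen)) { print "missing rule: " r; rc = 1 }
            if (rc == 0) print "ufw matches baseline"
            exit rc
        }
    '
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_UFW" | check_ufw "$BASELINE"
```

The non-zero exit status is what makes this useful under ansible: a device whose firewall has drifted shows up as a failed task instead of a wall of text to scroll through.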