Ansible – Looking At Basic Security (Raspberry Pi)

Ansible is allowing me to control some devices, so what can I do with it to improve security on my Pi network?

Note: This post forms part of my collection of posts on Ansible, including installation, SSH set-up and the basics of a playbook/commands.


Chage shows when an account's password was last changed

Raspbian has a command called chage that lets you see when an account last had its password changed. To use it type:

chage -l <username>

e.g. for my Pi user account this would be chage -l pi

By default Raspbian doesn't have a password expiration date set on accounts. It can be set using:

chage -M <days> <username>

e.g. for my Pi user account and a validity period of 365 days this would be chage -M 365 pi

Note: -M and -m are different. -M sets the maximum number of days a password stays valid; -m sets the minimum number of days that must pass before the password can be changed again.

When setting a password validity period it is recommended to set a warning period as well, so that the user is notified that their password is about to expire. This is done via:

chage -W <days> <username>

e.g. to warn my Pi user 3 days before their password expires would be chage -W 3 pi

So chage allows a password policy to be created for a user account, but what happens if an account has been compromised? chage also lets you lock an account by setting an expiry date on it:

chage -E <YYYY-MM-DD> <username>

So if I thought my Pi user had been hijacked today (28th June 2019) I would run:

chage -E 2019-06-28 pi

You may be wondering what this has to do with Ansible. Imagine you have multiple devices with an account on each, and that account has been hacked. Ansible would allow you to lock the account on all the devices using one command, which for my Pi_Collection (see the earlier Ansible blog posts for details) would be:

ansible Pi_Collection -a "chage -E 2019-06-28 pi" -b

Open Ports (netstat)

I once wrote a port scanner in Python, but as Ansible can already connect to the devices, it can be used to list all the open ports and their status.

Ansible and netstat

This uses the shell module to send the netstat command. Running against my Pi_Collection this is:

ansible Pi_Collection -m shell -a "netstat -plntu" -b
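As an added example (not code from the original post), the script below parses the multi-host output that ad-hoc command returns, one "host | CHANGED | rc=0 >>" header per device followed by that device's netstat lines, and reports any service bound to every interface (0.0.0.0 or ::) whose port is not on an expected list. The sample output, the host names pi1/pi2 and the allowed-port set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape Ansible's ad-hoc shell module prints for two Pis.
SAMPLE = """\
pi1 | CHANGED | rc=0 >>
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      512/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhcpcd
pi2 | CHANGED | rc=0 >>
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      498/sshd
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      733/vncserver
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           377/avahi-daemon
"""

HOST_HEADER = re.compile(r"^(\S+) \| \w+ \| rc=(\d+) >>$")
# proto, recv-q, send-q, local address, foreign address, optional LISTEN state, pid/program
SOCKET_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+(?:LISTEN\s+)?(?P<prog>\S+)$")

def parse_listeners(output):
    """Return {host: [(proto, bind_addr, port, program), ...]} from the ad-hoc output."""
    hosts, current = defaultdict(list), None
    for line in output.splitlines():
        m = HOST_HEADER.match(line)
        if m:
            current = m.group(1)   # following socket lines belong to this host
            continue
        m = SOCKET_LINE.match(line)
        if m and current:
            addr, _, port = m.group("local").rpartition(":")   # handles ":::22" too
            hosts[current].append((m.group("proto"), addr, int(port), m.group("prog")))
    return dict(hosts)

def unexpected_exposures(output, allowed_ports):
    """Listeners on 0.0.0.0 or :: (reachable from the LAN) whose port is not allow-listed."""
    findings = []
    for host, socks in parse_listeners(output).items():
        for proto, addr, port, prog in socks:
            if addr in ("0.0.0.0", "::") and port not in allowed_ports:
                findings.append((host, proto, port, prog))
    return findings

if __name__ == "__main__":
    print(unexpected_exposures(SAMPLE, {22, 68}))  # → [('pi2', 'tcp', 5900, '733/vncserver'), ('pi2', 'udp', 5353, '377/avahi-daemon')]
```

Loopback-only listeners such as cupsd on 127.0.0.1 are parsed but not reported, since they are not reachable from the network.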


In an earlier blog post I looked at installing a firewall called UFW and configuring UFW. Both are great for an individual system, but once I started looking at Ansible I decided to see if I could do the install across multiple devices using a playbook.

Ansible and UFW

# geektechstuff UFW playbook to install firewall
- hosts: Pi_Collection
  tasks:
    - name: Install UFW
      become: yes
      apt:                  # package install via the apt module (Raspbian is Debian based)
        name: ufw
        state: present
        update_cache: yes

    - name: UFW Logging On
      become: yes
      ufw:
        logging: "on"       # quoted so YAML does not read it as the boolean true

    - name: UFW Allow Local Traffic
      become: yes
      ufw:
        rule: allow
        src: <LAN_CIDR>     # placeholder, not shown on the page: your local network range

    - name: Turn UFW on
      become: yes
      ufw:
        state: enabled
        policy: allow       # default policy for incoming traffic; deny is the usual default-deny posture

And Ansible can then be used to check the status of the firewall using ansible Pi_Collection -m shell -a "ufw status" -b.

Ansible shell to check UFW status