Automation & Orchestration Cloud Security

Ansible Security Automation: Infrastructure Hardening at Scale

January 11, 2026

Ansible enables security automation at scale, allowing teams to implement consistent security configurations across thousands of servers. From OS hardening to compliance enforcement, Ansible playbooks codify security best practices and ensure they are applied uniformly.

Security automation with Ansible reduces human error, ensures consistency, and enables rapid response to vulnerabilities. This guide covers implementing security hardening, compliance checks, and incident response automation.

OS Hardening Playbook

---
- name: Security Hardening
  hosts: all
  become: yes
  tasks:
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
      notify: restart sshd

    - name: Set password policy
      lineinfile:
        path: /etc/security/pwquality.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: "^minlen", line: "minlen = 14" }
        - { regexp: "^dcredit", line: "dcredit = -1" }
        - { regexp: "^ucredit", line: "ucredit = -1" }

    - name: Configure firewall
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - "22"
        - "443"

    - name: Enable firewall
      ufw:
        state: enabled
        policy: deny

CIS Benchmark Compliance

- name: CIS Benchmark Compliance
  hosts: all
  tasks:
    - name: Ensure permissions on /etc/passwd
      file:
        path: /etc/passwd
        owner: root
        group: root
        mode: "0644"

    - name: Disable unused filesystems
      copy:
        dest: /etc/modprobe.d/CIS.conf
        content: |
          install cramfs /bin/true
          install freevxfs /bin/true
          install jffs2 /bin/true
          install hfs /bin/true
          install hfsplus /bin/true

Secrets Management

# Encrypt secrets with Ansible Vault
ansible-vault encrypt secrets.yml

# Use in playbook
- name: Deploy application
  hosts: app_servers
  vars_files:
    - secrets.yml
  tasks:
    - name: Configure database
      template:
        src: db_config.j2
        dest: /etc/app/database.yml
        mode: "0600"

Vulnerability Remediation

- name: Patch Critical Vulnerabilities
  hosts: all
  tasks:
    - name: Update all packages
      apt:
        upgrade: dist
        update_cache: yes
      when: ansible_os_family == "Debian"

    - name: Reboot if required
      reboot:
        msg: "Rebooting for kernel update"
      when: reboot_required.stat.exists

Compliance Reporting

- name: Generate Compliance Report
  hosts: all
  tasks:
    - name: Check SSH configuration
      shell: sshd -T | grep -E "permitrootlogin|passwordauthentication"
      register: ssh_config
      changed_when: false

    - name: Save report
      local_action:
        module: copy
        content: "{{ ssh_config.stdout }}"
        dest: "reports/{{ inventory_hostname }}.txt"

Best Practices

  • Use Ansible Vault for secrets
  • Implement idempotent playbooks
  • Test in staging before production
  • Use roles for reusable security configs
  • Version control all playbooks
  • Implement change management
  • Generate compliance reports
  • Schedule regular security scans
  • Use check mode for dry runs
  • Document all security playbooks

Conclusion

Ansible security automation enables consistent, scalable security hardening across your infrastructure. By codifying security configurations and compliance checks, you reduce risk and ensure rapid response to vulnerabilities.

Related Posts: