One of the many advantages of being able to execute commands on the host using Ansible is the ability to get internal system information, such as:
- File hashes
- Network connections
- List of running processes
This lets Ansible act as a lightweight Host-Based Intrusion Detection System (HIDS). While this may not eliminate the case for a purpose-built HIDS in many cases, we can execute the same kind of security tasks using a tool such as Facebook's osquery along with Ansible.
osquery is an operating system instrumentation framework by Facebook, written in C++, that supports Windows, Linux, OS X (macOS), and other operating systems. It provides an interface to query an operating system using an SQL-like syntax. With it, we can inspect low-level details such as running processes, kernel configurations, and network connections, and perform file integrity checks. Overall it's like a host-based...