Ansible Automation Platform (AAP) audit
Red Hat Ansible Automation Platform (AAP) is a web-based control plane for Ansible: Gateway, Automation Controller, Automation Hub, and Event-Driven Ansible. During engagements it often holds high-value assets such as credentials, inventory, job output, and execution environments.
Hardening baseline
Red Hat documents secure deployment and configuration in the AAP 2.6 secure assembly and hardening guide. Use the guide that matches the customer's deployed major version when validating patch level and platform settings.
Automated audit: aap-audit
Syslifters/aap-audit collects evidence from Gateway, Controller, and Hub APIs, runs built-in checks, and writes a structured report. Use a system administrator or system auditor account.
python aap_audit.py --host aap.example.com --user auditor --password "$PASSWORD" --collect-jobs --collect-collections
Manual follow-up
The script does not scan job output or collections for secrets.
With --collect-jobs, it downloads the output of jobs run at debug verbosity (3 or higher), where module arguments are echoed and sensitive data most often appears. Search jobs/ for private keys, API tokens, passwords, and JWTs, and run a secret scanner such as TruffleHog over the directory.
With --collect-collections, review content for connection strings and similar.
When controller.json is present, also check STDOUT_MAX_BYTES_DISPLAY (higher values show more job output in the UI), ALLOW_JINJA_IN_EXTRA_VARS (the setting takes always, template or never: always lets any user who can supply extra vars at launch render Jinja on the controller and is critical, template limits rendering to extra vars stored on the job template, never disables it and is the preferred value), and whether customer playbooks set no_log: true on tasks that handle secrets (without it, verbosity 3+ prints the task's module arguments, password arguments included).
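The follow-up above is manual; the script below is an added example of how to triage the downloaded evidence and is not part of aap-audit, TruffleHog, or any Red Hat tooling. It assumes jobs/ holds one text file per job containing its stdout and that controller.json is, or contains, a JSON object keyed by setting name (adapt the loader if the real layout differs); the regexes are a starting point rather than a complete scanner, the 1 MiB threshold for STDOUT_MAX_BYTES_DISPLAY is an assumption, and the sample job output and settings at the bottom are constructed.

```python
"""Triage helpers for aap-audit output (added example, not project code).

Assumptions not stated on the page:
  - jobs/ holds one text file of stdout per downloaded job
  - controller.json is (or contains) a JSON object keyed by setting name
  - the patterns below are a starting point, not a complete secret scanner
"""
import json
import re
import sys
from pathlib import Path

# Placeholders Ansible/AAP substitute for hidden data; matching them is not a leak.
REDACTED = {"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "$encrypted$"}

RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("jwt", re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")),
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    # key/value pairs as printed in module_args at verbosity 3+; the value is group 2
    ("credential_assignment", re.compile(
        r'(?i)\b([a-z_]*(?:password|passwd|secret|token|api_key)[a-z_]*)"?\s*[:=]\s*"?([^\s"\',}]+)')),
]


def scan_text(text, source="<text>"):
    """Return one finding per matched line/rule, skipping redacted placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(2) if pattern.groups >= 2 else match.group(0)
                if value.strip("*") == "" or value in REDACTED:
                    continue  # no_log / masked output, nothing leaked
                findings.append({"source": source, "line": lineno, "rule": rule,
                                 "preview": value[:8] + "..."})  # never copy the full secret
    return findings


def scan_directory(jobs_dir):
    """Scan every file under jobs_dir (the aap-audit --collect-jobs output)."""
    findings = []
    for path in sorted(Path(jobs_dir).rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, source=str(path)))
    return findings


JINJA_SEVERITY = {"always": "critical", "template": "medium", "never": None}
STDOUT_DISPLAY_THRESHOLD = 1048576  # assumption: flag anything above 1 MiB


def load_controller_settings(path):
    """Assumption: controller.json is a dict keyed by setting name, or a list of {name, value}."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    if isinstance(data, list):
        return {item["name"]: item["value"] for item in data if "name" in item}
    return data


def check_controller_settings(settings):
    """Evaluate the two settings the page calls out; returns a list of findings."""
    findings = []
    jinja = settings.get("ALLOW_JINJA_IN_EXTRA_VARS")
    if jinja is None:
        findings.append({"setting": "ALLOW_JINJA_IN_EXTRA_VARS", "severity": "info",
                         "detail": "not present in export"})
    else:
        severity = JINJA_SEVERITY.get(jinja, "info")
        if severity:
            findings.append({"setting": "ALLOW_JINJA_IN_EXTRA_VARS", "severity": severity,
                             "detail": f"value {jinja!r}; prefer 'never'"})
    stdout_max = settings.get("STDOUT_MAX_BYTES_DISPLAY")
    if stdout_max is None:
        findings.append({"setting": "STDOUT_MAX_BYTES_DISPLAY", "severity": "info",
                         "detail": "not present in export"})
    elif int(stdout_max) > STDOUT_DISPLAY_THRESHOLD:
        findings.append({"setting": "STDOUT_MAX_BYTES_DISPLAY", "severity": "medium",
                         "detail": f"{stdout_max} bytes shown in UI, above {STDOUT_DISPLAY_THRESHOLD}"})
    return findings


# Constructed sample: verbosity-3 style output with module_args echoed back.
SAMPLE_JOB_OUTPUT = "\n".join([
    "PLAY [db] *****",
    "TASK [Create app user] *****",
    'ok: [db01] => {"changed": false, "invocation": {"module_args": {"login_password": "Sup3rSecret!", "login_user": "root"}}}',
    "TASK [Push SSH key] *****",
    'changed: [db01] => {"invocation": {"module_args": {"key": "-----BEGIN OPENSSH PRIVATE KEY-----"}}}',
    "TASK [Call API] *****",
    'ok: [db01] => {"invocation": {"module_args": {"headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhdWRpdG9yIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"}}}}',
    "TASK [Upload artefact] *****",
    'ok: [db01] => {"invocation": {"module_args": {"aws_access_key": "AKIAIOSFODNN7EXAMPLE", "aws_secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"}}}',
])
SAMPLE_SETTINGS = {"ALLOW_JINJA_IN_EXTRA_VARS": "always", "STDOUT_MAX_BYTES_DISPLAY": 10485760}

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python aap_triage.py <aap-audit output dir>
        out = Path(sys.argv[1])
        results = scan_directory(out / "jobs")
        if (out / "controller.json").exists():
            results += check_controller_settings(load_controller_settings(out / "controller.json"))
    else:
        results = scan_text(SAMPLE_JOB_OUTPUT) + check_controller_settings(SAMPLE_SETTINGS)
    print(json.dumps(results, indent=2))
```

The scanner reports a short preview rather than the matched value so the audit report does not itself become a secret store, and it treats the no_log placeholder and masked values as clean so that a customer who already uses no_log is not flagged for the same line twice.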
Manual testing angles
Beyond the automated checks, additional tests and audits still apply:
- Authentication: SSO misconfiguration, local fallback accounts, session and OAuth token lifetime, MFA coverage for privileged roles.
- Authorization: organization and team RBAC, whether org admins can see users/credentials outside their scope, API token scopes (read vs write).
- Supply chain: who can publish to Automation Hub or git, whether execution environments pull from trusted registries, collection signing and namespace ownership.
- Job execution: ad-hoc command allow lists, privilege escalation via extra vars / Jinja, hybrid mesh nodes executing outside the managed perimeter.
- Information disclosure: job stdout in the UI, verbose logging, backup and support bundle exports.
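Two of the authorization angles above (org-admin visibility of credentials outside their scope, and API token scope and lifetime) can be checked from the Controller API rather than by clicking through the UI. The script below is an added example, not part of aap-audit or any Red Hat tooling. It assumes the Controller REST API lives under BASE/api/v2/ (behind the AAP 2.5+ Gateway the prefix is typically /api/controller/v2/), that list endpoints return {"results": [...], "next": ...}, that credentials carry an integer organization field (null for user- or team-owned ones) and that tokens carry scope ("read" or "write") and expires (ISO 8601 or null); the 30-day lifetime threshold and the sample records are constructed.

```python
"""Authorization spot checks against the Controller API (added example, not project code).

Assumptions not on the page: API prefix, pagination shape, and the
organization / scope / expires field names described in the lead-in.
"""
import json
import sys
import urllib.request
from datetime import datetime, timedelta, timezone


def paginate(base_url, path, token):
    """Follow 'next' links and return all results (needs network; path is relative, e.g. /api/v2/tokens/)."""
    base_url = base_url.rstrip("/")
    results, url = [], base_url + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page["results"])
        url = base_url + page["next"] if page.get("next") else None
    return results


def out_of_scope_credentials(credentials, admin_org_ids):
    """Run with an org admin's token: credentials it can list that belong to another org or to no org."""
    return [
        {"id": c["id"], "name": c["name"], "organization": c.get("organization")}
        for c in credentials
        if c.get("organization") not in set(admin_org_ids)
    ]


def risky_tokens(tokens, max_lifetime_days=30, now=None):
    """Write-scoped tokens with no expiry or an expiry further away than max_lifetime_days."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for t in tokens:
        if t.get("scope") != "write":
            continue
        expires = t.get("expires")
        if expires is None:
            flagged.append({"id": t["id"], "user": t.get("user"), "reason": "no expiry"})
            continue
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        remaining = exp - now
        if remaining > timedelta(days=max_lifetime_days):
            flagged.append({"id": t["id"], "user": t.get("user"),
                            "reason": f"expires in {remaining.days} days"})
    return flagged


# Constructed sample records in the shape the API returns; not real data.
SAMPLE_CREDENTIALS = [
    {"id": 1, "name": "org1-ssh", "organization": 1},
    {"id": 2, "name": "org2-vault", "organization": 2},
    {"id": 3, "name": "alice-private-key", "organization": None},
]
SAMPLE_TOKENS = [
    {"id": 10, "user": 5, "scope": "read", "expires": "2025-01-15T00:00:00.000000Z"},
    {"id": 11, "user": 5, "scope": "write", "expires": "2025-01-15T00:00:00Z"},
    {"id": 12, "user": 6, "scope": "write", "expires": "3024-01-01T00:00:00.000000Z"},
    {"id": 13, "user": 7, "scope": "write", "expires": None},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: python authz_check.py BASE_URL TOKEN ADMIN_ORG_ID
        base, token, org = sys.argv[1], sys.argv[2], int(sys.argv[3])
        creds = paginate(base, "/api/v2/credentials/", token)
        toks = paginate(base, "/api/v2/tokens/", token)
        print(json.dumps({"out_of_scope": out_of_scope_credentials(creds, [org]),
                          "risky_tokens": risky_tokens(toks)}, indent=2))
    else:
        print(json.dumps({"out_of_scope": out_of_scope_credentials(SAMPLE_CREDENTIALS, [1]),
                          "risky_tokens": risky_tokens(SAMPLE_TOKENS, now=SAMPLE_NOW)}, indent=2))
```

Run the credential check with a token issued to an org admin, not to the system administrator account used for aap-audit: the point is what a scoped administrator can see. The token check is the opposite and should be run as system administrator or auditor so that /api/v2/tokens/ lists every user's tokens.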