CloudOps: AI for Infrastructure as Code

Ansible Become / Privilege Escalation Prompt

Configure Ansible privilege escalation — become, become_user, become_method, restrict sudo, password handling.

Target user
Ansible engineers managing privileged operations
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior automation engineer who has configured Ansible privilege escalation across many production fleets — sudo, su, runas, restricted users.

I will provide:
- The privilege escalation scenario
- Current config
- Symptom (sudo fails, asks for password, wrong user)

Your job:

1. **Become basics**:
   - `become: true` activates privilege escalation
   - Default `become_method: sudo`
   - Default `become_user: root`
2. **For scope and precedence**:
   - Set at play, task, role, or host level
   - Most specific wins
3. **For become methods**:
   - `sudo` — most common
   - `su`
   - `doas`
   - `runas` (Windows)
   - `dzdo` (Centrify)
4. **For passwordless sudo**:
   - sudoers configured for ansible user
   - `NOPASSWD: ALL`
   - Most production setups
5. **For password sudo**:
   - `--ask-become-pass` (`-K`) prompt
   - `ansible_become_password` var (vault)
6. **For non-root user**:
   - `become_user: postgres`
   - Run as service user
7. **For restricted sudo**:
   - Specific commands in sudoers
   - Avoids granting all
8. **For security**:
   - Limit who can sudo as the Ansible user
   - Audit logs (`/var/log/sudo`)
   - Sudo config managed by Ansible itself

Mark DESTRUCTIVE: passwordless sudo for all to root, ansible user with no audit, removing sudo without verifying paths.

---

Scenario: [DESCRIBE]
Current config: [PASTE]
Symptom: [DESCRIBE]

Why this prompt works

Privilege escalation needs care. This prompt walks through the common become patterns and the symptoms that go with each.

How to use it

  1. Restrict sudo at the host level.
  2. Use passwordless sudo for automation, but never `NOPASSWD: ALL`.
  3. Audit sudo invocations.
  4. Vault any passwords.

Useful commands

# Run with become
ansible-playbook site.yml --become

# Prompt for password
ansible-playbook site.yml --become --ask-become-pass

# Check sudo from CLI
ansible all -m command -a "whoami" --become

Patterns

Play-level become (most common)

- hosts: webservers
  become: true                          # all tasks use sudo
  tasks:
  - name: Install nginx
    package:
      name: nginx
      state: present

Per-task become

- hosts: webservers
  tasks:
  - name: User-level task (no become)
    shell: echo "Hello as {{ ansible_user }}"

  - name: Privileged task
    package:
      name: nginx
      state: present
    become: true

Become as specific user

- hosts: db
  become: true
  tasks:
  - name: Run as postgres user (not root)
    shell: psql -c "CREATE DATABASE myapp;"
    become_user: postgres

Sudo password via vault

# group_vars/production/vars.yml (plain; only references the vaulted value)
ansible_become_password: "{{ vault_become_password }}"

# group_vars/production/vault.yml (encrypted with ansible-vault)
vault_become_password: "<sudo password, placeholder>"

# ansible.cfg
[defaults]
vault_password_file = ~/.vault/key

Restricted sudoers (managed by Ansible)

# templates/sudoers-ansible.j2
# Restrict Ansible automation user
# Caveat: Ansible's sudo become wraps every module in "sudo ... /bin/sh -c", so a
# command allow-list like this does not cover become-driven tasks; it applies to
# commands the ansible user runs through sudo directly.
# The trailing wildcard on apt-get install also matches further arguments, not
# just a single package name.
ansible ALL=(root) NOPASSWD: \
    /usr/bin/systemctl restart nginx, \
    /usr/bin/systemctl reload nginx, \
    /usr/bin/apt-get update, \
    /usr/bin/apt-get install *

Defaults:ansible !requiretty
Defaults:ansible env_keep += "ANSIBLE_*"

# Playbook task that deploys the template above
- name: Deploy restricted sudoers
  template:
    src: sudoers-ansible.j2
    dest: /etc/sudoers.d/ansible
    mode: '0440'
    owner: root
    group: root
    validate: '/usr/sbin/visudo -cf %s'         # syntax-check before replacing the file

Per-distro sudo behavior

- name: Configure sudo (Debian/Ubuntu)
  template:
    src: sudoers-ansible.j2
    dest: /etc/sudoers.d/ansible
    mode: '0440'                                # sudo rejects sudoers files that are group/world writable
    validate: '/usr/sbin/visudo -cf %s'
  when: ansible_os_family == "Debian"

- name: Configure sudo (RHEL)
  template:
    src: sudoers-ansible-rhel.j2
    dest: /etc/sudoers.d/ansible
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'
  when: ansible_os_family == "RedHat"

Common findings this catches

  • Sudo asks for password → NOPASSWD or --ask-become-pass.
  • requiretty error → add !requiretty for ansible user.
  • Tasks failing as wrong user → become_user mismatch.
  • All tasks running as root → over-privilege; per-task become.
  • Passwordless sudo too broad → restrict commands.
  • `-K` password prompt blocking CI → use vault or external secrets.
  • Become method not supported → check OS doc.
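
As an added example (not code from the original page), a small Python checker that applies the DESTRUCTIVE rules from the prompt and the "passwordless sudo too broad" finding to sudoers content: it joins backslash-continued lines the way the restricted template above uses them, skips Defaults lines, and flags `NOPASSWD: ALL`, grants that apply to every user, shell commands, and wildcard arguments. The sample input is constructed for the demo.

```python
import re

# Parses "user HOSTS=(runas) TAG: cmd, cmd" user-spec lines (Defaults lines are skipped).
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SHELLS = ("/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash")

def logical_lines(text: str) -> list[str]:
    """Join backslash-continued lines and drop blanks/comments, as sudo's parser does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out

def audit_sudoers(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, spec) for each over-broad grant found."""
    findings = []
    for spec in logical_lines(text):
        m = SPEC_RE.match(spec)
        if spec.startswith("Defaults") or not m:
            continue
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        if "NOPASSWD" in m["tags"].upper() and "ALL" in cmds:
            findings.append(("DESTRUCTIVE", "passwordless sudo for ALL commands", spec))
        if m["who"] == "ALL":
            findings.append(("DESTRUCTIVE", "grant applies to every user", spec))
        for c in cmds:
            if "*" in c:  # a sudoers glob also matches any further arguments
                findings.append(("WARN", f"wildcard in '{c}' matches extra arguments", spec))
            if c.split()[0] in SHELLS:
                findings.append(("WARN", f"'{c}' grants a shell, i.e. unrestricted sudo", spec))
    return findings

# Constructed sample: the page's restricted template plus two over-broad grants.
SAMPLE = """\
# Restrict Ansible automation user
ansible ALL=(root) NOPASSWD: \\
    /usr/bin/systemctl restart nginx, \\
    /usr/bin/apt-get install *
Defaults:ansible !requiretty
deploy ALL=(ALL) NOPASSWD: ALL
ALL ALL=(root) NOPASSWD: /bin/sh
"""
```

Run `audit_sudoers(SAMPLE)` to get one WARN for the wildcard in the template and DESTRUCTIVE findings for the two broad grants; an allow-list of fixed commands returns an empty list.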

When to escalate

  • Sudo hardening review — security.
  • Restricted sudoers design — coordinate.
  • Audit log integration — SIEM.
