An empirical study of task infections in Ansible scripts
Empirical Software Engineering (IF 4.1), Pub Date: 2023-12-29, DOI: 10.1007/s10664-023-10432-6
Akond Rahman, Dibyendu Brinto Bose, Yue Zhang, Rahul Pandita

Context

Despite being beneficial for managing computing infrastructure at scale, Ansible scripts include security weaknesses, such as hard-coded passwords. Security weaknesses can propagate into tasks, i.e., code constructs used for managing computing infrastructure with Ansible. Propagation of security weaknesses into tasks makes the provisioned infrastructure susceptible to security attacks. A systematic characterization of task infection, i.e., the propagation of security weaknesses into tasks, can aid practitioners and researchers in understanding how security weaknesses propagate into tasks and derive insights for practitioners to develop Ansible scripts securely.
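As an added illustration, not code from the paper or its authors, the Python detector below flags the propagation the abstract describes: a hard-coded password declared in a play's `vars` that a task then consumes, alongside a literal secret placed directly in a task's module arguments. It assumes the play has already been loaded by a YAML parser into plain dicts and lists; the sample play, the secret key-name pattern and the list of task bookkeeping keys are constructed assumptions.

```python
import re
from typing import Any, Dict, Iterator, List

# Assumed key-name pattern for values we treat as secrets when given literally.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.I)
# Matches the variable name in a Jinja2 reference such as "{{ db_password }}".
TEMPLATE_REF_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")
# Task keys that are play-book control flow, not module arguments (assumed list).
CONTROL_KEYS = {"name", "when", "tags", "register", "become", "loop", "notify"}


def hardcoded_secrets(variables: Dict[str, Any]) -> Dict[str, str]:
    """Return secret-looking keys whose value is a non-empty literal string.

    Values that contain a template reference (vault, lookup, other vars) are
    indirection rather than a hard-coded weakness and are skipped."""
    found = {}
    for name, value in variables.items():
        if not SECRET_KEY_RE.search(name) or not isinstance(value, str):
            continue
        if TEMPLATE_REF_RE.search(value) or not value.strip():
            continue
        found[name] = value
    return found


def _strings(node: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a dict/list argument tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)


def infected_tasks(play: Dict[str, Any]) -> List[Dict[str, str]]:
    """Report tasks that consume a hard-coded secret via a var or as a literal."""
    secrets = hardcoded_secrets(play.get("vars", {}))
    report = []
    for task in play.get("tasks", []):
        name = task.get("name", "<unnamed>")
        args = {k: v for k, v in task.items() if k not in CONTROL_KEYS}
        # Propagation: a task argument references a weak variable from vars.
        for text in _strings(args):
            for ref in TEMPLATE_REF_RE.findall(text):
                if ref in secrets:
                    report.append({"task": name, "variable": ref, "via": "template"})
        # Weakness declared directly inside the task's own module arguments.
        for module_args in args.values():
            if isinstance(module_args, dict):
                for key in hardcoded_secrets(module_args):
                    report.append({"task": name, "variable": key, "via": "literal"})
    return report


# Constructed sample play, shaped like the output of a YAML loader.
SAMPLE_PLAY = {
    "hosts": "db",
    "vars": {"db_user": "app", "db_password": "hunter2",
             "api_token": "{{ lookup('env', 'API_TOKEN') }}"},
    "tasks": [
        {"name": "Create DB user", "mysql_user": {"name": "{{ db_user }}", "password": "{{ db_password }}"}},
        {"name": "Install package", "apt": {"name": "mariadb-server", "state": "present"}},
        {"name": "Configure broker", "rabbitmq_user": {"user": "mq", "password": "changeme"}},
    ],
}
```

Running `infected_tasks(SAMPLE_PLAY)` reports the data-storage task as infected through `db_password` and the message-broker task through its literal `password`, while the templated `api_token` and the package task are left alone.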

Objective

The goal of the paper is to help practitioners and researchers understand how Ansible-managed computing infrastructure is impacted by security weaknesses by conducting an empirical study of task infections in Ansible scripts.

Method

We conduct an empirical study in which we quantify the frequency of task infections in Ansible scripts. Upon detection of task infections, we apply qualitative analysis to determine task infection categories. We also conduct a survey with 23 practitioners to determine the prevalence and severity of the identified task infection categories. With logistic regression analysis, we identify development factors that correlate with the presence of task infections.

Results

In all, we identify 1,805 task infections in 27,213 scripts. We identify six task infection categories: anti-virus, continuous integration, data storage, message broker, networking, and virtualization. From our survey, we observe that tasks used to manage data storage infrastructure are perceived to have the most severe consequences. We also find three development factors, namely age, minor contributors, and scatteredness, that correlate with the presence of task infections.

Conclusion

Our empirical study shows that computing infrastructure managed by Ansible scripts is impacted by security weaknesses. We conclude the paper by discussing the implications of our findings for practitioners and researchers.

Updated: 2023-12-30