Disabled Ansible URI certificate validation
Description
This policy checks whether Ansible URI tasks enforce certificate validation on their HTTPS requests. Setting `validate_certs` to `false` makes the task accept any certificate, including one presented by an attacker positioned in the network path, which exposes the request to man-in-the-middle (MITM) attacks and other security issues.
Code Example
```diff
 - name: Example
   hosts: all
   gather_facts: False
   tasks:
     - name: disabled
       uri:
         url: https://www.example.com
         return_content: yes
-        validate_certs: false
+        validate_certs: true
       register: this
       failed_when: "'AWESOME' not in this.content"
```
Remediation
Ansible
- Attribute: uri.validate_certs
To mitigate this risk, ensure that the `validate_certs` attribute is set to `true` (the module default) in your Ansible URI tasks. This setting ensures that SSL/TLS certificates are properly validated during HTTPS requests, enhancing the security of your system.
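To show how a playbook can be scanned for this misconfiguration, here is an added example (written for this page, not Checkov's own implementation of CKV_ANSIBLE_1). It assumes the playbook has already been parsed into Python structures (as PyYAML would return), flags only an explicit false-like `validate_certs` (an absent key keeps the secure default), and also handles the `ansible.builtin.uri` FQCN, tasks nested in `block`/`rescue`/`always`, and the free-form `key=value` argument string; the sample playbook is constructed.

```python
"""Detect Ansible uri tasks that disable certificate validation (added example,
not Checkov's CKV_ANSIBLE_1 code); input is an already-parsed playbook."""
URI_MODULES = ("uri", "ansible.builtin.uri")
PLAY_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")

def _is_disabled(value):
    """True only for an explicit false-like value; an absent key keeps the
    module default (validate_certs: true) and is not a finding."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):  # quoted values that YAML left as strings
        return value.strip().lower() in {"false", "no", "off", "0"}
    return False

def _iter_tasks(tasks, path):
    """Yield (location, task), descending into block/rescue/always."""
    for i, task in enumerate(tasks or []):
        here = f"{path}[{i}]"
        nested = [k for k in ("block", "rescue", "always") if isinstance(task.get(k), list)]
        for k in nested:
            yield from _iter_tasks(task[k], f"{here}.{k}")
        if not nested:
            yield here, task

def find_disabled_validation(playbook):
    """Return [(location, task name)] for each uri task with validate_certs off."""
    findings = []
    for p, play in enumerate(playbook):
        for section in PLAY_SECTIONS:
            for loc, task in _iter_tasks(play.get(section), f"play[{p}].{section}"):
                for module in URI_MODULES:
                    args = task.get(module)
                    if isinstance(args, str):  # free-form "key=value" argument string
                        args = dict(kv.split("=", 1) for kv in args.split() if "=" in kv)
                    if isinstance(args, dict) and _is_disabled(args.get("validate_certs")):
                        findings.append((loc, task.get("name", "<unnamed>")))
    return findings

# Constructed sample: the page's task, a compliant FQCN task, a free-form task in a block.
SAMPLE_PLAYBOOK = [{
    "name": "Example", "hosts": "all", "gather_facts": False,
    "tasks": [
        {"name": "disabled", "register": "this",
         "uri": {"url": "https://www.example.com", "return_content": True, "validate_certs": False}},
        {"name": "default", "ansible.builtin.uri": {"url": "https://www.example.com"}},
        {"block": [{"name": "kv form", "uri": "url=https://www.example.com validate_certs=no"}]},
    ],
}]
```

Running `find_disabled_validation(SAMPLE_PLAYBOOK)` reports the `disabled` task and the free-form task inside the block, while the FQCN task that relies on the default passes.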
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0042 |
| Severity | MEDIUM |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_ANSIBLE_1 |