For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-privilege-escalation-using-become-plugin-in-defaults.md. A documentation index is available at /llms.txt.

Privilege escalation using become plugin in defaults

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-privilege-escalation-using-become-plugin-in-defaults

Platform: Ansible

Severity: Medium

Category: Access Control

Learn More

Description

Specifying a become_user without enabling privilege escalation prevents Ansible from elevating privileges. Tasks intended to run as that user will execute as the invoking user instead, which can cause configuration changes to be applied with incorrect permissions or fail entirely, leading to insecure or inconsistent system state. In the Ansible defaults group, when defaults.become_user is defined, the defaults.become property must be present and set to true. This rule flags defaults entries where become_user exists but become is missing or set to false.

Secure configuration example:

defaults:
  become: true
  become_user: root

Compliant Code Examples

[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
fact_caching=memory

[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
fact_caching=memory
become_ask_pass=False
become_method=sudo
become=True
become_user=root

Non-Compliant Code Examples

[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
fact_caching=memory
become=False
become_ask_pass=False
become_method=sudo
become_user=root

[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
fact_caching=memory
become_ask_pass=False
become_method=sudo
become_user=root