infra-run/ansible/roles/cis-debian-ubuntu-hardening/README.md

# CIS-Inspired Debian and Ubuntu Hardening

This role applies a small, practical set of CIS-inspired operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for production environments that still need local review.

## Supported OS

- Debian 13 Trixie
- Ubuntu Server 26.04 LTS

Unsupported distributions and versions fail during precheck before hardening tasks run.

## Implemented Areas

- SSH daemon hardening with a validated drop-in configuration
- Legacy network package removal
- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
- Kernel network sysctl hardening
- Basic audit rule examples, disabled by default
- Sudo `use_pty` and optional sudo logfile configuration
- Logging service checks without replacing existing logging configuration
- Filesystem mount option recommendations, disabled by default

## Safety Philosophy

The defaults are intended to be operationally safe:

- Check mode is supported.
- SSH password authentication remains enabled by default.
- Filesystem mount option management is disabled by default.
- Audit rules are not written unless explicitly enabled.
- Services are enabled only when the matching feature is enabled and the service exists.
- Existing logging configuration is not replaced.

This role does not implement the full CIS benchmark and is not a CIS certification implementation.

## Usage

Run in check mode first:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff
```

Apply the full baseline:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml
```

Run only selected areas:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging
```

## Key Variables

```yaml
cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
cis_manage_audit_rules: false

cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3

cis_sudo_use_pty: true
cis_sudo_logfile: /var/log/sudo.log
```

Enable audit rules only after reviewing the examples:

```yaml
cis_manage_audit_rules: true
```

Enable mount option persistence only after reviewing each filesystem target:

```yaml
cis_manage_mount_options: true
```
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`# CIS-Inspired Debian and Ubuntu Hardening`

			`This role applies a small, practical set of CIS-inspired operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for production environments that still need local review.`

			`## Supported OS`

			`- Debian 13 Trixie`
			`- Ubuntu Server 26.04 LTS`

			`Unsupported distributions and versions fail during precheck before hardening tasks run.`

			`## Implemented Areas`

			`- SSH daemon hardening with a validated drop-in configuration`
			`- Legacy network package removal`
			- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
			`- Kernel network sysctl hardening`
			`- Basic audit rule examples, disabled by default`
			- Sudo `use_pty` and optional sudo logfile configuration
			`- Logging service checks without replacing existing logging configuration`
			`- Filesystem mount option recommendations, disabled by default`

			`## Safety Philosophy`

			`The defaults are intended to be operationally safe:`

			`- Check mode is supported.`
			`- SSH password authentication remains enabled by default.`
			`- Filesystem mount option management is disabled by default.`
			`- Audit rules are not written unless explicitly enabled.`
			`- Services are enabled only when the matching feature is enabled and the service exists.`
			`- Existing logging configuration is not replaced.`

			`This role does not implement the full CIS benchmark and is not a CIS certification implementation.`

			`## Usage`

			`Run in check mode first:`

			```bash
			`ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff`
			```

			`Apply the full baseline:`

			```bash
			`ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml`
			```

			`Run only selected areas:`

			```bash
			`ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck`
			`ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services`
			`ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging`
			```

			`## Key Variables`

			```yaml
			`cis_disable_root_login: true`
			`cis_disable_password_auth: false`
			`cis_install_auditd: true`
			`cis_enable_chrony: true`
			`cis_enable_rsyslog: true`
			`cis_remove_legacy_packages: true`
			`cis_enable_sysctl_hardening: true`
			`cis_manage_mount_options: false`
			`cis_manage_audit_rules: false`

			`cis_ssh_max_auth_tries: 4`
			`cis_ssh_login_grace_time: 60`
			`cis_ssh_client_alive_interval: 300`
			`cis_ssh_client_alive_count_max: 3`

			`cis_sudo_use_pty: true`
			`cis_sudo_logfile: /var/log/sudo.log`
			```

			`Enable audit rules only after reviewing the examples:`

			```yaml
			`cis_manage_audit_rules: true`
			```

			`Enable mount option persistence only after reviewing each filesystem target:`

			```yaml
			`cis_manage_mount_options: true`
			```