infra-run/ansible/roles/cis-rhel9-hardening/README.md

# RHEL 9 Baseline Hardening Role

This role provides a practical, baseline hardening example for RHEL 9 and Oracle Linux 9 systems. It is inspired by hardening benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.

This is not a full compliance certification implementation.

## Supported Platforms

- Red Hat Enterprise Linux 9
- Oracle Linux 9

The role fails safely on unsupported operating systems or unsupported major versions.

## Implemented Controls

- SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
- Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
- Optional installation and enablement of chrony, auditd, and rsyslog.
- Selected IPv4 network sysctl settings.
- Service enablement for chronyd, auditd, and rsyslog.
- Safe disabling of known legacy services when they are present.
- Basic audit backlog and audit rule examples.
- Sudo defaults for `use_pty` and a configurable sudo logfile.
- Rsyslog service validation and journald configuration presence checks.
- Optional filesystem mount option persistence for selected paths.

## Safety Philosophy

The defaults are conservative. The role supports Ansible check mode and avoids destructive live-system behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists configured options without remounting live filesystems.

Review variables before adapting this role to managed hosts.

## Common Variables

```yaml
cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
```

## Check Mode

Run a full safety preview:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff
```

Run only SSH controls in check mode:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh
```

## Tags

Useful tags include:

- `precheck`
- `packages`
- `ssh`
- `sysctl`
- `services`
- `audit`
- `sudo`
- `logging`
- `filesystem`
- `postcheck`

Example:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck
```

## Rollout Notes

This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`# RHEL 9 Baseline Hardening Role`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`This role provides a practical, baseline hardening example for RHEL 9 and Oracle Linux 9 systems. It is inspired by hardening benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`This is not a full compliance certification implementation.`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
			`## Supported Platforms`

			`- Red Hat Enterprise Linux 9`
			`- Oracle Linux 9`

			`The role fails safely on unsupported operating systems or unsupported major versions.`

			`## Implemented Controls`

			`- SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.`
			`- Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.`
			`- Optional installation and enablement of chrony, auditd, and rsyslog.`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`- Selected IPv4 network sysctl settings.`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00			`- Service enablement for chronyd, auditd, and rsyslog.`
			`- Safe disabling of known legacy services when they are present.`
			`- Basic audit backlog and audit rule examples.`
			- Sudo defaults for `use_pty` and a configurable sudo logfile.
			`- Rsyslog service validation and journald configuration presence checks.`
			`- Optional filesystem mount option persistence for selected paths.`

			`## Safety Philosophy`

Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			The defaults are conservative. The role supports Ansible check mode and avoids destructive live-system behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists configured options without remounting live filesystems.
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`Review variables before adapting this role to managed hosts.`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
			`## Common Variables`

			```yaml
			`cis_disable_root_login: true`
			`cis_disable_password_auth: false`
			`cis_install_auditd: true`
			`cis_enable_chrony: true`
			`cis_enable_rsyslog: true`
			`cis_remove_legacy_packages: true`
			`cis_enable_sysctl_hardening: true`
			`cis_manage_mount_options: false`
			```

			`## Check Mode`

			`Run a full safety preview:`

			```bash
			`ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff`
			```

			`Run only SSH controls in check mode:`

			```bash
			`ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh`
			```

			`## Tags`

			`Useful tags include:`

			- `precheck`
			- `packages`
			- `ssh`
			- `sysctl`
			- `services`
			- `audit`
			- `sudo`
			- `logging`
			- `filesystem`
			- `postcheck`

			`Example:`

			```bash
			`ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck`
			```

Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`## Rollout Notes`
Add RHEL 9 CIS-inspired hardening playbook 2026-05-06 08:45:33 +00:00
			`This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.`