enterprise-infra-simulator/roles/hardening/README.md

# Hardening Role

Apply security hardening to enterprise infrastructure nodes following CIS benchmarks.

## Features

- **CIS Compliance**: Support for CIS hardening levels 1 and 2
- **SSH Hardening**: Disable root login, password auth, set auth limits
- **Firewall Configuration**: UFW with configurable rules
- **Service Cleanup**: Disable unnecessary services and remove insecure packages
- **Handlers**: SSH restarts via handlers

## Role Variables

See `defaults/main.yml` for all available variables.

### Key Variables

- `cis_level`: CIS hardening level (1 or 2)
- `disable_root_login`: Disable root SSH login (default: true)
- `secure_ssh_config`: Apply SSH security hardening (default: true)
- `firewall_policy`: Firewall default policy (default: deny)
- `ssh_max_auth_tries`: Maximum SSH authentication attempts (default: 3)
- `ssh_client_alive_interval`: SSH client alive interval in seconds (default: 300)
- `ssh_allowed_networks`: Networks allowed SSH access from

### SSH Allowed Networks

Default trusted networks:
- 10.0.0.0/8 (Private Class A)
- 172.16.0.0/12 (Private Class B)
- 192.168.0.0/16 (Private Class C)

## Usage

```yaml
- role: hardening
  vars:
    cis_level: 1
    disable_root_login: true
    ssh_allowed_networks:
      - 10.0.0.0/8
      - 203.0.113.0/24
```

## SSH Configuration Changes

- Root login disabled
- Password authentication disabled
- Maximum auth tries: 3
- Empty passwords prohibited
- Client alive interval: 300 seconds
- Client alive count max: 2

## Tags

- `hardening`: All hardening tasks
- `security`: Security-related tasks
Refactor Ansible playbooks to comply with best practices and fix linting violations 2026-05-03 22:31:04 +00:00			`# Hardening Role`

			`Apply security hardening to enterprise infrastructure nodes following CIS benchmarks.`

			`## Features`

			`- CIS Compliance: Support for CIS hardening levels 1 and 2`
			`- SSH Hardening: Disable root login, password auth, set auth limits`
			`- Firewall Configuration: UFW with configurable rules`
			`- Service Cleanup: Disable unnecessary services and remove insecure packages`
			`- Handlers: SSH restarts via handlers`

			`## Role Variables`

			See `defaults/main.yml` for all available variables.

			`### Key Variables`

			- `cis_level`: CIS hardening level (1 or 2)
			- `disable_root_login`: Disable root SSH login (default: true)
			- `secure_ssh_config`: Apply SSH security hardening (default: true)
			- `firewall_policy`: Firewall default policy (default: deny)
			- `ssh_max_auth_tries`: Maximum SSH authentication attempts (default: 3)
			- `ssh_client_alive_interval`: SSH client alive interval in seconds (default: 300)
			- `ssh_allowed_networks`: Networks allowed SSH access from

			`### SSH Allowed Networks`

			`Default trusted networks:`
			`- 10.0.0.0/8 (Private Class A)`
			`- 172.16.0.0/12 (Private Class B)`
			`- 192.168.0.0/16 (Private Class C)`

			`## Usage`

			```yaml
			`- role: hardening`
			`vars:`
			`cis_level: 1`
			`disable_root_login: true`
			`ssh_allowed_networks:`
			`- 10.0.0.0/8`
			`- 203.0.113.0/24`
			```

			`## SSH Configuration Changes`

			`- Root login disabled`
			`- Password authentication disabled`
			`- Maximum auth tries: 3`
			`- Empty passwords prohibited`
			`- Client alive interval: 300 seconds`
			`- Client alive count max: 2`

			`## Tags`

			- `hardening`: All hardening tasks
			- `security`: Security-related tasks