Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-debian-ubuntu-hardening/README.md

@@ -0,0 +1,90 @@
+# CIS-Inspired Debian and Ubuntu Hardening
+
+This role applies a small, practical set of CIS-inspired operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for production environments that still need local review.
+
+## Supported OS
+
+- Debian 13 Trixie
+- Ubuntu Server 26.04 LTS
+
+Unsupported distributions and versions fail during precheck before hardening tasks run.
+
+## Implemented Areas
+
+- SSH daemon hardening with a validated drop-in configuration
+- Legacy network package removal
+- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
+- Kernel network sysctl hardening
+- Basic audit rule examples, disabled by default
+- Sudo `use_pty` and optional sudo logfile configuration
+- Logging service checks without replacing existing logging configuration
+- Filesystem mount option recommendations, disabled by default
+
+## Safety Philosophy
+
+The defaults are intended to be operationally safe:
+
+- Check mode is supported.
+- SSH password authentication remains enabled by default.
+- Filesystem mount option management is disabled by default.
+- Audit rules are not written unless explicitly enabled.
+- Services are enabled only when the matching feature is enabled and the service exists.
+- Existing logging configuration is not replaced.
+
+This role does not implement the full CIS benchmark and is not a CIS certification implementation.
+
+## Usage
+
+Run in check mode first:
+
+```bash
+ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff
+```
+
+Apply the full baseline:
+
+```bash
+ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml
+```
+
+Run only selected areas:
+
+```bash
+ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
+ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
+ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging
+```
+
+## Key Variables
+
+```yaml
+cis_disable_root_login: true
+cis_disable_password_auth: false
+cis_install_auditd: true
+cis_enable_chrony: true
+cis_enable_rsyslog: true
+cis_remove_legacy_packages: true
+cis_enable_sysctl_hardening: true
+cis_manage_mount_options: false
+cis_manage_audit_rules: false
+
+cis_ssh_max_auth_tries: 4
+cis_ssh_login_grace_time: 60
+cis_ssh_client_alive_interval: 300
+cis_ssh_client_alive_count_max: 3
+
+cis_sudo_use_pty: true
+cis_sudo_logfile: /var/log/sudo.log
+```
+
+Enable audit rules only after reviewing the examples:
+
+```yaml
+cis_manage_audit_rules: true
+```
+
+Enable mount option persistence only after reviewing each filesystem target:
+
+```yaml
+cis_manage_mount_options: true
+```