mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

Browse Source
This commit is contained in:
Mateusz Suski
2026-05-06 08:56:45 +00:00
parent 75a11f7650
commit 2fd9c0b5ef
15 changed files with 778 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/postcheck.yml
+101
View File
@@ -0,0 +1,101 @@
---
- name: Validate ssh effective configuration syntax
ansible.builtin.command: sshd -t
register: cis_sshd_validate
changed_when: false
check_mode: false
- name: Read sysctl values for validation
ansible.builtin.command: "sysctl -n {{ item.key }}"
loop: "{{ cis_sysctl_settings | dict2items }}"
loop_control:
label: "{{ item.key }}"
register: cis_sysctl_validation
changed_when: false
failed_when: false
check_mode: false
when:
- cis_enable_sysctl_hardening | bool
- not cis_container_detected | default(false) | bool
- name: Gather installed package facts
ansible.builtin.package_facts:
manager: auto
- name: Gather final service facts
ansible.builtin.service_facts:
- name: Build service state summary
ansible.builtin.set_fact:
cis_service_state_summary:
ssh: "{{ ansible_facts.services['ssh.service'].state | default('not-found') }}"
chrony: "{{ ansible_facts.services['chrony.service'].state | default('not-found') }}"
auditd: "{{ ansible_facts.services['auditd.service'].state | default('not-found') }}"
rsyslog: "{{ ansible_facts.services['rsyslog.service'].state | default('not-found') }}"
- name: Build package validation summary
ansible.builtin.set_fact:
cis_package_validation_summary:
legacy_absent: "{{ cis_legacy_packages | difference(ansible_facts.packages.keys() | list) }}"
hardening_present: "{{ (cis_enabled_hardening_packages | default(cis_hardening_packages)) | intersect(ansible_facts.packages.keys() | list) }}"
audit_present: "{{ cis_audit_packages | intersect(ansible_facts.packages.keys() | list) }}"
- name: Build sysctl validation summary
ansible.builtin.set_fact:
cis_sysctl_validation_summary: "{{ cis_sysctl_validation_summary | default({}) | combine({item.item.key: item.stdout | default('unreadable')}) }}"
loop: "{{ cis_sysctl_validation.results | default([]) }}"
loop_control:
label: "{{ item.item.key }}"
when:
- cis_enable_sysctl_hardening | bool
- not cis_container_detected | default(false) | bool
- name: Build mount option change summary
ansible.builtin.set_fact:
cis_mount_option_summary: >-
{{
cis_mount_option_results.results
| default([])
| selectattr('changed', 'defined')
| selectattr('changed')
| map(attribute='item.path')
| list
}}
- name: Publish validation summary
ansible.builtin.set_fact:
cis_validation_summary:
benchmark: "CIS-inspired controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
services: "{{ cis_service_state_summary }}"
packages: "{{ cis_package_validation_summary }}"
sysctl: "{{ cis_sysctl_validation_summary | default({}) }}"
mount_option_updates: "{{ cis_mount_option_summary | default([]) }}"
audit_rules_managed: "{{ cis_manage_audit_rules | bool }}"
applied_controls:
- ssh
- packages
- sysctl
- services
- audit
- sudo
- logging
- filesystem
- name: Show service states
ansible.builtin.debug:
var: cis_service_state_summary
- name: Show package validation
ansible.builtin.debug:
var: cis_package_validation_summary
- name: Show changed mount options
ansible.builtin.debug:
msg: >-
{{ cis_mount_option_summary | default([]) if cis_mount_option_summary | default([]) | length > 0
else 'OK: No mount option changes were applied.' }}
- name: Show applied control summary
ansible.builtin.debug:
var: cis_validation_summary