Initial CV-aligned infrastructure portfolio

Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability.

Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.

professional-infra/linux-operations-automation/playbooks/hardening.yml

@@ -0,0 +1,124 @@
+---
+- name: Harden Enterprise Infrastructure Nodes
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Validate hardening prerequisites
+      ansible.builtin.assert:
+        that:
+          - ansible_os_family == "Debian"
+          - cis_level in [1, 2]
+        fail_msg: "Invalid hardening configuration"
+
+    - name: Display hardening information
+      ansible.builtin.debug:
+        msg: |
+          Hardening {{ inventory_hostname }}
+          CIS Level: {{ cis_level }}
+          Disable Root Login: {{ disable_root_login }}
+
+  roles:
+    - role: hardening
+      tags: ['hardening', 'security']
+
+  post_tasks:
+    - name: Display hardening summary
+      ansible.builtin.debug:
+        msg: |
+          Hardening completed successfully!
+          Host: {{ inventory_hostname }}
+
+      when: ansible_os_family == "Debian"
+
+    - name: Configure auditd
+      when: auditd_enabled
+      block:
+        - name: Install auditd
+          ansible.builtin.apt:
+            name: auditd
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Configure audit rules
+          ansible.builtin.template:
+            src: templates/audit.rules.j2
+            dest: /etc/audit/rules.d/hardening.rules
+            mode: '0644'
+
+        - name: Enable auditd service
+          ansible.builtin.service:
+            name: auditd
+            state: started
+            enabled: true
+
+    - name: Configure AppArmor
+      when: apparmor_enabled and ansible_os_family == "Debian"
+      block:
+        - name: Install apparmor
+          ansible.builtin.apt:
+            name: apparmor
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Enable apparmor service
+          ansible.builtin.service:
+            name: apparmor
+            state: started
+            enabled: true
+
+    - name: Configure sysctl hardening
+      ansible.posix.sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        state: present
+        reload: true
+      loop:
+        - { key: 'net.ipv4.ip_forward', value: '0' }
+        - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
+        - { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
+        - { key: 'net.ipv4.tcp_syncookies', value: '1' }
+        - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
+
+    - name: Set secure file permissions
+      ansible.builtin.file:
+        path: "{{ item }}"
+        mode: '0644'
+        owner: root
+        group: root
+      loop:
+        - /etc/passwd
+        - /etc/group
+        - /etc/shadow
+        - /etc/gshadow
+
+    - name: Lock inactive user accounts
+      ansible.builtin.command: usermod -L "{{ item }}"
+      loop: "{{ inactive_users | default([]) }}"
+      changed_when: false
+
+    - name: Configure password policies
+      community.general.pam_limits:
+        domain: '*'
+        limit_type: hard
+        limit_item: nofile
+        value: 1024
+
+    - name: Generate hardening report
+      ansible.builtin.template:
+        src: templates/hardening_report.j2
+        dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
+        mode: '0644'
+
+  handlers:
+    - name: restart sshd
+      ansible.builtin.service:
+        name: ssh
+        state: restarted
+
+    - name: restart auditd
+      ansible.builtin.service:
+        name: auditd
+        state: restarted
+      when: auditd_enabled