Add RHEL 9 CIS-inspired hardening playbook
This commit is contained in:
Mateusz Suski
@@ -0,0 +1,83 @@
|
||||
# CIS-Inspired RHEL 9 Hardening Role
|
||||
|
||||
This role provides a practical, production-style hardening baseline for RHEL 9 and Oracle Linux 9 systems. It is inspired by CIS Benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.
|
||||
|
||||
This is not a full CIS certification implementation.
|
||||
|
||||
## Supported Platforms
|
||||
|
||||
- Red Hat Enterprise Linux 9
|
||||
- Oracle Linux 9
|
||||
|
||||
The role fails safely on unsupported operating systems or unsupported major versions.
|
||||
|
||||
## Implemented Controls
|
||||
|
||||
- SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
|
||||
- Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
|
||||
- Optional installation and enablement of chrony, auditd, and rsyslog.
|
||||
- CIS-inspired IPv4 network sysctl settings.
|
||||
- Service enablement for chronyd, auditd, and rsyslog.
|
||||
- Safe disabling of known legacy services when they are present.
|
||||
- Basic audit backlog and audit rule examples.
|
||||
- Sudo defaults for `use_pty` and a configurable sudo logfile.
|
||||
- Rsyslog service validation and journald configuration presence checks.
|
||||
- Optional filesystem mount option persistence for selected paths.
|
||||
|
||||
## Safety Philosophy
|
||||
|
||||
The defaults are conservative. The role supports Ansible check mode and avoids destructive production behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists configured options without remounting live filesystems.
|
||||
|
||||
Review variables before using this role in production.
|
||||
|
||||
## Common Variables
|
||||
|
||||
```yaml
|
||||
cis_disable_root_login: true
|
||||
cis_disable_password_auth: false
|
||||
cis_install_auditd: true
|
||||
cis_enable_chrony: true
|
||||
cis_enable_rsyslog: true
|
||||
cis_remove_legacy_packages: true
|
||||
cis_enable_sysctl_hardening: true
|
||||
cis_manage_mount_options: false
|
||||
```
|
||||
|
||||
## Check Mode
|
||||
|
||||
Run a full safety preview:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff
|
||||
```
|
||||
|
||||
Run only SSH controls in check mode:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh
|
||||
```
|
||||
|
||||
## Tags
|
||||
|
||||
Useful tags include:
|
||||
|
||||
- `precheck`
|
||||
- `packages`
|
||||
- `ssh`
|
||||
- `sysctl`
|
||||
- `services`
|
||||
- `audit`
|
||||
- `sudo`
|
||||
- `logging`
|
||||
- `filesystem`
|
||||
- `postcheck`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck
|
||||
```
|
||||
|
||||
## Production Rollout Notes
|
||||
|
||||
This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.
|
||||
Reference in New Issue
Block a user