@@ -17,11 +17,11 @@ flowchart TD

## Current Roles

- `cis-rhel9-hardening` - CIS-inspired RHEL 9 baseline with package, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-debian-ubuntu-hardening` - CIS-inspired Debian 13 and Ubuntu 26.04 baseline with apt, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-aix7-hardening` - CIS-inspired IBM AIX 7 baseline with SSH, sudo, audit, logging, cron, user, password, network, filesystem, service, and validation tasks.
- `cis-rhel9-hardening` - RHEL 9 baseline example with package, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-debian-ubuntu-hardening` - Debian 13 and Ubuntu 26.04 baseline example with apt, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-aix7-hardening` - IBM AIX 7 baseline example with SSH, sudo, audit, logging, cron, user, password, network, filesystem, service, and validation tasks.

## Notes

- Each role includes defaults, task includes, handlers where needed, and role-specific README guidance.
- The hardening content is sanitized for portfolio use and should be reviewed against site policy before production use.
- The hardening content is sanitized for portfolio use and should be reviewed against site policy before live use.

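Review bot: the three role bullets drop "CIS-inspired" from the descriptions, but the role names keep the `cis-` prefix and the variables touched elsewhere in this commit (`cis_manage_mount_options`, `cis_ssh_dropin_path`, `cis_validation_summary`) keep the `cis_` prefix; a one-line entry under "## Notes" saying that the naming reflects the benchmark the controls are adapted from would keep the README consistent with the code a reader will open next.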
@@ -1,10 +1,10 @@
# cis-aix7-hardening

Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common enterprise Unix security practices.
Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common Unix security practices.

Reference: https://www.cisecurity.org/benchmark/aix

This role is intended for infrastructure and security operations teams that manage production AIX estates. It favors readable, conservative controls over broad benchmark coverage.
This role is intended for infrastructure and security operations teams that manage AIX estates. It favors readable, conservative controls over broad benchmark coverage.

## Supported OS

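Review bot: the new first sentence still reads "inspired by CIS Benchmark 1.2.0" and keeps the cisecurity.org reference while the Debian and RHEL READMEs in this same commit remove the benchmark name; either convention is fine, but use one across the three roles so this README does not look like it was missed in the rename.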
@@ -27,7 +27,7 @@ This role is intended for infrastructure and security operations teams that mana

AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as `lssrc`, `startsrc`, `stopsrc`, and `refresh`.

AIX environments vary heavily between enterprises. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before production rollout.
AIX environments vary heavily between environments. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before managed rollout.

## Safety Philosophy

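Review bot: the replacement sentence "AIX environments vary heavily between environments" is circular; keep the original "between enterprises" or use "between organizations". The rest of the hunk is wording only.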
@@ -64,4 +64,4 @@ ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_aud

## Important Warning

This is not a full CIS certification implementation and does not implement the entire CIS AIX benchmark. It is a practical CIS-inspired baseline that should be reviewed by infrastructure, security, and application owners before production enforcement.
This is not a full compliance certification implementation and does not implement the entire CIS AIX benchmark. It is a practical baseline example that should be reviewed by infrastructure, security, and application owners before managed enforcement.

@@ -18,7 +18,7 @@
ansible.builtin.debug:
msg: >-
OK: Mount option management is disabled by default.
Review target {{ item.path }} for options {{ item.options | join(', ') }} before production rollout.
Review target {{ item.path }} for options {{ item.options | join(', ') }} before managed rollout.
loop: "{{ cis_mount_option_targets }}"
when: not cis_manage_mount_options | bool


@@ -54,5 +54,5 @@
if cis_aix_post_sshd.rc == 0 else 'CRITICAL: sshd validation failed; review SSH config before restarting sessions.' }}
- "OK: Service states: {{ cis_aix_validation_summary.service_states }}"
- "OK: Password policy summary: {{ cis_aix_validation_summary.password_policy }}"
- "WARNING: This role is CIS-inspired and does not represent a complete CIS certification implementation."
- "WARNING: This role is selected baseline and does not represent a complete compliance certification implementation."
- "{{ cis_aix_validation_summary.recommendations }}"

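Review bot: the new WARNING string is missing an article: "This role is selected baseline" should read "This role is a selected baseline" (or "a selected-control baseline"). This line is part of the validation summary, so the typo will appear in the output of every run.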
@@ -1,6 +1,6 @@
# CIS-Inspired Debian and Ubuntu Hardening
# Debian And Ubuntu Baseline Hardening Role

This role applies a small, practical set of CIS-inspired operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for production environments that still need local review.
This role applies a small, practical set of selected baseline operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for managed environments that still need local review.

## Supported OS

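Review bot: the new title capitalizes the conjunction ("Debian And Ubuntu Baseline Hardening Role"); standard title case is "Debian and Ubuntu Baseline Hardening Role", which also matches the "RHEL 9 Baseline Hardening Role" heading introduced in the same commit.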
@@ -11,7 +11,7 @@ Unsupported distributions and versions fail during precheck before hardening tas

## Implemented Areas

- SSH daemon hardening with a validated drop-in configuration
- SSH daemon hardening through a managed drop-in and final `sshd -t` validation
- Legacy network package removal
- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
- Kernel network sysctl hardening
@@ -31,7 +31,7 @@ The defaults are intended to be operationally safe:
- Services are enabled only when the matching feature is enabled and the service exists.
- Existing logging configuration is not replaced.

This role does not implement the full CIS benchmark and is not a CIS certification implementation.
This role does not implement the full CIS benchmark and is not a compliance certification implementation.

## Usage


@@ -37,12 +37,16 @@
ansible.builtin.set_fact:
cis_package_validation_summary:
legacy_absent: "{{ cis_legacy_packages | difference(ansible_facts.packages.keys() | list) }}"
hardening_present: "{{ (cis_enabled_hardening_packages | default(cis_hardening_packages)) | intersect(ansible_facts.packages.keys() | list) }}"
hardening_present: >-
{{ (cis_enabled_hardening_packages | default(cis_hardening_packages))
| intersect(ansible_facts.packages.keys() | list) }}
audit_present: "{{ cis_audit_packages | intersect(ansible_facts.packages.keys() | list) }}"

- name: Build sysctl validation summary
ansible.builtin.set_fact:
cis_sysctl_validation_summary: "{{ cis_sysctl_validation_summary | default({}) | combine({item.item.key: item.stdout | default('unreadable')}) }}"
cis_sysctl_validation_summary: >-
{{ cis_sysctl_validation_summary | default({})
| combine({item.item.key: item.stdout | default('unreadable')}) }}
loop: "{{ cis_sysctl_validation.results | default([]) }}"
loop_control:
label: "{{ item.item.key }}"
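Review bot: in "Build sysctl validation summary", `item.stdout | default('unreadable')` only fires when `stdout` is undefined (a skipped loop item); a read that ran and failed still has a defined, empty `stdout`, so the summary records an empty string instead of 'unreadable'. If the registered results come from a command task, keying on the result code is more honest, e.g. `item.stdout if item.rc | default(1) == 0 else 'unreadable'`. The folded-scalar rewrap of the `hardening_present` and summary expressions is behaviour-neutral, since `>-` joins the continuation lines with single spaces inside the Jinja expression.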
@@ -65,7 +69,7 @@
- name: Publish validation summary
ansible.builtin.set_fact:
cis_validation_summary:
benchmark: "CIS-inspired controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
benchmark: "selected controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
services: "{{ cis_service_state_summary }}"
packages: "{{ cis_package_validation_summary }}"

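Review bot: the `benchmark:` key now holds "selected controls for ..." so the key name no longer describes its value; consider renaming it to `scope` (and updating any consumer of `cis_validation_summary.benchmark`) rather than leaving a key that promises a benchmark reference the value no longer gives.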
@@ -33,7 +33,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitRootLogin\s+'
line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
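Review bot: the hunk header shrinks this block from 7 to 6 lines, and with `validate: sshd -t -f %s` present the line being dropped is presumably the `validate ssh` notify entry; keep in mind that `sshd -t -f %s` checks the temporary drop-in as a standalone file, not the merged configuration sshd will actually load, so the final `sshd -t` on the full config that the README describes must still run before `restart ssh` fires. The same applies to the six sibling hunks below that edit the other drop-in directives.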
@@ -43,7 +42,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitEmptyPasswords\s+'
line: "PermitEmptyPasswords no"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -53,7 +51,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PasswordAuthentication\s+'
line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -63,7 +60,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^MaxAuthTries\s+'
line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -73,7 +69,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^LoginGraceTime\s+'
line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -83,7 +78,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveInterval\s+'
line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh
@@ -93,7 +87,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveCountMax\s+'
line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
validate: sshd -t -f %s
notify:
- validate ssh
- restart ssh

@@ -1,5 +1,5 @@
---
- name: Apply CIS-inspired sysctl settings
- name: Apply selected sysctl settings
ansible.posix.sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"

@@ -1,8 +1,8 @@
# CIS-Inspired RHEL 9 Hardening Role
# RHEL 9 Baseline Hardening Role

This role provides a practical, production-style hardening baseline for RHEL 9 and Oracle Linux 9 systems. It is inspired by CIS Benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.
This role provides a practical, baseline hardening example for RHEL 9 and Oracle Linux 9 systems. It is inspired by hardening benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.

This is not a full CIS certification implementation.
This is not a full compliance certification implementation.

## Supported Platforms

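Review bot: after "CIS" is removed from the second sentence, "inspired by hardening benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0" leaves "version 2.0.0" without a referent, since the version belongs to the benchmark rather than to RHEL 9. Either keep the benchmark name, as the AIX README in this commit does, or drop the version number.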
@@ -16,7 +16,7 @@ The role fails safely on unsupported operating systems or unsupported major vers
- SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
- Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
- Optional installation and enablement of chrony, auditd, and rsyslog.
- CIS-inspired IPv4 network sysctl settings.
- Selected IPv4 network sysctl settings.
- Service enablement for chronyd, auditd, and rsyslog.
- Safe disabling of known legacy services when they are present.
- Basic audit backlog and audit rule examples.
@@ -26,9 +26,9 @@ The role fails safely on unsupported operating systems or unsupported major vers

## Safety Philosophy

The defaults are conservative. The role supports Ansible check mode and avoids destructive production behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists configured options without remounting live filesystems.
The defaults are conservative. The role supports Ansible check mode and avoids destructive live-system behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists configured options without remounting live filesystems.

Review variables before using this role in production.
Review variables before adapting this role to managed hosts.

## Common Variables

@@ -78,6 +78,6 @@ Example:
ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck
```

## Production Rollout Notes
## Rollout Notes

This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.

@@ -28,7 +28,9 @@

- name: Build sysctl validation summary
ansible.builtin.set_fact:
cis_sysctl_validation_summary: "{{ cis_sysctl_validation_summary | default({}) | combine({item.item.key: item.stdout | default('unreadable')}) }}"
cis_sysctl_validation_summary: >-
{{ cis_sysctl_validation_summary | default({})
| combine({item.item.key: item.stdout | default('unreadable')}) }}
loop: "{{ cis_sysctl_validation.results | default([]) }}"
loop_control:
label: "{{ item.item.key }}"

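Review bot: same caveat as the Debian "Build sysctl validation summary" task: `default('unreadable')` covers only an undefined `stdout`, not a read that ran and failed with empty output, so consider keying the fallback on the result code here as well.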
@@ -22,7 +22,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitRootLogin\s+'
line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
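Review bot: the RHEL role notifies `reload sshd` while the Debian role notifies `restart ssh` for the identical drop-in edits; a reload picks up the new directives without dropping established sessions, so aligning both roles on reload would be the safer default. The standalone-file caveat for `validate: sshd -t -f %s` noted on the Debian hunk applies here too: it does not exercise the merged configuration, so a full `sshd -t` should still gate the reload.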
@@ -32,7 +31,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PermitEmptyPasswords\s+'
line: "PermitEmptyPasswords no"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
@@ -42,7 +40,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^PasswordAuthentication\s+'
line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
@@ -52,7 +49,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^MaxAuthTries\s+'
line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
@@ -62,7 +58,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^LoginGraceTime\s+'
line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
@@ -72,7 +67,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveInterval\s+'
line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd
@@ -82,7 +76,6 @@
path: "{{ cis_ssh_dropin_path }}"
regexp: '^ClientAliveCountMax\s+'
line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
validate: sshd -t -f %s
notify:
- validate sshd
- reload sshd

@@ -1,5 +1,5 @@
---
- name: Apply CIS-inspired sysctl settings
- name: Apply selected sysctl settings
ansible.posix.sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
