From deb12a0b4f5ef6ff4cd29317bf4eba95d2d6b60c Mon Sep 17 00:00:00 2001 From: Mateusz Suski Date: Wed, 6 May 2026 09:25:43 +0000 Subject: [PATCH] Update docs for Ansible hardening roles --- CHANGELOG.md | 19 +++++++++++++++++++ README.md | 8 ++++++++ infra-run/README.md | 11 +++++++++-- infra-run/ansible/README.md | 21 ++++++++++++++------- infra-run/ansible/inventory/README.md | 11 +++++++++-- infra-run/ansible/playbooks/README.md | 8 +++++--- infra-run/ansible/roles/README.md | 15 ++++++++++++--- 7 files changed, 76 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f541b30..0bbf1da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,24 @@ # Changelog +## [Unreleased] + +### Added + +- CIS-inspired Ansible hardening automation: + - RHEL 9 role and playbook. + - Debian 13 / Ubuntu 26.04 role and playbook. + - IBM AIX 7 role and playbook. +- Shared sanitized Ansible inventory defaults for Linux and AIX examples. +- Role-level task structure covering pre-checks, SSH, sudo, auditing, logging, services, filesystem controls, platform-specific settings, handlers, and post-check validation. + +### Changed + +- Updated repository, `infra-run`, and Ansible README files to describe the new hardening automation instead of placeholder-only Ansible structure. + +### Notes + +- Hardening content is CIS-inspired and intended for portfolio/lab use; production use requires environment-specific review and validation. + ## [Initial Version] ### Added diff --git a/README.md b/README.md index ed774c2..431776c 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ flowchart TD B --> B2["docs"] B --> B3["runbooks"] B --> B4["scripts"] + B1 --> B11["hardening roles"] B4 --> B41["bash"] B4 --> B42["python"] C --> C1["storage"] 
@@ -65,6 +66,12 @@ Veritas VxVM and VCS storage expansion workflow covering new LUN detection, VxVM GPFS / IBM Spectrum Scale filesystem expansion workflow covering cluster validation, candidate disk discovery, NSD stanza planning, NSD creation, filesystem expansion, optional rebalance, post-checks, and change reporting. +### Ansible Hardening Toolkit + +[infra-run/ansible/](./infra-run/ansible/) + +CIS-inspired Ansible automation for repeatable operating system hardening across RHEL 9, Debian 13 / Ubuntu 26.04, and IBM AIX 7 targets. The roles are organized around pre-checks, configurable safeguards, SSH and sudo policy, auditing, logging, services, filesystem controls, platform-specific system settings, handlers, and post-change validation. + ## Repository Structure - `infra-run` - core operational automation, scripts, runbooks, and infrastructure operations examples. @@ -77,6 +84,7 @@ GPFS / IBM Spectrum Scale filesystem expansion workflow covering cluster validat - Pre-check, change, and post-check workflow. - Real-world scenarios, not tutorials. - Minimal but practical tooling. +- Configurable automation with sanitized defaults and explicit overrides. ## Notes diff --git a/infra-run/README.md b/infra-run/README.md index e150f91..3ceb54c 100644 --- a/infra-run/README.md +++ b/infra-run/README.md 
@@ -16,12 +16,19 @@ flowchart TD ## Scope -- `ansible` - placeholder structure for infrastructure automation and testing. +- `ansible` - infrastructure automation with CIS-inspired hardening roles and playbooks. - `docs` - supporting technical notes and written documentation. - `runbooks` - procedural operational guides. - `scripts` - executable tooling for operations and diagnostics. +## Current Automation + +- RHEL 9 CIS-inspired hardening role and playbook. +- Debian 13 / Ubuntu 26.04 CIS-inspired hardening role and playbook. +- IBM AIX 7 CIS-inspired hardening role and playbook. +- Shared sanitized inventory defaults for Linux and AIX examples. + ## Notes - This folder reflects the structure of a production-oriented operations repository. -- Current implementation is strongest in the Bash tooling under `scripts/bash`. +- Current implementation includes Bash operational toolkits and Ansible hardening automation. diff --git a/infra-run/ansible/README.md b/infra-run/ansible/README.md index 895ada9..757c943 100644 --- a/infra-run/ansible/README.md +++ b/infra-run/ansible/README.md @@ -1,6 +1,6 @@ # infra-run/ansible -This directory reserves the Ansible automation area for future infrastructure-as-code content. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests. +This directory contains Ansible automation for infrastructure operations and OS hardening. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests. ## Diagram 
@@ -17,13 +17,20 @@ flowchart TD ## Scope -- `collections` - vendored or custom Ansible collections. -- `inventory` - environment inventory definitions and variables. -- `playbooks` - executable playbooks for repeatable operations. -- `roles` - reusable automation roles. +- `collections` - collection requirements for supported automation targets. +- `inventory` - sanitized Linux and AIX inventory examples with shared defaults. +- `playbooks` - executable CIS-inspired hardening playbooks. +- `roles` - reusable hardening roles for supported operating systems. - `tests` - validation and test harnesses for Ansible content. +## Hardening Coverage + +- `cis-rhel9-hardening` - RHEL 9 baseline tasks for packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation. +- `cis-debian-ubuntu-hardening` - Debian 13 and Ubuntu 26.04 baseline tasks for apt packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation. +- `cis-aix7-hardening` - IBM AIX 7 baseline tasks for SSH, sudo, audit, logging, cron, users, password policy, network settings, filesystem controls, services, and validation. + ## Notes -- The directory layout is already prepared for growth even where content is still placeholder-only. -- This keeps the repository ready for automation expansion alongside the existing script toolkits. +- Roles are CIS-inspired examples intended for portfolio and lab use, not a drop-in compliance certification. +- Defaults are sanitized and configurable through inventory or `--extra-vars`. +- Run platform-specific playbooks against appropriate test hosts before adapting them to production environments. diff --git a/infra-run/ansible/inventory/README.md b/infra-run/ansible/inventory/README.md index d9df4c6..662ef9b 100644 --- a/infra-run/ansible/inventory/README.md +++ b/infra-run/ansible/inventory/README.md 
@@ -16,8 +16,15 @@ flowchart TD - `group_vars` - variables applied at group or environment level. - `host_vars` - variables tailored to individual nodes. +- `hosts.yml` - sanitized example groups for Linux and AIX hardening targets. + +## Current Inventory Shape + +- `linux` - local example host for Linux hardening playbooks. +- `aix` - empty sanitized group ready for AIX host definitions. +- `group_vars/all.yml` - shared hardening defaults such as NTP servers, SSH behavior, audit/logging toggles, sysctl hardening, and optional mount management. ## Notes -- The structure is present even though the repository currently keeps this area sanitized and mostly empty. -- This is the natural companion to future playbooks and roles under `infra-run/ansible`. +- Inventory values are intentionally sanitized. +- Override defaults per host, per group, or per run before applying any hardening playbook. diff --git a/infra-run/ansible/playbooks/README.md b/infra-run/ansible/playbooks/README.md index 9281ecc..9d4f6c9 100644 --- a/infra-run/ansible/playbooks/README.md +++ b/infra-run/ansible/playbooks/README.md @@ -1,6 +1,6 @@ # infra-run/ansible/playbooks -This directory is intended for executable Ansible playbooks that coordinate roles, inventories, and operational tasks. In the current portfolio state it acts as a prepared entry point for future automation runs. +This directory contains executable Ansible playbooks that coordinate roles, inventories, and operational hardening tasks. ## Diagram 
@@ -14,5 +14,7 @@ flowchart TD ## Notes -- Playbooks belong here when the repository expands beyond script-first operations. -- The directory currently contains only placeholder content. +- `cis-rhel9-hardening.yml` applies the RHEL 9 CIS-inspired hardening role to Linux inventory targets. +- `cis-debian-ubuntu-hardening.yml` applies the Debian 13 / Ubuntu 26.04 CIS-inspired hardening role to Linux inventory targets. +- `cis-aix7-hardening.yml` applies the IBM AIX 7 CIS-inspired hardening role to AIX inventory targets. +- Use the sanitized inventory under `../inventory/` as a starting point and override defaults per environment. diff --git a/infra-run/ansible/roles/README.md b/infra-run/ansible/roles/README.md index 9e3c05a..45e9b28 100644 --- a/infra-run/ansible/roles/README.md +++ b/infra-run/ansible/roles/README.md @@ -1,6 +1,6 @@ # infra-run/ansible/roles -This folder is reserved for reusable Ansible roles. Roles make it possible to organize configuration logic into predictable, testable units that can be shared across playbooks. +This folder contains reusable Ansible roles. Roles organize configuration logic into predictable, testable units that can be shared across playbooks. ## Diagram 
@@ -10,9 +10,18 @@ flowchart TD A --> C["monitoring"] A --> D["storage"] A --> E["security"] + E --> E1["cis-rhel9-hardening"] + E --> E2["cis-debian-ubuntu-hardening"] + E --> E3["cis-aix7-hardening"] ``` +## Current Roles + +- `cis-rhel9-hardening` - CIS-inspired RHEL 9 baseline with package, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks. +- `cis-debian-ubuntu-hardening` - CIS-inspired Debian 13 and Ubuntu 26.04 baseline with apt, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks. +- `cis-aix7-hardening` - CIS-inspired IBM AIX 7 baseline with SSH, sudo, audit, logging, cron, user, password, network, filesystem, service, and validation tasks. + ## Notes -- The role layout is not yet populated, but the structure is in place for future automation modules. -- Keeping a README here documents intent even before role code exists. +- Each role includes defaults, task includes, handlers where needed, and role-specific README guidance. +- The hardening content is sanitized for portfolio use and should be reviewed against site policy before production use.
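Review bot: in the `README.md` flowchart hunk, the new edge `B1 --> B11["hardening roles"]` is inserted between `B --> B4["scripts"]` and `B4 --> B41["bash"]`, while the rest of the diagram source groups edges by parent node (`B --> ...`, then `B4 --> ...`, then `C --> ...`). Move the line next to the other `B1` edges so the source stays grouped the way the surrounding block is.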
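Review bot: in the `infra-run/ansible/README.md` Notes hunk, the advice "Run platform-specific playbooks against appropriate test hosts before adapting them to production environments" and the mention of `--extra-vars` overrides are not backed by a single example invocation, so a reader has no documented way to preview what a hardening role would change. Add a dry-run line such as `ansible-playbook -i inventory/hosts.yml playbooks/cis-rhel9-hardening.yml --check --diff` (using the `hosts.yml` this patch documents under `inventory/`) so the SSH, sudo, sysctl and mount changes can be reviewed before they are applied; `--check` and `--diff` are standard `ansible-playbook` flags.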
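Review bot: in the `infra-run/ansible/inventory/README.md` hunk, `linux` is described as a "local example host for Linux hardening playbooks", which means a run that does not override the inventory applies the SSH, sudo, sysctl and "optional mount management" changes from `group_vars/all.yml` to the control node itself. State that consequence explicitly in the Notes (next to "Override defaults per host, per group, or per run"), recommend `--limit` or a dedicated staging group, and say whether mount management and sysctl hardening are disabled by default, since those are the settings a lab user is least likely to expect to land on their own machine.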
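Review bot: in the `infra-run/ansible/playbooks/README.md` Notes hunk, both `cis-rhel9-hardening.yml` and `cis-debian-ubuntu-hardening.yml` are documented as applying "to Linux inventory targets", and the inventory hunk defines a single `linux` group, so nothing in the docs says what happens when the RHEL 9 playbook reaches a Debian host or vice versa. Either document that the pre-checks listed in the CHANGELOG entry assert the expected `ansible_facts['os_family']` / distribution and stop on a mismatch, or recommend separate `rhel` and `debian` groups in the inventory guidance so a wrong-OS run is prevented rather than discovered.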
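Review bot: in the `infra-run/ansible/roles/README.md` "Current Roles" hunk, the three role summaries duplicate the "Hardening Coverage" list in `infra-run/ansible/README.md` and the CHANGELOG entry with already-diverging wording (AIX: "password policy" versus "password"; Linux: "packages" versus "package"; "validation" versus "post-check validation"). Since the same hunk states that each role ships "role-specific README guidance", keep one short sentence per role here and link to the role README as the source of truth, so the three copies cannot drift as tasks are added.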