Update docs for Ansible hardening roles
+9
-2
@@ -16,12 +16,19 @@ flowchart TD
## Scope
- `ansible` - placeholder structure for infrastructure automation and testing.
- `ansible` - infrastructure automation with CIS-inspired hardening roles and playbooks.
- `docs` - supporting technical notes and written documentation.
- `runbooks` - procedural operational guides.
- `scripts` - executable tooling for operations and diagnostics.
## Current Automation
- RHEL 9 CIS-inspired hardening role and playbook.
- Debian 13 / Ubuntu 26.04 CIS-inspired hardening role and playbook.
- IBM AIX 7 CIS-inspired hardening role and playbook.
- Shared sanitized inventory defaults for Linux and AIX examples.
## Notes
- This folder reflects the structure of a production-oriented operations repository.
- Current implementation is strongest in the Bash tooling under `scripts/bash`.
- Current implementation includes Bash operational toolkits and Ansible hardening automation.
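Review bot: the three platform bullets under Current Automation say only "CIS-inspired" and give no benchmark edition or profile, so a reader cannot tell what "RHEL 9 CIS-inspired hardening role and playbook" actually covers or deliberately omits; add the benchmark edition and level each role was mapped against to each bullet, e.g. `- RHEL 9 CIS-inspired hardening role and playbook (mapped against the CIS RHEL 9 Benchmark, Level 1 Server profile).`, and keep that wording consistent with the Hardening Coverage section of the ansible README touched later in this same change.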
@@ -1,6 +1,6 @@
# infra-run/ansible
This directory reserves the Ansible automation area for future infrastructure-as-code content. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests.
This directory contains Ansible automation for infrastructure operations and OS hardening. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests.
## Diagram
@@ -17,13 +17,20 @@ flowchart TD
## Scope
- `collections` - vendored or custom Ansible collections.
- `inventory` - environment inventory definitions and variables.
- `playbooks` - executable playbooks for repeatable operations.
- `roles` - reusable automation roles.
- `collections` - collection requirements for supported automation targets.
- `inventory` - sanitized Linux and AIX inventory examples with shared defaults.
- `playbooks` - executable CIS-inspired hardening playbooks.
- `roles` - reusable hardening roles for supported operating systems.
- `tests` - validation and test harnesses for Ansible content.
## Hardening Coverage
- `cis-rhel9-hardening` - RHEL 9 baseline tasks for packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation.
- `cis-debian-ubuntu-hardening` - Debian 13 and Ubuntu 26.04 baseline tasks for apt packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation.
- `cis-aix7-hardening` - IBM AIX 7 baseline tasks for SSH, sudo, audit, logging, cron, users, password policy, network settings, filesystem controls, services, and validation.
## Notes
- The directory layout is already prepared for growth even where content is still placeholder-only.
- This keeps the repository ready for automation expansion alongside the existing script toolkits.
- Roles are CIS-inspired examples intended for portfolio and lab use, not a drop-in compliance certification.
- Defaults are sanitized and configurable through inventory or `--extra-vars`.
- Run platform-specific playbooks against appropriate test hosts before adapting them to production environments.
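Review bot: the closing Notes tell readers to run against test hosts but never mention a dry run, and these roles change SSH, sudo and sysctl, which are exactly the settings that sever the control path when a sanitized default is wrong for the host; add a bullet recommending `ansible-playbook --check --diff` against the chosen playbook before any real run, plus keeping a second privileged session open while it applies, and say in the Hardening Coverage bullets whether the "validation" tasks fail the play on a non-compliant result or only report it, since the two behaviours call for different run procedures.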
@@ -16,8 +16,15 @@ flowchart TD
- `group_vars` - variables applied at group or environment level.
- `host_vars` - variables tailored to individual nodes.
- `hosts.yml` - sanitized example groups for Linux and AIX hardening targets.
## Current Inventory Shape
- `linux` - local example host for Linux hardening playbooks.
- `aix` - empty sanitized group ready for AIX host definitions.
- `group_vars/all.yml` - shared hardening defaults such as NTP servers, SSH behavior, audit/logging toggles, sysctl hardening, and optional mount management.
## Notes
- The structure is present even though the repository currently keeps this area sanitized and mostly empty.
- This is the natural companion to future playbooks and roles under `infra-run/ansible`.
- Inventory values are intentionally sanitized.
- Override defaults per host, per group, or per run before applying any hardening playbook.
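Review bot: `linux` is described as a "local example host for Linux hardening playbooks", which means the sanitized inventory points the hardening playbooks at the control node itself, and `group_vars/all.yml` carries SSH behavior and sysctl defaults that will be applied to whatever machine runs ansible-playbook; the Notes should warn that running the example unchanged hardens the operator's own workstation, and should list which keys in `group_vars/all.yml` (at least the NTP servers and SSH settings named in this hunk) must be overridden before the inventory is pointed at a real host. The `aix` group is described as empty, so also state that the AIX playbook does nothing until hosts are added, rather than leaving a reader to think it ran cleanly.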
@@ -1,6 +1,6 @@
# infra-run/ansible/playbooks
This directory is intended for executable Ansible playbooks that coordinate roles, inventories, and operational tasks. In the current portfolio state it acts as a prepared entry point for future automation runs.
This directory contains executable Ansible playbooks that coordinate roles, inventories, and operational hardening tasks.
## Diagram
@@ -14,5 +14,7 @@ flowchart TD
## Notes
- Playbooks belong here when the repository expands beyond script-first operations.
- The directory currently contains only placeholder content.
- `cis-rhel9-hardening.yml` applies the RHEL 9 CIS-inspired hardening role to Linux inventory targets.
- `cis-debian-ubuntu-hardening.yml` applies the Debian 13 / Ubuntu 26.04 CIS-inspired hardening role to Linux inventory targets.
- `cis-aix7-hardening.yml` applies the IBM AIX 7 CIS-inspired hardening role to AIX inventory targets.
- Use the sanitized inventory under `../inventory/` as a starting point and override defaults per environment.
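Review bot: `cis-rhel9-hardening.yml` and `cis-debian-ubuntu-hardening.yml` are both described as applying "to Linux inventory targets", and the inventory README in this change defines a single `linux` group, so nothing in the documentation tells a reader what stops the RHEL role from running against a Debian host or the reverse; state whether each playbook guards on `ansible_facts['os_family']` / `ansible_facts['distribution']` or expects separate inventory groups, and name the group each playbook targets in its bullet so the two Linux playbooks are not read as interchangeable.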
@@ -1,6 +1,6 @@
# infra-run/ansible/roles
This folder is reserved for reusable Ansible roles. Roles make it possible to organize configuration logic into predictable, testable units that can be shared across playbooks.
This folder contains reusable Ansible roles. Roles organize configuration logic into predictable, testable units that can be shared across playbooks.
## Diagram
@@ -10,9 +10,18 @@ flowchart TD
A --> C["monitoring"]
A --> D["storage"]
A --> E["security"]
E --> E1["cis-rhel9-hardening"]
E --> E2["cis-debian-ubuntu-hardening"]
E --> E3["cis-aix7-hardening"]
```
## Current Roles
- `cis-rhel9-hardening` - CIS-inspired RHEL 9 baseline with package, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-debian-ubuntu-hardening` - CIS-inspired Debian 13 and Ubuntu 26.04 baseline with apt, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
- `cis-aix7-hardening` - CIS-inspired IBM AIX 7 baseline with SSH, sudo, audit, logging, cron, user, password, network, filesystem, service, and validation tasks.
## Notes
- The role layout is not yet populated, but the structure is in place for future automation modules.
- Keeping a README here documents intent even before role code exists.
- Each role includes defaults, task includes, handlers where needed, and role-specific README guidance.
- The hardening content is sanitized for portfolio use and should be reviewed against site policy before production use.
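Review bot: the diagram nests the three roles under `security`, but Current Roles names them as bare `cis-rhel9-hardening` and so on with no path, so it is unclear whether they live at `roles/cis-rhel9-hardening` or `roles/security/cis-rhel9-hardening`; the two layouts differ in what `roles_path` and the playbooks' `roles:` entries must contain, so give the real directory path in each Current Roles bullet. The Notes also say handlers exist "where needed"; for the SSH tasks, document whether the sshd restart handler validates the rendered config first (`sshd -t`, or the module's `validate:` option), since a restart on a broken sshd_config is the usual way a hardening run locks everyone out of the host.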