Update docs for Ansible hardening roles
@@ -1,5 +1,24 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## [Unreleased]
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- CIS-inspired Ansible hardening automation:
|
||||||
|
- RHEL 9 role and playbook.
|
||||||
|
- Debian 13 / Ubuntu 26.04 role and playbook.
|
||||||
|
- IBM AIX 7 role and playbook.
|
||||||
|
- Shared sanitized Ansible inventory defaults for Linux and AIX examples.
|
||||||
|
- Role-level task structure covering pre-checks, SSH, sudo, auditing, logging, services, filesystem controls, platform-specific settings, handlers, and post-check validation.
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Updated repository, `infra-run`, and Ansible README files to describe the new hardening automation instead of placeholder-only Ansible structure.
|
||||||
|
|
||||||
|
### Notes
|
||||||
|
|
||||||
|
- Hardening content is CIS-inspired and intended for portfolio/lab use; production use requires environment-specific review and validation.
|
||||||
|
|
||||||
## [Initial Version]
|
## [Initial Version]
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
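Review bot: the "Role-level task structure covering pre-checks, SSH, sudo, ... handlers, and post-check validation" bullet says nothing about how an SSH or sudo policy change is guarded against locking the operator out; if the handlers restart sshd, the changelog and role docs should state whether the new configuration is validated (for example with `sshd -t`, and `visudo -c` for sudoers) before the restart handler fires. Consider also dating the `[Initial Version]` entry so the `[Unreleased]` block can later be cut into a versioned release.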
|||||||
@@ -13,6 +13,7 @@ flowchart TD
|
|||||||
B --> B2["docs"]
|
B --> B2["docs"]
|
||||||
B --> B3["runbooks"]
|
B --> B3["runbooks"]
|
||||||
B --> B4["scripts"]
|
B --> B4["scripts"]
|
||||||
|
B1 --> B11["hardening roles"]
|
||||||
B4 --> B41["bash"]
|
B4 --> B41["bash"]
|
||||||
B4 --> B42["python"]
|
B4 --> B42["python"]
|
||||||
C --> C1["storage"]
|
C --> C1["storage"]
|
||||||
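Review bot: the added edge `B1 --> B11["hardening roles"]` references node `B1`, which is not declared anywhere in this hunk's visible context (only `B2`, `B3` and `B4` are); confirm `B1` is defined above as the `ansible` node, otherwise Mermaid renders an extra box labelled only "B1".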
@@ -65,6 +66,12 @@ Veritas VxVM and VCS storage expansion workflow covering new LUN detection, VxVM
|
|||||||
|
|
||||||
GPFS / IBM Spectrum Scale filesystem expansion workflow covering cluster validation, candidate disk discovery, NSD stanza planning, NSD creation, filesystem expansion, optional rebalance, post-checks, and change reporting.
|
GPFS / IBM Spectrum Scale filesystem expansion workflow covering cluster validation, candidate disk discovery, NSD stanza planning, NSD creation, filesystem expansion, optional rebalance, post-checks, and change reporting.
|
||||||
|
|
||||||
|
### Ansible Hardening Toolkit
|
||||||
|
|
||||||
|
[infra-run/ansible/](./infra-run/ansible/)
|
||||||
|
|
||||||
|
CIS-inspired Ansible automation for repeatable operating system hardening across RHEL 9, Debian 13 / Ubuntu 26.04, and IBM AIX 7 targets. The roles are organized around pre-checks, configurable safeguards, SSH and sudo policy, auditing, logging, services, filesystem controls, platform-specific system settings, handlers, and post-change validation.
|
||||||
|
|
||||||
## Repository Structure
|
## Repository Structure
|
||||||
|
|
||||||
- `infra-run` - core operational automation, scripts, runbooks, and infrastructure operations examples.
|
- `infra-run` - core operational automation, scripts, runbooks, and infrastructure operations examples.
|
||||||
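Review bot: the new "Ansible Hardening Toolkit" paragraph calls the roles "CIS-inspired" without saying which benchmark versions or profile level they draw from, or which controls are deliberately left out; a reader doing a gap analysis needs that, so add one sentence naming the benchmark baseline and stating that the roles are not a compliance attestation.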
@@ -77,6 +84,7 @@ GPFS / IBM Spectrum Scale filesystem expansion workflow covering cluster validat
|
|||||||
- Pre-check, change, and post-check workflow.
|
- Pre-check, change, and post-check workflow.
|
||||||
- Real-world scenarios, not tutorials.
|
- Real-world scenarios, not tutorials.
|
||||||
- Minimal but practical tooling.
|
- Minimal but practical tooling.
|
||||||
|
- Configurable automation with sanitized defaults and explicit overrides.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
|
|||||||
+9
-2
@@ -16,12 +16,19 @@ flowchart TD
|
|||||||
|
|
||||||
## Scope
|
## Scope
|
||||||
|
|
||||||
- `ansible` - placeholder structure for infrastructure automation and testing.
|
- `ansible` - infrastructure automation with CIS-inspired hardening roles and playbooks.
|
||||||
- `docs` - supporting technical notes and written documentation.
|
- `docs` - supporting technical notes and written documentation.
|
||||||
- `runbooks` - procedural operational guides.
|
- `runbooks` - procedural operational guides.
|
||||||
- `scripts` - executable tooling for operations and diagnostics.
|
- `scripts` - executable tooling for operations and diagnostics.
|
||||||
|
|
||||||
|
## Current Automation
|
||||||
|
|
||||||
|
- RHEL 9 CIS-inspired hardening role and playbook.
|
||||||
|
- Debian 13 / Ubuntu 26.04 CIS-inspired hardening role and playbook.
|
||||||
|
- IBM AIX 7 CIS-inspired hardening role and playbook.
|
||||||
|
- Shared sanitized inventory defaults for Linux and AIX examples.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- This folder reflects the structure of a production-oriented operations repository.
|
- This folder reflects the structure of a production-oriented operations repository.
|
||||||
- Current implementation is strongest in the Bash tooling under `scripts/bash`.
|
- Current implementation includes Bash operational toolkits and Ansible hardening automation.
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# infra-run/ansible
|
# infra-run/ansible
|
||||||
|
|
||||||
This directory reserves the Ansible automation area for future infrastructure-as-code content. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests.
|
This directory contains Ansible automation for infrastructure operations and OS hardening. It is organized around the standard separation of inventory, roles, playbooks, collections, and tests.
|
||||||
|
|
||||||
## Diagram
|
## Diagram
|
||||||
|
|
||||||
@@ -17,13 +17,20 @@ flowchart TD
|
|||||||
|
|
||||||
## Scope
|
## Scope
|
||||||
|
|
||||||
- `collections` - vendored or custom Ansible collections.
|
- `collections` - collection requirements for supported automation targets.
|
||||||
- `inventory` - environment inventory definitions and variables.
|
- `inventory` - sanitized Linux and AIX inventory examples with shared defaults.
|
||||||
- `playbooks` - executable playbooks for repeatable operations.
|
- `playbooks` - executable CIS-inspired hardening playbooks.
|
||||||
- `roles` - reusable automation roles.
|
- `roles` - reusable hardening roles for supported operating systems.
|
||||||
- `tests` - validation and test harnesses for Ansible content.
|
- `tests` - validation and test harnesses for Ansible content.
|
||||||
|
|
||||||
|
## Hardening Coverage
|
||||||
|
|
||||||
|
- `cis-rhel9-hardening` - RHEL 9 baseline tasks for packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation.
|
||||||
|
- `cis-debian-ubuntu-hardening` - Debian 13 and Ubuntu 26.04 baseline tasks for apt packages, services, SSH, sudo, sysctl, auditing, logging, filesystem controls, and validation.
|
||||||
|
- `cis-aix7-hardening` - IBM AIX 7 baseline tasks for SSH, sudo, audit, logging, cron, users, password policy, network settings, filesystem controls, services, and validation.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- The directory layout is already prepared for growth even where content is still placeholder-only.
|
- Roles are CIS-inspired examples intended for portfolio and lab use, not a drop-in compliance certification.
|
||||||
- This keeps the repository ready for automation expansion alongside the existing script toolkits.
|
- Defaults are sanitized and configurable through inventory or `--extra-vars`.
|
||||||
|
- Run platform-specific playbooks against appropriate test hosts before adapting them to production environments.
|
||||||
|
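Review bot: the `collections` bullet now says "collection requirements" but does not name the requirements file or the install step, so a first-time user cannot tell what to run before the playbooks; document the file and the `ansible-galaxy collection install -r <file>` command. In the Notes, the advice to run against test hosts first should also recommend a dry run with `ansible-playbook --check --diff`, since sysctl, SSH and sudo changes are far easier to review as a diff than to roll back afterwards.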
|||||||
@@ -16,8 +16,15 @@ flowchart TD
|
|||||||
|
|
||||||
- `group_vars` - variables applied at group or environment level.
|
- `group_vars` - variables applied at group or environment level.
|
||||||
- `host_vars` - variables tailored to individual nodes.
|
- `host_vars` - variables tailored to individual nodes.
|
||||||
|
- `hosts.yml` - sanitized example groups for Linux and AIX hardening targets.
|
||||||
|
|
||||||
|
## Current Inventory Shape
|
||||||
|
|
||||||
|
- `linux` - local example host for Linux hardening playbooks.
|
||||||
|
- `aix` - empty sanitized group ready for AIX host definitions.
|
||||||
|
- `group_vars/all.yml` - shared hardening defaults such as NTP servers, SSH behavior, audit/logging toggles, sysctl hardening, and optional mount management.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- The structure is present even though the repository currently keeps this area sanitized and mostly empty.
|
- Inventory values are intentionally sanitized.
|
||||||
- This is the natural companion to future playbooks and roles under `infra-run/ansible`.
|
- Override defaults per host, per group, or per run before applying any hardening playbook.
|
||||||
|
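Review bot: the `linux` group is described as a "local example host", which reads as the control node itself; if `hosts.yml` points that group at localhost, anyone who runs a hardening playbook without overriding the inventory will change SSH, sudo and sysctl settings on their own workstation. State this explicitly in the Notes, recommend `--limit` or an inventory override before any run, and consider naming the entry so its placeholder nature is obvious.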
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# infra-run/ansible/playbooks
|
# infra-run/ansible/playbooks
|
||||||
|
|
||||||
This directory is intended for executable Ansible playbooks that coordinate roles, inventories, and operational tasks. In the current portfolio state it acts as a prepared entry point for future automation runs.
|
This directory contains executable Ansible playbooks that coordinate roles, inventories, and operational hardening tasks.
|
||||||
|
|
||||||
## Diagram
|
## Diagram
|
||||||
|
|
||||||
@@ -14,5 +14,7 @@ flowchart TD
|
|||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- Playbooks belong here when the repository expands beyond script-first operations.
|
- `cis-rhel9-hardening.yml` applies the RHEL 9 CIS-inspired hardening role to Linux inventory targets.
|
||||||
- The directory currently contains only placeholder content.
|
- `cis-debian-ubuntu-hardening.yml` applies the Debian 13 / Ubuntu 26.04 CIS-inspired hardening role to Linux inventory targets.
|
||||||
|
- `cis-aix7-hardening.yml` applies the IBM AIX 7 CIS-inspired hardening role to AIX inventory targets.
|
||||||
|
- Use the sanitized inventory under `../inventory/` as a starting point and override defaults per environment.
|
||||||
|
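Review bot: both `cis-rhel9-hardening.yml` and `cis-debian-ubuntu-hardening.yml` are documented as applying to the same "Linux inventory targets", so nothing in the README prevents running the RHEL playbook against a Debian host or the reverse; say whether the roles' pre-checks assert on `ansible_os_family` / `ansible_distribution` and fail fast on a mismatch, or split the inventory into per-distribution groups.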
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# infra-run/ansible/roles
|
# infra-run/ansible/roles
|
||||||
|
|
||||||
This folder is reserved for reusable Ansible roles. Roles make it possible to organize configuration logic into predictable, testable units that can be shared across playbooks.
|
This folder contains reusable Ansible roles. Roles organize configuration logic into predictable, testable units that can be shared across playbooks.
|
||||||
|
|
||||||
## Diagram
|
## Diagram
|
||||||
|
|
||||||
@@ -10,9 +10,18 @@ flowchart TD
|
|||||||
A --> C["monitoring"]
|
A --> C["monitoring"]
|
||||||
A --> D["storage"]
|
A --> D["storage"]
|
||||||
A --> E["security"]
|
A --> E["security"]
|
||||||
|
E --> E1["cis-rhel9-hardening"]
|
||||||
|
E --> E2["cis-debian-ubuntu-hardening"]
|
||||||
|
E --> E3["cis-aix7-hardening"]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Current Roles
|
||||||
|
|
||||||
|
- `cis-rhel9-hardening` - CIS-inspired RHEL 9 baseline with package, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
|
||||||
|
- `cis-debian-ubuntu-hardening` - CIS-inspired Debian 13 and Ubuntu 26.04 baseline with apt, service, SSH, sudo, sysctl, audit, logging, filesystem, and validation tasks.
|
||||||
|
- `cis-aix7-hardening` - CIS-inspired IBM AIX 7 baseline with SSH, sudo, audit, logging, cron, user, password, network, filesystem, service, and validation tasks.
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
- The role layout is not yet populated, but the structure is in place for future automation modules.
|
- Each role includes defaults, task includes, handlers where needed, and role-specific README guidance.
|
||||||
- Keeping a README here documents intent even before role code exists.
|
- The hardening content is sanitized for portfolio use and should be reviewed against site policy before production use.
|
||||||
|
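Review bot: the diagram nests the three roles under `E["security"]`, implying a `roles/security/<role>` path, while the "Current Roles" list and the playbooks refer to them by bare role name; confirm the actual directory layout and either flatten the diagram or document the `roles_path` needed to resolve them. "Handlers where needed" also leaves open which handlers restart sshd or reload sysctl and auditd; list them per role so reviewers know which tasks are service-disruptive.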
|||||||