# Debian And Ubuntu Baseline Hardening Role

This role applies a small, practical set of baseline operational hardening controls for Debian and Ubuntu servers. It is intentionally readable and conservative, and is meant as a starting point for managed environments that still need local review.

## Supported OS

- Debian 13 Trixie
- Ubuntu Server 26.04 LTS

Unsupported distributions and versions fail during precheck, before any hardening task runs.

## Implemented Areas

- SSH daemon hardening through a managed drop-in and final `sshd -t` validation
- Legacy network package removal
- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
- Kernel network sysctl hardening
- Basic audit rule examples, disabled by default
- Sudo `use_pty` and optional sudo logfile configuration
- Logging service checks without replacing existing logging configuration
- Filesystem mount option recommendations, disabled by default

## Safety Philosophy

The defaults are intended to be operationally safe:

- Check mode is supported.
- SSH password authentication remains enabled by default.
- Filesystem mount option management is disabled by default.
- Audit rules are not written unless explicitly enabled.
- Services are enabled only when the matching feature is enabled and the service exists.
- Existing logging configuration is not replaced.

This role does not implement the full CIS benchmark and is not a compliance certification implementation.
## Usage

Run in check mode first:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff
```

Apply the full baseline:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml
```

Run only selected areas:

```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging
```

## Key Variables

```yaml
cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
cis_manage_audit_rules: false
cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3
cis_sudo_use_pty: true
cis_sudo_logfile: /var/log/sudo.log
```

Enable audit rules only after reviewing the examples:

```yaml
cis_manage_audit_rules: true
```

Enable mount option persistence only after reviewing each filesystem target:

```yaml
cis_manage_mount_options: true
```
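As an added example (not part of the role), the shell post-check below compares the effective sshd configuration with what the SSH-related key variables above should produce. It reads `sshd -T` output rather than the drop-in file: sshd keeps the first value it reads for each keyword, and Debian and Ubuntu include `/etc/ssh/sshd_config.d/*.conf` near the top of `sshd_config`, so another drop-in that sorts ahead of the managed one can silently win. The mapping of `cis_disable_root_login` to `PermitRootLogin` and `cis_disable_password_auth` to `PasswordAuthentication` is this example's assumption about the role, and the embedded `sshd -T` excerpt is constructed, not captured from a host.

```shell
#!/bin/sh
# Added post-check example, not part of the role. Compares the effective sshd
# configuration (as printed by `sshd -T`, which resolves drop-ins and keyword
# precedence) against what the role's key variables are expected to produce.
# The variable-to-keyword mapping below is this example's assumption.

# check_effective_sshd FILE key=value [key=value ...]
# FILE holds `sshd -T` output: one "keyword value" line per setting, keywords
# in lower case. Prints every missing or mismatched keyword; returns 0 only
# when every expectation matches exactly.
check_effective_sshd() {
    dump=$1
    shift
    rc=0
    for want in "$@"; do
        key=${want%%=*}
        val=${want#*=}
        # Take everything after the keyword so multi-word values survive.
        have=$(awk -v k="$key" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$dump")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want '$val')"
            rc=1
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH $key: have '$have', want '$val'"
            rc=1
        fi
    done
    return $rc
}

# expected_from_vars DISABLE_ROOT DISABLE_PASSWORD MAX_AUTH_TRIES GRACE INTERVAL COUNT_MAX
# Translates the role's SSH key variables (in README order) into sshd -T
# expectations, one key=value per line. Assumed mapping:
# cis_disable_root_login -> PermitRootLogin, cis_disable_password_auth ->
# PasswordAuthentication; the numeric variables map to the keyword of the same name.
expected_from_vars() {
    if [ "$1" = "true" ]; then root_login=no; else root_login=yes; fi
    if [ "$2" = "true" ]; then pw_auth=no; else pw_auth=yes; fi
    printf '%s\n' \
        "permitrootlogin=$root_login" \
        "passwordauthentication=$pw_auth" \
        "maxauthtries=$3" \
        "logingracetime=$4" \
        "clientaliveinterval=$5" \
        "clientalivecountmax=$6"
}

# write_sample_dump FILE: constructed `sshd -T` excerpt (not captured from a
# host) that reflects the README defaults, so the script can be tried offline.
write_sample_dump() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin no' \
        'passwordauthentication yes' \
        'maxauthtries 4' \
        'logingracetime 60' \
        'clientaliveinterval 300' \
        'clientalivecountmax 3' > "$1"
}

# Usage on a hardened host (sshd -T needs root to load the host keys):
#   sudo sshd -T > /tmp/sshd.effective && sh check-sshd.sh /tmp/sshd.effective
# Without an argument the constructed sample above is checked instead.
dump=${1:-}
if [ -z "$dump" ]; then
    dump=$(mktemp)
    write_sample_dump "$dump"
fi
if check_effective_sshd "$dump" $(expected_from_vars true false 4 60 300 3); then
    echo "sshd postcheck: OK ($dump)"
fi
```

The check is exact-match on purpose: if an environment sets `PermitRootLogin prohibit-password` rather than `no`, or changes any of the numeric variables, pass the matching `key=value` pairs (or call `expected_from_vars` with the values actually used) so the post-check fails on drift instead of silently accepting it.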