# Hardening Role

Apply security hardening to enterprise infrastructure nodes following the CIS benchmarks.

## Features

- **CIS Compliance**: Support for CIS hardening levels 1 and 2
- **SSH Hardening**: Disable root login and password authentication, limit authentication attempts, and drop idle sessions
- **Firewall Configuration**: UFW with a configurable default policy and rules
- **Service Cleanup**: Disable unnecessary services and remove insecure packages
- **Handlers**: sshd is restarted through a handler, so it restarts once at the end of the play rather than after every individual change

## Role Variables

See `defaults/main.yml` for all available variables.

### Key Variables

- `cis_level`: CIS hardening level (1 or 2)
- `disable_root_login`: Disable root SSH login (default: true)
- `secure_ssh_config`: Apply SSH security hardening (default: true)
- `firewall_policy`: Firewall default policy (default: deny)
- `ssh_max_auth_tries`: Maximum SSH authentication attempts per connection (default: 3)
- `ssh_client_alive_interval`: SSH client alive interval in seconds (default: 300)
- `ssh_allowed_networks`: Networks from which SSH access is allowed

### SSH Allowed Networks

Default trusted networks (the RFC 1918 private ranges):

- 10.0.0.0/8 (formerly the private class A range)
- 172.16.0.0/12 (formerly the private class B range)
- 192.168.0.0/16 (formerly the private class C range)

Setting `ssh_allowed_networks` replaces this default list rather than extending it, so restate every network that still needs access. The list must include the network the Ansible control node connects from; otherwise the run locks itself out once the firewall rules are applied.

## Usage

```yaml
- role: hardening
  vars:
    cis_level: 1
    disable_root_login: true
    ssh_allowed_networks:
      - 10.0.0.0/8
      - 203.0.113.0/24
```

## SSH Configuration Changes

With `secure_ssh_config: true` the role sets the following in `sshd_config`:

- Root login disabled (`PermitRootLogin no`)
- Password authentication disabled (`PasswordAuthentication no`), so key-based access must already be in place for every account that needs to log in
- Maximum auth tries: 3 (`MaxAuthTries 3`)
- Empty passwords prohibited (`PermitEmptyPasswords no`)
- Client alive interval: 300 seconds (`ClientAliveInterval 300`)
- Client alive count max: 2 (`ClientAliveCountMax 2`), so a session that fails to answer two consecutive keepalives, roughly 10 minutes, is dropped

## Tags

- `hardening`: All hardening tasks
- `security`: Security-related tasks
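The settings listed under "SSH Configuration Changes" are easy to get subtly wrong on a real host: sshd takes the first occurrence of a keyword and ignores later duplicates, a commented-out line silently falls back to the compiled-in default, and anything below a `Match` line is conditional rather than global. The following script is an added example for this README, not code from the role; it parses an `sshd_config` with those rules and reports every global setting that deviates from the values the role applies. The expected values mirror the list above, the fallback values are upstream OpenSSH defaults, and both sample configs are constructed here for illustration.

```python
"""Verify an sshd_config against the settings the hardening role applies.

Added example, not the role's own code.  Parses the way sshd does:
keywords are case-insensitive, the FIRST occurrence of a keyword wins,
and everything after the first 'Match' line is conditional, so it is not
treated as a global setting.  Absent keywords are compared against the
upstream OpenSSH defaults listed below.
"""
import re

# Global values the role should leave behind (see "SSH Configuration Changes").
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "maxauthtries": "3",
    "permitemptypasswords": "no",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
}

# Upstream OpenSSH defaults used when a keyword is absent.  A distro package
# may override these in sshd_config.d, so on a live host check the merged
# configuration (`sshd -T`) rather than only the main file.
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}

# sshd accepts both "Keyword value" and "Keyword=value".
_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out keyword sets nothing)
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "match":
            break  # lines below apply only when the Match criteria hold
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def check_sshd_config(config_text):
    """Return {keyword: (actual, expected)} for every setting that deviates."""
    settings = parse_global_settings(config_text)
    deviations = {}
    for key, expected in EXPECTED.items():
        actual = settings.get(key, OPENSSH_DEFAULTS[key])
        if actual.lower() != expected:
            deviations[key] = (actual, expected)
    return deviations


# Constructed sample: a stock-looking sshd_config before the role runs.
WEAK_SAMPLE = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
ClientAliveInterval 0
"""

# Constructed sample: the global section after the role runs.  The second
# MaxAuthTries is ignored (first wins) and the Match block is conditional.
HARDENED_SAMPLE = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 10
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        for key, (actual, expected) in check_sshd_config(sample).items():
            print(f"{name}: {key} is {actual!r}, expected {expected!r}")
```

Run it against `/etc/ssh/sshd_config` read from a host after the play to confirm the role's changes took effect; an empty result means every global value matches. Note that the weak sample fails `PasswordAuthentication` even though it never mentions a wrong value: the commented-out line leaves the OpenSSH default (`yes`) in force, which is exactly the case a grep for `PasswordAuthentication no` would miss.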
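Because `ssh_allowed_networks` replaces the default list, a typo in an override can widen SSH exposure without any error from the play: `0.0.0.0/0` allows SSH from anywhere, and a host address such as `10.0.0.1/8` may be silently normalised to the whole `/8`. The following is an added example for this README, not the role's own tasks: it validates a candidate `ssh_allowed_networks` list and renders the `ufw` commands that a `firewall_policy` of `deny` plus a per-network SSH allow rule correspond to. The `ssh_port` parameter and the exact command sequence are assumptions for illustration; how the role itself drives UFW is not shown on this page.

```python
"""Validate ssh_allowed_networks and render the UFW rules they imply.

Added example, not code from the role.  Rejects entries that would widen
SSH exposure (catch-all prefixes, host bits set, unparsable values) and
entries already covered by an earlier network, then emits ufw commands for
"default deny incoming, allow SSH from each listed network".
"""
import ipaddress

# The role's defaults (RFC 1918), restated here for the example.
DEFAULT_SSH_ALLOWED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def validate_networks(networks):
    """Return (accepted_networks, errors) for a candidate ssh_allowed_networks list."""
    accepted = []
    errors = []
    for entry in networks:
        try:
            # strict=True refuses 10.0.0.1/8 instead of widening it to 10.0.0.0/8
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
            continue
        if net.prefixlen == 0:
            errors.append(f"{entry}: catch-all prefix would allow SSH from anywhere")
            continue
        covering = [a for a in accepted if a.version == net.version and net.subnet_of(a)]
        if covering:
            errors.append(f"{entry}: already covered by {covering[0]}")
            continue
        accepted.append(net)
    return accepted, errors


def render_ufw_rules(networks, ssh_port=22):
    """Return the ufw command lines for a deny-by-default policy with SSH allowed
    only from the validated networks.  ssh_port is an assumed parameter."""
    accepted, errors = validate_networks(networks)
    if errors:
        raise ValueError("; ".join(errors))
    rules = ["ufw default deny incoming", "ufw default allow outgoing"]
    for net in accepted:
        rules.append(f"ufw allow from {net} to any port {ssh_port} proto tcp")
    # Enable only after the allow rules exist; enabling first would cut the
    # control node's own SSH session under the deny policy.
    rules.append("ufw --force enable")
    return rules


if __name__ == "__main__":
    # Constructed input mirroring the Usage section of this README.
    for line in render_ufw_rules(["10.0.0.0/8", "203.0.113.0/24"]):
        print(line)
    _, problems = validate_networks(["10.0.0.1/8", "0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16"])
    for problem in problems:
        print("rejected:", problem)
```

Use `validate_networks` as a pre-flight check on the variable before the play runs; the overlap rule is advisory (an entry covered by a wider network is harmless to UFW but usually indicates a copy-and-paste mistake), while the catch-all and host-bits rejections are the ones that prevent a lockout or an unintended exposure.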