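---
# Baseline hardening play for every host in the inventory.
# Facts are gathered so ansible_os_family and ansible_date_time are available;
# package installation uses apt and is therefore limited to the Debian family,
# while the remaining tasks run on every host.
- name: Harden Enterprise Infrastructure Nodes
  hosts: all
  become: true
  gather_facts: true

  vars:
    # cis_level and selinux_mode are not consumed by any task in this play;
    # presumably read by tasks/cis_hardening.yml — confirm before relying on them.
    cis_level: 1
    disable_root_login: true
    secure_ssh_config: true
    firewall_policy: deny
    auditd_enabled: true
    selinux_mode: enforcing
    apparmor_enabled: true
    # Debian keeps /etc/shadow and /etc/gshadow as root:shadow 0640; other
    # families use root:root with no group or world access.
    shadow_file_group: "{{ 'shadow' if ansible_os_family == 'Debian' else 'root' }}"
    shadow_file_mode: "{{ '0640' if ansible_os_family == 'Debian' else '0000' }}"
    # Debian ships the daemon as "ssh", most other families as "sshd".
    sshd_service_name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
    # Directives written to sshd_config. Values are quoted so YAML keeps them
    # as strings ("no" would otherwise become a boolean).
    sshd_hardening_directives:
      - { key: PermitRootLogin, value: 'no' }
      - { key: PasswordAuthentication, value: 'no' }
      - { key: MaxAuthTries, value: '3' }
      - { key: PermitEmptyPasswords, value: 'no' }
      - { key: ClientAliveInterval, value: '300' }
      - { key: ClientAliveCountMax, value: '2' }

  tasks:
    - name: Include CIS hardening tasks
      include_tasks: tasks/cis_hardening.yml

    - name: Apply sshd_config hardening directives
      lineinfile:
        path: /etc/ssh/sshd_config
        # Also match the commented-out default so the directive is replaced in
        # place instead of being appended below a trailing "Match" block, where
        # sshd would scope it to that block only.
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: '^Match '
        firstmatch: true
        # Refuse to write a config sshd cannot parse; a broken sshd_config
        # would lock every operator out on the next restart.
        validate: '/usr/sbin/sshd -t -f %s'
      loop: "{{ sshd_hardening_directives }}"
      loop_control:
        label: "{{ item.key }}"
      # The whole set is gated by secure_ssh_config; PermitRootLogin is
      # additionally gated by disable_root_login.
      when:
        - secure_ssh_config
        - item.key != 'PermitRootLogin' or disable_root_login
      # NOTE(review): on hosts whose sshd_config starts with an "Include"
      # directive, drop-in files take precedence over these lines — verify the
      # effective config with "sshd -T".
      notify: restart sshd

    # The ufw module takes one rule per invocation; a "rules" list is not a
    # module parameter and is rejected as unsupported.
    - name: Allow SSH from private address ranges
      ufw:
        rule: allow
        port: '22'
        proto: tcp
        from_ip: "{{ item }}"
      loop:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16

    # Enabled only after the allow rules exist so the management SSH session
    # is never cut off by the default deny policy.
    - name: Enable ufw with the default policy
      ufw:
        state: enabled
        policy: "{{ firewall_policy }}"

    - name: Disable unnecessary services
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop:
        - cups
        - avahi-daemon
        - bluetooth
        - nfs-server
        - rpcbind
      # Best effort: not every unit exists on every host.
      ignore_errors: true

    - name: Remove unnecessary packages
      apt:
        name:
          - telnet
          - rsh-client
          - talk
          - ntalk
        state: absent
        purge: true
      when: ansible_os_family == "Debian"
      # Best effort: a package that was never installed is not a failure.
      ignore_errors: true

    - name: Configure auditd
      when: auditd_enabled
      block:
        - name: Install auditd
          apt:
            name: auditd
            state: present
          when: ansible_os_family == "Debian"

        - name: Configure audit rules
          template:
            src: templates/audit.rules.j2
            dest: /etc/audit/rules.d/hardening.rules
            owner: root
            group: root
            mode: '0640'
          # New rules only take effect once auditd reloads them.
          notify: restart auditd

        - name: Enable auditd service
          service:
            name: auditd
            state: started
            enabled: true

    - name: Configure AppArmor
      when: apparmor_enabled and ansible_os_family == "Debian"
      block:
        - name: Install apparmor
          apt:
            name: apparmor
            state: present

        - name: Enable apparmor service
          service:
            name: apparmor
            state: started
            enabled: true

    - name: Configure sysctl hardening
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { key: net.ipv4.ip_forward, value: '0' }
        - { key: net.ipv4.conf.all.send_redirects, value: '0' }
        - { key: net.ipv4.conf.default.send_redirects, value: '0' }
        - { key: net.ipv4.tcp_syncookies, value: '1' }
        - { key: net.ipv4.icmp_echo_ignore_broadcasts, value: '1' }

    # /etc/passwd and /etc/group are world-readable by design; the hashed
    # password files must never be, so each path carries its own mode/group.
    - name: Set secure file permissions on account databases
      file:
        path: "{{ item.path }}"
        owner: root
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
      loop:
        - { path: /etc/passwd, group: root, mode: '0644' }
        - { path: /etc/group, group: root, mode: '0644' }
        - { path: /etc/shadow, group: "{{ shadow_file_group }}", mode: "{{ shadow_file_mode }}" }
        - { path: /etc/gshadow, group: "{{ shadow_file_group }}", mode: "{{ shadow_file_mode }}" }

    # Runs only when the caller supplies inactive_users. Only the password is
    # locked; key-based logins for these accounts are unaffected.
    - name: Lock inactive user accounts
      command: usermod -L "{{ item }}"
      loop: "{{ inactive_users | default([]) }}"
      ignore_errors: true

    # NOTE(review): this sets a file-descriptor limit, not a password policy;
    # password quality and aging are not configured anywhere in this play.
    - name: Set hard open-file limit for all users
      pam_limits:
        domain: '*'
        limit_type: hard
        limit_item: nofile
        value: 1024

    - name: Generate hardening report
      template:
        src: templates/hardening_report.j2
        dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
        owner: root
        group: root
        mode: '0640'

  handlers:
    - name: restart sshd
      service:
        name: "{{ sshd_service_name }}"
        state: restarted

    - name: restart auditd
      service:
        name: auditd
        state: restarted
      when: auditd_enabled

  post_tasks:
    # A literal block scalar is required here: a folded (>) scalar joins the
    # lines, so the "#" placeholder comment would swallow the rest of the
    # script. Output goes to stdout, which the next task archives, instead of
    # a predictable file name under the world-writable /tmp.
    - name: Run CIS compliance check
      shell: |
        set -euo pipefail
        score=0
        total=0
        echo 'CIS Compliance Check Results:'
        # Add CIS checks here
        echo "Overall Score: ${score}/${total}"
      args:
        executable: /bin/bash
      register: cis_check
      changed_when: false

    - name: Archive CIS results
      copy:
        content: "{{ cis_check.stdout }}"
        dest: "/var/log/cis_compliance_{{ ansible_date_time.iso8601 }}.log"
        owner: root
        group: root
        mode: '0640'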