# CIS-Inspired RHEL 9 Hardening Role

This role provides a practical, production-style hardening baseline for RHEL 9 and Oracle Linux 9 systems. It is inspired by the CIS Benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to the common operational controls that infrastructure and security operations teams frequently automate. It is not a full CIS certification implementation.

## Supported Platforms

- Red Hat Enterprise Linux 9
- Oracle Linux 9

The role fails safely on unsupported operating systems or unsupported major versions.

## Implemented Controls

- SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
- Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
- Optional installation and enablement of chrony, auditd, and rsyslog.
- CIS-inspired IPv4 network sysctl settings.
- Service enablement for chronyd, auditd, and rsyslog.
- Safe disabling of known legacy services when they are present.
- Basic audit backlog and audit rule examples.
- Sudo defaults for `use_pty` and a configurable sudo logfile.
- Rsyslog service validation and journald configuration presence checks.
- Optional filesystem mount option persistence for selected paths.

## Safety Philosophy

The defaults are conservative. The role supports Ansible check mode and avoids destructive production behavior by default. Filesystem mount option management is disabled unless `cis_manage_mount_options` is explicitly enabled, and even then the role persists the configured options without remounting live filesystems. Review the variables before using this role in production.
## Common Variables

```yaml
cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
```

## Check Mode

Run a full safety preview:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff
```

Run only the SSH controls in check mode:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh
```

## Tags

Useful tags include:

- `precheck`
- `packages`
- `ssh`
- `sysctl`
- `services`
- `audit`
- `sudo`
- `logging`
- `filesystem`
- `postcheck`

Example:

```bash
ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck
```

## Production Rollout Notes

This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.
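## Example: SSH Control Tasks

The tasks below are an added illustration of how the SSH controls and the `postcheck` step can be implemented safely; they are not the role's own task files. They use the role's `cis_disable_root_login` and `cis_disable_password_auth` variables, while the `cis_ssh_*` variable names, their default values, the drop-in file name and the `Restart sshd` handler are assumptions.

```yaml
# Added example, not the role's own tasks. On RHEL 9, /etc/ssh/sshd_config
# includes /etc/ssh/sshd_config.d/*.conf near the top and sshd keeps the first
# value it sees, so a drop-in sorting before 50-redhat.conf wins. The file is
# validated before it is written, so a typo cannot leave sshd unable to start.
# Assumed: cis_ssh_* variables and a "Restart sshd" handler in handlers/main.yml.
- name: Write CIS-inspired sshd drop-in (check mode shows the diff only)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-cis-hardening.conf
    owner: root
    group: root
    mode: "0600"
    validate: /usr/sbin/sshd -t -f %s
    content: |
      # Managed by the hardening role; local edits will be overwritten.
      PermitRootLogin {{ 'no' if cis_disable_root_login else 'yes' }}
      PermitEmptyPasswords no
      PasswordAuthentication {{ 'no' if cis_disable_password_auth else 'yes' }}
      MaxAuthTries {{ cis_ssh_max_auth_tries | default(4) }}
      LoginGraceTime {{ cis_ssh_login_grace_time | default(60) }}
      ClientAliveInterval {{ cis_ssh_client_alive_interval | default(15) }}
      ClientAliveCountMax {{ cis_ssh_client_alive_count_max | default(3) }}
  notify: Restart sshd
  tags: [ssh]

# Post-check: "sshd -T" prints the effective configuration with every Include
# folded in (keywords lowercased), so a later drop-in cannot silently undo the
# values above. It needs root to read the host keys; run the role with become.
- name: Read effective sshd configuration
  ansible.builtin.command: /usr/sbin/sshd -T
  register: cis_sshd_effective
  changed_when: false
  check_mode: false
  tags: [ssh, postcheck]

- name: Assert effective sshd values match the hardening intent
  ansible.builtin.assert:
    that:
      - "'permitrootlogin no' in cis_sshd_effective.stdout_lines"
      - "'permitemptypasswords no' in cis_sshd_effective.stdout_lines"
      - "(cis_sshd_effective.stdout_lines | select('match', '^maxauthtries ') | first).split()[1] | int <= 4"
    fail_msg: "Effective sshd configuration does not meet the SSH controls"
  tags: [ssh, postcheck]
```

In check mode the post-check still reads the live host, so on a not-yet-hardened system the assertion reports the gap rather than a false pass.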