Commit ca5a876d03 by Mateusz Suski, 2026-05-08 21:18:22 +00:00
Improve infra-run portfolio credibility
CI: lint / shell-yaml-ansible (push) Failing after 21s

RHEL 9 Baseline Hardening Role

This role provides a practical, baseline hardening example for RHEL 9 and Oracle Linux 9 systems. It is inspired by hardening benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.

This is not a full compliance certification implementation.

Supported Platforms

  • Red Hat Enterprise Linux 9
  • Oracle Linux 9

The role fails safely on unsupported operating systems or unsupported major versions.

Implemented Controls

  • SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
  • Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
  • Optional installation and enablement of chrony, auditd, and rsyslog.
  • Selected IPv4 network sysctl settings.
  • Service enablement for chronyd, auditd, and rsyslog.
  • Safe disabling of known legacy services when they are present.
  • Basic audit backlog and audit rule examples.
  • Sudo defaults for use_pty and a configurable sudo logfile.
  • Rsyslog service validation and journald configuration presence checks.
  • Optional filesystem mount option persistence for selected paths.
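The SSH control above persists settings in sshd_config, and a sensible postcheck is to read the file back the way sshd itself resolves it: the first global occurrence of a keyword wins, and anything after a Match line only applies inside that block. The script below is an added example and is not part of this role. It assumes the config path is passed as an argument, and the expected values in the heredoc are assumptions for illustration; substitute the values the role is configured to write.

```shell
#!/bin/sh
# Added example, not part of the role: read sshd_config back after a
# hardening run and report drift from the expected values.

# sshd_effective FILE KEYWORD
#   Prints the effective value of KEYWORD using sshd's own semantics:
#   keywords are case-insensitive, "keyword value" and "keyword=value"
#   are both accepted, the first global occurrence wins, and everything
#   below a Match line is conditional, so it is skipped.
sshd_effective() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/ { next }                # comments and blank lines
    { sub(/[[:space:]]*=[[:space:]]*/, " ") }    # normalise keyword=value
    { k = tolower($1) }
    k == "match" { inmatch = 1; next }           # conditional block starts
    inmatch { next }                             # nothing below Match is global
    k == key { print $2; exit }                  # first global hit wins
  ' "$1"
}

# check_sshd_hardening FILE
#   Compares effective values against the expectations below and prints one
#   line per problem. Returns the number of problems (0 means clean).
#   The expected values here are assumptions for this example.
check_sshd_hardening() {
  file=$1
  failures=0
  while read -r key want; do
    [ -z "$key" ] && continue
    got=$(sshd_effective "$file" "$key")
    if [ -z "$got" ]; then
      printf 'MISSING %s (expected %s, sshd default applies)\n' "$key" "$want"
      failures=$((failures + 1))
    elif [ "$got" != "$want" ]; then
      printf 'DRIFT   %s=%s (expected %s)\n' "$key" "$got" "$want"
      failures=$((failures + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 3
EOF
  return "$failures"
}

# Usage: sh sshd_postcheck.sh /etc/ssh/sshd_config
# Exit status is the number of problems found, so it can gate a pipeline.
if [ $# -ge 1 ]; then
  check_sshd_hardening "$1"
fi
```

RHEL 9 ships an sshd_config that includes drop-in files from sshd_config.d near the top, and because the first match wins a drop-in can take precedence over a value written later in the main file. On a live host, feed the check the fully resolved configuration instead: `sshd -T` prints every effective keyword in lowercase, which the case-insensitive lookup above handles without changes.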

Safety Philosophy

The defaults are conservative. The role supports Ansible check mode and avoids destructive live-system behavior by default. Filesystem mount option management is disabled unless cis_manage_mount_options is explicitly enabled, and even then the role persists configured options without remounting live filesystems.

Review variables before adapting this role to managed hosts.

Common Variables

cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false

Check Mode

Run a full safety preview:

ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff

Run only SSH controls in check mode:

ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh

Tags

Useful tags include:

  • precheck
  • packages
  • ssh
  • sysctl
  • services
  • audit
  • sudo
  • logging
  • filesystem
  • postcheck

Example:

ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck

Rollout Notes

This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.