CIS-Inspired RHEL 9 Hardening Role

This role provides a practical, production-style hardening baseline for RHEL 9 and Oracle Linux 9 systems. It is inspired by CIS Benchmark controls for Red Hat Enterprise Linux 9 version 2.0.0, but it is intentionally scoped to common operational controls that infrastructure and security operations teams frequently automate.

This is not a full CIS certification implementation.

Supported Platforms

  • Red Hat Enterprise Linux 9
  • Oracle Linux 9

The role fails safely on unsupported operating systems or unsupported major versions.

Implemented Controls

  • SSH daemon hardening for root login, empty passwords, password authentication, retry limits, login grace time, and client keepalive behavior.
  • Removal of selected legacy network packages such as telnet, rsh-server, and ypbind.
  • Optional installation and enablement of chrony, auditd, and rsyslog.
  • CIS-inspired IPv4 network sysctl settings.
  • Service enablement for chronyd, auditd, and rsyslog.
  • Safe disabling of known legacy services when they are present.
  • Basic audit backlog and audit rule examples.
  • Sudo defaults for use_pty and a configurable sudo logfile.
  • Rsyslog service validation and journald configuration presence checks.
  • Optional filesystem mount option persistence for selected paths.

Safety Philosophy

The defaults are conservative. The role supports Ansible check mode and avoids destructive production behavior by default. Filesystem mount option management is disabled unless cis_manage_mount_options is explicitly enabled, and even then the role persists configured options without remounting live filesystems.

Review variables before using this role in production.

Common Variables

cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false

Check Mode

Run a full safety preview:

ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff

Run only SSH controls in check mode:

ansible-playbook playbooks/cis-rhel9-hardening.yml --check --diff --tags ssh

Tags

Useful tags include:

  • precheck
  • packages
  • ssh
  • sysctl
  • services
  • audit
  • sudo
  • logging
  • filesystem
  • postcheck

Example:

ansible-playbook playbooks/cis-rhel9-hardening.yml --tags precheck,ssh,postcheck
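The postcheck tag is where drift in the SSH controls listed above would surface. The script below is an added example, not part of this role: it reads `sshd -T` output and reports any setting that is missing or differs from the expected value. The expected values and the sample dump are assumptions constructed for illustration and should be aligned with your cis_* variables.

```bash
#!/usr/bin/env bash
# Added post-check example, not part of the role: compare the effective
# sshd configuration (`sshd -T` output, one "key value" per line, read
# from stdin) with the values the role's SSH controls are meant to set.
# Prints one line per missing or drifted setting; exit status 1 on drift.

# Assumed target values; align them with your cis_* variables. Add
# "passwordauthentication no" when cis_disable_password_auth is true.
EXPECTED_SSHD='permitrootlogin no
permitemptypasswords no
maxauthtries 4
logingracetime 60
clientaliveinterval 15
clientalivecountmax 3'

check_sshd_config() {
    local effective drift=0 key want got
    effective="$(cat)"                      # whole sshd -T dump from stdin
    while read -r key want; do
        [ -z "$key" ] && continue
        # sshd -T emits lowercase keys; take the first match only
        got="$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')"
        if [ -z "$got" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            drift=1
        elif [ "$got" != "$want" ]; then
            printf 'DRIFT   %s=%s (want %s)\n' "$key" "$got" "$want"
            drift=1
        fi
    done <<EOF
$EXPECTED_SSHD
EOF
    return "$drift"
}

# Constructed sample dump standing in for `sshd -T` on a partially hardened host.
SAMPLE_SSHD_T='port 22
permitrootlogin yes
permitemptypasswords no
maxauthtries 6
logingracetime 60
clientaliveinterval 15'

# On a real host: sshd -T | check_sshd_config
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_config || echo "sshd drift detected"
```

Run it after the postcheck tag on a hardened host and treat any DRIFT or MISSING line as a failed control rather than a warning.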

Production Rollout Notes

This role is a hardening starting point for internal infrastructure teams. It should be reviewed against local access patterns, break-glass procedures, compliance requirements, monitoring expectations, and host build standards before rollout.