Files

T

ci / validate (push) Failing after 1m8s

Details

Initial CV-aligned infrastructure portfolio

Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability.

Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.

2026-05-04 17:37:24 +00:00

1.5 KiB

Raw Blame History

Hardening Role

Apply security hardening to enterprise infrastructure nodes following CIS benchmarks.

Features

CIS Compliance: Support for CIS hardening levels 1 and 2
SSH Hardening: Disable root login, password auth, set auth limits
Firewall Configuration: UFW with configurable rules
Service Cleanup: Disable unnecessary services and remove insecure packages
Handlers: SSH restarts via handlers

Role Variables

See defaults/main.yml for all available variables.

Key Variables

cis_level: CIS hardening level (1 or 2)
disable_root_login: Disable root SSH login (default: true)
secure_ssh_config: Apply SSH security hardening (default: true)
firewall_policy: Firewall default policy (default: deny)
ssh_max_auth_tries: Maximum SSH authentication attempts (default: 3)
ssh_client_alive_interval: SSH client alive interval in seconds (default: 300)
ssh_allowed_networks: Networks allowed SSH access from

SSH Allowed Networks

Default trusted networks:

10.0.0.0/8 (Private Class A)
172.16.0.0/12 (Private Class B)
192.168.0.0/16 (Private Class C)

Usage

- role: hardening
  vars:
    cis_level: 1
    disable_root_login: true
    ssh_allowed_networks:
      - 10.0.0.0/8
      - 203.0.113.0/24

SSH Configuration Changes

Root login disabled
Password authentication disabled
Maximum auth tries: 3
Empty passwords prohibited
Client alive interval: 300 seconds
Client alive count max: 2

1.5 KiB Raw Blame History