mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8bd3ff768e6643c195cdaea4a3489d61d7a1eaa6
portfolio/enterprise-infra-simulator/roles/hardening/README.md
T
Mateusz Suski 78bcfce43a
ci / validate (push) Failing after 2m0s
Details
Refactor Ansible playbooks to comply with best practices and fix linting violations 
- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:
- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:
- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.
2026-05-04 09:13:25 +00:00

1.5 KiB
Raw Blame History

Hardening Role

Apply security hardening to enterprise infrastructure nodes following CIS benchmarks.

Features

  • CIS Compliance: Support for CIS hardening levels 1 and 2
  • SSH Hardening: Disable root login, password auth, set auth limits
  • Firewall Configuration: UFW with configurable rules
  • Service Cleanup: Disable unnecessary services and remove insecure packages
  • Handlers: SSH restarts via handlers

Role Variables

See defaults/main.yml for all available variables.

Key Variables

  • cis_level: CIS hardening level (1 or 2)
  • disable_root_login: Disable root SSH login (default: true)
  • secure_ssh_config: Apply SSH security hardening (default: true)
  • firewall_policy: Firewall default policy (default: deny)
  • ssh_max_auth_tries: Maximum SSH authentication attempts (default: 3)
  • ssh_client_alive_interval: SSH client alive interval in seconds (default: 300)
  • ssh_allowed_networks: Networks allowed SSH access from

SSH Allowed Networks

Default trusted networks:

  • 10.0.0.0/8 (Private Class A)
  • 172.16.0.0/12 (Private Class B)
  • 192.168.0.0/16 (Private Class C)

Usage

- role: hardening
  vars:
    cis_level: 1
    disable_root_login: true
    ssh_allowed_networks:
      - 10.0.0.0/8
      - 203.0.113.0/24

SSH Configuration Changes

  • Root login disabled
  • Password authentication disabled
  • Maximum auth tries: 3
  • Empty passwords prohibited
  • Client alive interval: 300 seconds
  • Client alive count max: 2

Tags

  • hardening: All hardening tasks
  • security: Security-related tasks
Reference in New Issue View Git Blame Copy Permalink