mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca5a876d03049ff6647a8903f5a0d718ef7ca769
portfolio/infra-run/ansible/roles/cis-debian-ubuntu-hardening/README.md
T
Mateusz Suski ca5a876d03
lint / shell-yaml-ansible (push) Failing after 21s
Details
Improve infra-run portfolio credibility
2026-05-08 21:18:22 +00:00

91 lines
2.6 KiB
Markdown
Raw Blame History

# Debian And Ubuntu Baseline Hardening Role
This role applies a small, practical set of selected baseline operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for managed environments that still need local review.
## Supported OS
- Debian 13 Trixie
- Ubuntu Server 26.04 LTS
Unsupported distributions and versions fail during precheck before hardening tasks run.
## Implemented Areas
- SSH daemon hardening through a managed drop-in and final `sshd -t` validation
- Legacy network package removal
- Optional installation and enablement of `auditd`, `chrony`, `rsyslog`, and `sudo`
- Kernel network sysctl hardening
- Basic audit rule examples, disabled by default
- Sudo `use_pty` and optional sudo logfile configuration
- Logging service checks without replacing existing logging configuration
- Filesystem mount option recommendations, disabled by default
## Safety Philosophy
The defaults are intended to be operationally safe:
- Check mode is supported.
- SSH password authentication remains enabled by default.
- Filesystem mount option management is disabled by default.
- Audit rules are not written unless explicitly enabled.
- Services are enabled only when the matching feature is enabled and the service exists.
- Existing logging configuration is not replaced.
This role does not implement the full CIS benchmark and is not a compliance certification implementation.
## Usage
Run in check mode first:
```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff
```
Apply the full baseline:
```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml
```
Run only selected areas:
```bash
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging
```
## Key Variables
```yaml
cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
cis_manage_audit_rules: false
cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3
cis_sudo_use_pty: true
cis_sudo_logfile: /var/log/sudo.log
```
Enable audit rules only after reviewing the examples:
```yaml
cis_manage_audit_rules: true
```
Enable mount option persistence only after reviewing each filesystem target:
```yaml
cis_manage_mount_options: true
```
Reference in New Issue View Git Blame Copy Permalink