mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
deb12a0b4f5ef6ff4cd29317bf4eba95d2d6b60c
portfolio/infra-run/ansible/roles/cis-debian-ubuntu-hardening/README.md
T

2.6 KiB
Raw Blame History

CIS-Inspired Debian and Ubuntu Hardening

This role applies a small, practical set of CIS-inspired operational hardening controls for Debian and Ubuntu servers. It is intentionally readable, conservative, and suitable as a baseline for production environments that still need local review.

Supported OS

  • Debian 13 Trixie
  • Ubuntu Server 26.04 LTS

Unsupported distributions and versions fail during precheck before hardening tasks run.

Implemented Areas

  • SSH daemon hardening with a validated drop-in configuration
  • Legacy network package removal
  • Optional installation and enablement of auditd, chrony, rsyslog, and sudo
  • Kernel network sysctl hardening
  • Basic audit rule examples, disabled by default
  • Sudo use_pty and optional sudo logfile configuration
  • Logging service checks without replacing existing logging configuration
  • Filesystem mount option recommendations, disabled by default

Safety Philosophy

The defaults are intended to be operationally safe:

  • Check mode is supported.
  • SSH password authentication remains enabled by default.
  • Filesystem mount option management is disabled by default.
  • Audit rules are not written unless explicitly enabled.
  • Services are enabled only when the matching feature is enabled and the service exists.
  • Existing logging configuration is not replaced.

This role does not implement the full CIS benchmark and is not a CIS certification implementation.

Usage

Run in check mode first:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff

Apply the full baseline:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml

Run only selected areas:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging

Key Variables

cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
cis_manage_audit_rules: false

cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3

cis_sudo_use_pty: true
cis_sudo_logfile: /var/log/sudo.log

Enable audit rules only after reviewing the examples:

cis_manage_audit_rules: true

Enable mount option persistence only after reviewing each filesystem target:

cis_manage_mount_options: true
Reference in New Issue View Git Blame Copy Permalink