portfolio/enterprise-infra-simulator/roles/hardening/defaults/main.yml

---
# Hardening configuration
cis_level: 1
disable_root_login: true
secure_ssh_config: true
firewall_policy: deny
auditd_enabled: true
selinux_mode: enforcing
apparmor_enabled: true

# SSH Hardening
ssh_max_auth_tries: 3
ssh_client_alive_interval: 300
ssh_client_alive_count_max: 2

# Firewall rules for SSH (trusted networks)
ssh_allowed_networks:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16

# Services to disable
unnecessary_services:
  - cups
  - avahi-daemon
  - bluetooth
  - nfs-server
  - rpcbind

# Packages to remove
unnecessary_packages:
  - telnet
  - rsh-client
  - talk
  - ntalk