portfolio/infra-run/ansible/roles/cis-debian-ubuntu-hardening
Mateusz Suski ca5a876d03
Improve infra-run portfolio credibility
2026-05-08 21:18:22 +00:00

Debian and Ubuntu Baseline Hardening Role

This role applies a small, practical set of baseline operational hardening controls for Debian and Ubuntu servers. It is intentionally readable and conservative, and is meant as a starting baseline for managed environments that still need local review.

Supported OS

  • Debian 13 Trixie
  • Ubuntu Server 26.04 LTS

Unsupported distributions and versions fail during precheck before hardening tasks run.

Implemented Areas

  • SSH daemon hardening through a managed sshd_config.d drop-in, followed by a final sshd -t validation of the effective configuration
  • Legacy network package removal
  • Optional installation and enablement of auditd, chrony, rsyslog, and sudo
  • Kernel network sysctl hardening
  • Basic audit rule examples, disabled by default
  • Sudo use_pty and optional sudo logfile configuration
  • Logging service checks without replacing existing logging configuration
  • Filesystem mount option recommendations, disabled by default

Safety Philosophy

The defaults are intended to be operationally safe:

  • Check mode is supported.
  • SSH password authentication remains enabled by default.
  • Filesystem mount option management is disabled by default.
  • Audit rules are not written unless explicitly enabled.
  • Services are enabled only when the matching feature is enabled and the service exists.
  • Existing logging configuration is not replaced.

This role does not implement the full CIS benchmark and is not a compliance certification implementation.

Usage

Run in check mode first:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --check --diff

Apply the full baseline:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml

Run only selected areas:

ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags precheck,ssh,postcheck
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags packages,services
ansible-playbook playbooks/cis-debian-ubuntu-hardening.yml --tags sudo,logging

Key Variables

cis_disable_root_login: true
cis_disable_password_auth: false
cis_install_auditd: true
cis_enable_chrony: true
cis_enable_rsyslog: true
cis_remove_legacy_packages: true
cis_enable_sysctl_hardening: true
cis_manage_mount_options: false
cis_manage_audit_rules: false

cis_ssh_max_auth_tries: 4
cis_ssh_login_grace_time: 60
cis_ssh_client_alive_interval: 300
cis_ssh_client_alive_count_max: 3

cis_sudo_use_pty: true
cis_sudo_logfile: /var/log/sudo.log
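The SSH area listed under Implemented Areas, written out as a stand-alone play using the cis_ssh_* and cis_disable_* values above. This is an added example, not the role's own tasks; the drop-in path, handler name and service name are assumptions.

```yaml
# Added illustration of the SSH area, not the role's own task file.
# Assumes the cis_ssh_* / cis_disable_* variables from Key Variables;
# the drop-in path, handler name and service name are assumptions.
- name: SSH baseline drop-in with final sshd -t validation
  hosts: all
  become: true
  vars:
    cis_disable_root_login: true
    cis_disable_password_auth: false
    cis_ssh_max_auth_tries: 4
    cis_ssh_login_grace_time: 60
    cis_ssh_client_alive_interval: 300
    cis_ssh_client_alive_count_max: 3
  tasks:
    - name: Render managed sshd drop-in
      ansible.builtin.copy:
        # sshd keeps the FIRST value it reads for each keyword and reads
        # drop-ins in lexical order, so a 00- prefix lets this file win over
        # later drop-ins such as a 50-cloud-init.conf.
        dest: /etc/ssh/sshd_config.d/00-cis-baseline.conf
        owner: root
        group: root
        mode: "0600"
        # Syntax-check the rendered file before it is put in place.
        validate: sshd -t -f %s
        content: |
          # Managed by Ansible; local edits are overwritten
          PermitRootLogin {{ 'no' if cis_disable_root_login else 'prohibit-password' }}
          PasswordAuthentication {{ 'no' if cis_disable_password_auth else 'yes' }}
          MaxAuthTries {{ cis_ssh_max_auth_tries }}
          LoginGraceTime {{ cis_ssh_login_grace_time }}
          ClientAliveInterval {{ cis_ssh_client_alive_interval }}
          ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}
      notify: Reload sshd
      tags: [ssh]

    - name: Validate the full effective configuration, drop-ins included
      ansible.builtin.command: sshd -t
      changed_when: false
      tags: [ssh, postcheck]

  handlers:
    # Reload rather than restart so existing sessions stay up; the handler
    # runs only if every earlier task, including sshd -t, succeeded.
    - name: Reload sshd
      ansible.builtin.service:
        name: ssh
        state: reloaded
```

Running the play with --check --diff first shows the rendered drop-in without touching the host, matching the check-mode-first workflow described under Usage.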

Enable audit rules only after reviewing the examples:

cis_manage_audit_rules: true

Enable mount option persistence only after reviewing each filesystem target:

cis_manage_mount_options: true