Ansible Collection - devsec.hardening

Description

This collection is designed to improve the security of:

• Linux operating systems:
  • CentOS 9
  • Rocky Linux 8/9
  • Debian 11/12
  • Ubuntu 20.04/22.04/24.04
  • Amazon Linux (some roles available)
  • Arch Linux (some roles available)
  • Fedora 39/40 (some roles available)
  • Suse Tumbleweed (some roles available)
• MySQL
  • MariaDB versions >= 5.5.65, >= 10.1.45, >= 10.3.17
  • MySQL versions >= 5.7.31, >= 8.0.3
• Nginx version 1.0.16 or later
• OpenSSH version 5.3 or later

This hardening process aligns with Inspec DevSec Baselines:

• https://github.com/dev-sec/linux-baseline
• https://github.com/dev-sec/mysql-baseline
• https://github.com/dev-sec/nginx-baseline
• https://github.com/dev-sec/ssh-baseline

Looking for old roles?

The previous roles are now included in the hardening collection. Old versions of the os-hardening role are still available in this repository; you can find them by checking older tags. The last standalone version was 6.2.0.

Other roles are in separate repositories:

• apache_hardening
• mysql_hardening
• nginx_hardening
• ssh_hardening
• windows_hardening

Minimum required Ansible version

• Ansible version >= 2.9.10

Included content

• os_hardening
• mysql_hardening
• nginx_hardening
• ssh_hardening

Currently in progress, not yet functional:

• apache_hardening
• windows_hardening

Installation

To install the collection, use ansible-galaxy:

ansible-galaxy collection install devsec.hardening

Using this collection

Refer to the examples in the role readme files for guidance.

For more details, see Ansible Using collections.

Contributing to this collection

Please check the contributor guideline.

Release notes

View the changelog.

Roadmap

Planned tasks:

• Continue working on apache_hardening and windows_hardening
• Add support for additional operating systems

More information

For general information:

• Ansible Collection overview
• Ansible User guide
• Ansible Developer guide
• Ansible Collections Checklist
• Ansible Community code of conduct
• The Bullhorn (the Ansible Contributor newsletter)
• Changes impacting Contributors

Licensing

This collection is licensed under the Apache License, Version 2.0 (the "License"). You cannot use this file except in compliance with the License. A copy of the License can be found at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software released under the License is provided "AS IS," without any guarantees or conditions of any kind. See the License for detailed information regarding permissions and limitations.