# Section 4: Securing the Host OS

## Objective
This section walks through hardening the Ubuntu 22.04 LTS host to meet the foundational system-level security expectations of CMMC Level 2. All configurations are managed using Ansible, enabling repeatability, version control, and audit readiness.
NOTE: This hardening role is executed automatically during the provisioning phase (see Section 3) via the `bootstrap.sh` script included in the Terraform configuration. The secure baseline is applied during the first boot of the server. This section documents the tasks for audit clarity and allows for manual reapplication if needed.
## Host Hardening Checklist

- Disable password-based SSH access
- Enforce key-based login with limited user privileges
- Remove unnecessary packages and services
- Configure local firewall rules (UFW)
- Enforce strong password policies
- Enable system auditing (`auditd`)
- Install file integrity monitoring (`AIDE`)
- Apply system banners (AC.3.017)
- Schedule automatic security updates
## Step-by-Step with Ansible

All tasks are included in the role `roles/harden_ubuntu/`. Here's a breakdown:
### 1. Disable Root Login and Enforce SSH Keys

```yaml
# When the regexp does not match, lineinfile appends at end of file; in an sshd_config that
# contains Match blocks the appended line would land inside the last block and be ignored for
# ordinary connections (sshd honours the first match). insertbefore: BOF places a missing
# directive at the top instead, and validate runs a syntax check on the edited copy.
# A handler (not shown here) must restart the ssh service for the change to take effect.
- name: Disable root login over SSH
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
- name: Disable password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
```
### 2. Install & Configure UFW Firewall

```yaml
- name: Install UFW
  apt:
    name: ufw
    state: present
- name: Enable UFW with default deny
  ufw:
    state: enabled
    policy: deny
```

Then explicitly allow needed ports:

```yaml
- ufw:
    rule: allow
    port: "22"
    proto: tcp
```
### 3. Configure Password Policies

```yaml
- name: Set password complexity
  lineinfile:
    path: /etc/security/pwquality.conf
    regexp: '^minlen'
    line: 'minlen = 14'
```

Add login lockout:

```yaml
# pam_tally2 is not shipped on Ubuntu 22.04 (dropped in PAM 1.4); pam_faillock replaces it.
# The preauth line must run before pam_unix and the authfail/authsucc pair directly after it,
# so the lines are positioned relative to the existing pam_unix entry rather than appended.
- name: Lock out after 5 failed attempts (pam_faillock preauth)
  lineinfile:
    path: /etc/pam.d/common-auth
    insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
    line: 'auth required pam_faillock.so preauth silent deny=5 unlock_time=900'
- name: Record failed attempts and reset the counter on success
  blockinfile:
    path: /etc/pam.d/common-auth
    insertafter: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
    block: |
      auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
      auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900
```
### 4. Configure Login Banners

```yaml
- name: Create login banner
  copy:
    content: |
      WARNING: This system is monitored and access is restricted to authorized users.
      Unauthorized access may result in disciplinary or legal action.
    dest: /etc/issue.net
- name: Enable banner in sshd
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Banner'
    line: 'Banner /etc/issue.net'
    insertbefore: BOF   # keep the directive out of any trailing Match block
    validate: '/usr/sbin/sshd -t -f %s'
```
### 5. Enable Auditd and AIDE

```yaml
- name: Install auditd and AIDE
  apt:
    name:
      - auditd
      - aide
    state: present
# On Ubuntu/Debian the aide package uses /var/lib/aide/aide.db as the live database and
# writes the fresh one to aide.db.new (not the .gz names used upstream). aideinit -y -f
# answers the interactive prompts and installs the new database; the creates: guard keeps
# the task idempotent on re-runs.
- name: Initialize AIDE DB
  command: aideinit -y -f
  args:
    creates: /var/lib/aide/aide.db
```
### 6. Enable Automatic Updates

```yaml
- name: Install unattended-upgrades
  apt:
    name: unattended-upgrades
    state: present
- name: Enable periodic security updates
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
```
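Because the role applies its baseline during first boot, an auditor still needs evidence that the edited files carry the intended values. The following POSIX shell helper is an added example and is not part of the original role or repository: it reads the files the steps above edit, prints a PASS/FAIL line per control and returns the number of failures. File paths are parameters, so the same functions run against the live host or, via `write_samples`, against constructed sample files; the sample file contents, the control labels and the function names are all assumptions made for this example. The `sshd_effective` helper also makes the sshd semantics explicit: the first matching directive wins and global directives stop at the first `Match` line, so a directive appended at the end of the file below a `Match` block is never consulted for ordinary connections.

```shell
#!/bin/sh
# Added verification helper for the harden_ubuntu baseline (example code, not the
# role's own). Reads the files the role edits and prints PASS/FAIL per control so
# the output can be kept as audit evidence. Paths are parameters.

# Effective global value of an sshd_config directive. sshd honours the FIRST
# matching directive, and global directives end at the first "Match" line, so a
# line appended below a Match block is ignored for ordinary connections.
# Handles the "Key value" form; it does not follow Include lines.
sshd_effective() {  # sshd_effective <sshd_config> <Directive>
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Last uncommented "key = value" in pwquality.conf (later lines override earlier ones).
pwquality_value() {  # pwquality_value <pwquality.conf> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Value of an APT::Periodic option in an apt.conf.d snippet.
apt_periodic() {  # apt_periodic <apt.conf.d file> <Option>
  sed -n "s/^APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

fails=0
expect() {  # expect <label> <actual> <wanted>; counts mismatches in $fails
  if [ "$2" = "$3" ]; then
    echo "PASS $1 = $2"
  else
    echo "FAIL $1 (got '${2:-unset}', want '$3')"
    fails=$((fails + 1))
  fi
}

# check_baseline <sshd_config> <pwquality.conf> <20auto-upgrades>
# Returns the number of failed checks (0 means the baseline is present).
check_baseline() {
  fails=0
  expect "sshd PermitRootLogin"        "$(sshd_effective "$1" PermitRootLogin)" no
  expect "sshd PasswordAuthentication" "$(sshd_effective "$1" PasswordAuthentication)" no
  expect "sshd Banner"                 "$(sshd_effective "$1" Banner)" /etc/issue.net
  expect "pwquality minlen"            "$(pwquality_value "$2" minlen)" 14
  expect "apt Unattended-Upgrade"      "$(apt_periodic "$3" Unattended-Upgrade)" 1
  return "$fails"
}

# Constructed sample files (not captured from a real host), written to a temp
# dir whose path is printed. The "weak" sshd_config shows the append-below-Match
# pitfall: its last two lines look hardened but are never applied globally.
write_samples() {
  d=$(mktemp -d)
  cat > "$d/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
Banner /etc/issue.net
Match User backup
    PasswordAuthentication yes
EOF
  cat > "$d/sshd_config.weak" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Banner /etc/issue.net
Match User backup
    PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
  cat > "$d/pwquality.conf" <<'EOF'
# minlen = 8
minlen = 14
EOF
  cat > "$d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  printf '%s\n' "$d"
}

# Live-host usage:
#   sh check_baseline.sh /etc/ssh/sshd_config /etc/security/pwquality.conf /etc/apt/apt.conf.d/20auto-upgrades
if [ "$#" -eq 3 ]; then
  check_baseline "$@"
fi
```

On Ubuntu 22.04 the stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, and directives in those drop-ins are read first, so when checking a live host run `sshd_effective` against the drop-in files as well; `sshd -T` prints the fully resolved configuration if you need a second opinion. An unset value means sshd falls back to its compiled-in default, which the helper deliberately reports as a failure rather than guessing.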
## CMMC Practices Addressed

| CMMC Practice | Purpose |
|---|---|
| AC.1.001 | Enforces user authentication boundaries |
| AC.3.017 | Displays warning banners |
| CM.2.062 | Applies baseline hardening |
| SI.1.210 | Enables audit and log generation |
| SI.3.219 | Supports detection of unauthorized changes |
## Notes

- All hardening actions should be tested in a staging environment
- Logs from `auditd` and UFW should be forwarded to the SIEM layer (Wazuh or other)
- Password rules may be extended to include history and character diversity requirements
## Next Step

With the base system secured, you're ready to deploy Identity & Access Management using Keycloak and Tailscale in Section 5.