Skip to content

Phase 2: OS Hardening with Ansible

This phase configures the secure operating system baseline using Ansible. It applies hardened system defaults and prepares the host for rootless container deployment using Podman.

๐Ÿ›ก Phase 2 โ€“ OS Hardening with Ansible

Diagram showing OS hardening steps including UFW, auditd, AIDE, and role setup using Ansible

๐Ÿงฐ Tools Required

  • Ansible
  • SSH key access to provisioned VM(s)
  • Hardened role or playbook (custom or from dev-sec/ansible-collection-hardening)

๐Ÿ›ก๏ธ Security Controls Implemented

Control Area Control
Access Control (AC) SSH lockdown, sudo restrictions
System Integrity (SI) AIDE, auditd, tamper detection
Configuration Management (CM) Idempotent playbooks
Security Protection (SC) ufw, fail2ban, automatic updates

๐Ÿ“ Suggested Folder Layout

ansible/
โ”œโ”€โ”€ inventory/
โ”‚   โ””โ”€โ”€ hosts.ini
โ”œโ”€โ”€ playbooks/
โ”‚   โ””โ”€โ”€ hardening.yml
โ”œโ”€โ”€ roles/
โ”‚   โ””โ”€โ”€ hardening/

๐Ÿงช Sample playbooks/hardening.yml

- name: Apply hardening to base OS
  hosts: all
  become: yes
  roles:
    - role: hardening

โš™๏ธ What the Role Should Do

  • Disable root SSH access
  • Enable firewall (ufw)
  • Set minimum password complexity
  • Install & configure:
  • auditd
  • aide
  • fail2ban
  • unattended-upgrades

๐Ÿ“ Verification Tasks

  • Run aideinit and confirm baseline creation
  • Run auditctl -l and journalctl to confirm logs
  • Test fail2ban trigger via SSH login attempts

โœ… Output of This Phase

  • A hardened base system per CIS Level 1 guidance
  • Ansible inventory + role ready for future updates
  • Rootless podman installed and tested

โ†’ Proceed to Phase 3: Podman Service Deployment