FilterHN

Ansible battle tested hardening for Linux, SSH, Nginx, MySQL

44 points

by walterbell

5 days ago

| past

| 4 comments

| github.com

| HN

▲

yjftsjthsd-h

4 hours ago

[-]

"battle tested" how? Widely deployed? Red teamed and shown to actually help?

▲

observationist

1 hour ago

[-]

They've got a red-team type process they apply repeatedly, you have to piece things together from the changelogs to get a grasp on what they're doing. They've built a positive feedback loop on which to iterate improvements in security, and bundled it in a way to be used effectively with Ansible.

They're following CIS guidelines, so if you're in a situation where that matters, it's probably a solid starting point for building things you need to have compliant and predictable. Could probably save weeks of effort, depending on the size of the team.

▲

TacticalCoder

1 hour ago

[-]

The Linux hardening list lists quite some modifications but what hardening is made to SSH compared to a stock config? For Linux they summarize the list of hardened changes but for SSH I couldn't find it.

For SSH it's basically a list of default values with a comment saying "change this if you must". Some summary as to what is hardened compared to a stock SSH install would be nice.

▲

observationist

1 hour ago

[-]

https://github.com/dev-sec/ansible-collection-hardening/blob...

The changelogs contain a summary of actions and changes, and full changelogs go into detail.

▲

Spivak

3 hours ago

[-]

These playbooks apply the CIS benchmarks, very very useful for compliance. I use them at $dayjob to build our base AMIs.

As for whether they actually harden your servers, that's up for you to decide if you think that CIS actually helps. It certainly does reduce attack surface.

▲

hackernudes

2 hours ago

[-]

Context: https://www.cisecurity.org/cis-benchmarks, https://www.cisecurity.org/about-us

"""The CIS Benchmarks® are prescriptive configuration recommendations for more than 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently."""

▲

wingmanjd

3 hours ago

[-]

At my $DAYJOB, we have a bunch in-house saltstack states for applying the CIS benchmarks for Ubuntu, Debian, and CentOS. I never looked into it, but I always wondered if I'd be allowed to publish them publicly.

▲

bhattisatish

1 hour ago

[-]

Well there is one available for oscap at https://github.com/ComplianceAsCode/content

▲

mhb

4 hours ago

[-]

What does this mean?

▲

ggm

1 hour ago

[-]

If you have compliance for contractual reasons (e/g you are the supply chain for an entity which has been declared to be a national-strategic service delivery) then this would probably help get you over the line to meet minimum proofs you have tried to comply with the obligations.

So, "what does this mean" is "it means you can tender to sell services to people who put CIS obligations in the contract"