Ansible battle tested hardening for Linux, SSH, Nginx, MySQL

Original link: https://github.com/dev-sec/ansible-collection-hardening

This collection provides battle-tested security hardening for a wide range of Linux distributions, including CentOS, AlmaLinux, Rocky Linux, Debian, Ubuntu, Amazon Linux, Arch Linux, Fedora and SUSE. It also hardens popular software such as MySQL, MariaDB, Nginx and OpenSSH. The hardening configuration is intended to align with the InSpec DevSec baselines, giving a solid security foundation. The formerly standalone roles are now integrated into this single collection, but the old releases remain available via tags. The collection is installed with `ansible-galaxy collection install devsec.hardening`. Detailed examples and usage instructions are in the role readmes and the Ansible documentation. The project is open source under the Apache 2.0 license and welcomes contributions; a contributor guideline and a changelog are provided.

## Summary of the Ansible hardening collection

dev-sec has published an Ansible collection intended to simplify Linux server hardening, with a focus on SSH, Nginx and MySQL. The project is described as "battle tested" through an ongoing process of red-team testing and refinement; the discussion characterised it as based mainly on the CIS (Center for Internet Security) benchmarks, while the README itself states that the hardening targets the InSpec DevSec baselines. Users discussed its usefulness for achieving compliance, potentially saving significant time compared with manual configuration. While the Linux hardening changes are well documented, the specifics of the SSH hardening were initially unclear, although a link to the changelog was provided. CIS benchmarks are prescriptive security configurations developed by experts worldwide that reduce the attack surface. Some users already apply CIS benchmarks with similar tools such as SaltStack, and resources such as ComplianceAsCode on GitHub offer alternative implementations. The collection may be particularly valuable for organisations that must meet contractual CIS compliance requirements, especially in critical-infrastructure supply chains.

Original text

CI workflow status badges (alt text only): devsec.os_hardening, devsec.os_hardening VM, devsec.ssh_hardening, devsec.ssh_hardening BSD, devsec.ssh_hardening with custom tests, devsec.nginx_hardening, devsec.mysql_hardening

This collection provides battle tested hardening for:

  • Linux operating systems:
    • CentOS Stream 9
    • AlmaLinux 8/9/10
    • Rocky Linux 8/9/10
    • Debian 11/12/13
    • Ubuntu 20.04/22.04/24.04
    • Amazon Linux (some roles supported)
    • Arch Linux (some roles supported)
    • Fedora 39/40 (some roles supported)
    • Suse Tumbleweed (some roles supported)
  • MySQL
    • MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
    • MySQL >= 5.7.31, >= 8.0.3
  • Nginx 1.0.16 or later
  • OpenSSH 5.3 and later

The hardening is intended to be compliant with the Inspec DevSec Baselines:

  • DevSec Linux Baseline (github.com/dev-sec/linux-baseline)
  • DevSec SSH Baseline (github.com/dev-sec/ssh-baseline)
  • DevSec Nginx Baseline (github.com/dev-sec/nginx-baseline)
  • DevSec MySQL Baseline (github.com/dev-sec/mysql-baseline)

Looking for the old roles?

The roles are now part of the hardening collection. We have kept the old releases of the os-hardening role in this repository, so you can find them by exploring older tags. The last release of the standalone role was 6.2.0.

The other roles are in separate, archived repositories:

  • ssh-hardening (github.com/dev-sec/ansible-ssh-hardening)
  • nginx-hardening (github.com/dev-sec/ansible-nginx-hardening)
  • mysql-hardening (github.com/dev-sec/ansible-mysql-hardening)

Minimum required Ansible-version

In progress, not working:

Install the collection via ansible-galaxy:

ansible-galaxy collection install devsec.hardening

Please refer to the examples in the readmes of the individual roles.

See the Ansible documentation on using collections for more details.
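The playbook below is an added example of applying the installed collection to a small fleet; it is not from the collection's own README. It uses the four roles by their fully qualified names in the collection (devsec.hardening.os_hardening, devsec.hardening.ssh_hardening, devsec.hardening.nginx_hardening, devsec.hardening.mysql_hardening). The role variables it overrides (sysctl_overwrite, ssh_allow_users, ssh_permit_root_login, ssh_allow_tcp_forwarding, mysql_root_password) and the inventory groups (linux, web, db) are assumptions and should be checked against each role's readme before use.

```yaml
# site-hardening.yml  (added example, not part of the dev-sec project)
#
# Dry-run first and read the diff; the os_hardening role touches sysctl,
# PAM, login.defs and file permissions, and ssh_hardening restarts sshd:
#   ansible-playbook -i inventory site-hardening.yml --check --diff
# Then apply, keeping an existing SSH session open as a fallback:
#   ansible-playbook -i inventory site-hardening.yml
---
- name: Harden the operating system and OpenSSH on every Linux host
  hosts: linux            # assumed inventory group
  become: true
  vars:
    # Variable names below are assumptions; verify them in the role readmes.
    # os_hardening applies restrictive sysctl defaults. Hosts that route
    # traffic or run containers need forwarding kept on, so override only
    # the keys that must differ instead of disabling the sysctl handling.
    sysctl_overwrite:
      net.ipv4.ip_forward: 1
    # Never hand the role an AllowUsers list that excludes the account
    # Ansible itself logs in with; that is the usual way to get locked out.
    ssh_allow_users: "{{ ansible_user | default('ansible') }}"
    ssh_permit_root_login: "no"
    ssh_allow_tcp_forwarding: "no"
  roles:
    - role: devsec.hardening.os_hardening
    - role: devsec.hardening.ssh_hardening

- name: Harden Nginx on the web tier
  hosts: web              # assumed inventory group
  become: true
  roles:
    - role: devsec.hardening.nginx_hardening

- name: Harden MySQL/MariaDB on the database tier
  hosts: db               # assumed inventory group
  become: true
  vars:
    # The role logs in as root to apply its changes; keep the secret in
    # Ansible Vault (vault_mysql_root_password is an assumed vaulted var).
    mysql_root_password: "{{ vault_mysql_root_password }}"
  roles:
    - role: devsec.hardening.mysql_hardening
```

After a run, verify the result independently of Ansible with the matching InSpec baseline the README names, for example `inspec exec https://github.com/dev-sec/linux-baseline -t ssh://user@host`; a passing baseline confirms the host state, whereas a green playbook only confirms that the tasks ran.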

Contributing to this collection

See the contributor guideline.

See the changelog.

Todos:

General information:

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
