A common guideline for security hardening comes from the Center for Internet Security (CIS), which publishes benchmark documents you can download here: https://www.cisecurity.org/cis-benchmarks/
The benchmarks are used as a guide to shut off unused or insecure services, remove extraneous packages, stop support for insecure file systems, and set secure kernel parameters.
Once you have set up a server and gone through the hardening, you can continue to scan it via Ansible to keep it secure and stop it drifting out of sync with the baseline.
Role Detail MindPointGroup.RHEL7-CIS:
Configure RHEL/Centos 7 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default.
This role will make changes to the system that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
https://galaxy.ansible.com/MindPointGroup/RHEL7-CIS/
I set it up as follows:
cd ~ansprod
mkdir CIS
cd CIS
vi requirements
I copied the requirements document they specified into ~ansprod/CIS/requirements.yml. It consisted of the following:
- src: https://github.com/MindPointGroup/RHEL7-CIS.git
I then ran the following command to install it:
ansible-galaxy install -p roles -r requirements.yml
Finally – I created the playbook:
~/ansible/CIS/main.yml –
- name: Harden Server
  hosts: test
  become: yes
  roles:
    - RHEL7-CIS
To run:
/usr/bin/ansible-playbook -i /home/ansprod/PLAYS/inv2 /home/ansprod/CIS/main.yml
where inv2 (the inventory file) looked like this:
[test]
lnyctomtest
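As an added example (not part of the original post or the MindPointGroup role), here is a small drift-check wrapper around that playbook: it dry-runs the role with --check --diff and flags any host whose recap shows a non-zero changed= count, i.e. a host that has drifted from the CIS baseline. It uses the inventory and playbook paths from the post; the "run" argument and the sample recaps are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the CIS role in check
# mode and report hosts that would be changed, i.e. that have drifted.
# Paths are the ones used in the post; "run" is a hypothetical argument so
# the script can be called from cron without touching the hosts on load.

INVENTORY=/home/ansprod/PLAYS/inv2
PLAYBOOK=/home/ansprod/CIS/main.yml

# Read an ansible-playbook PLAY RECAP on stdin and print each host whose
# changed= counter is non-zero. In check mode that counter is the number
# of hardening tasks that would have modified the host.
drifted_hosts() {
    awk '
        /changed=[0-9]+/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^changed=/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 > 0) print $1
                }
            }
        }'
}

# Dry-run the hardening playbook; return 1 (for cron/monitoring) when any
# host drifted. --diff additionally prints the file changes that would be made.
check_drift() {
    drifted=$(ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --check --diff | drifted_hosts)
    if [ -n "$drifted" ]; then
        echo "drift detected on: $drifted" >&2
        return 1
    fi
    echo "no drift"
}

# Constructed sample recaps, shaped like real ansible-playbook output,
# so drifted_hosts can be exercised without an inventory.
SAMPLE_RECAP='PLAY RECAP *********************************************************************
lnyctomtest                : ok=40   changed=3    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0'
CLEAN_RECAP='PLAY RECAP *********************************************************************
lnyctomtest                : ok=43   changed=0    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0'

if [ "${1:-}" = "run" ]; then
    check_drift
fi
```

Tasks built on the command or shell modules are skipped in check mode unless the role marks them check-safe, so a zero changed= count is necessary but not sufficient evidence that the host still matches the benchmark.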