Skip to content

Instantly share code, notes, and snippets.

@jezao

jezao/hardening.md

Last active November 8, 2020 16:48
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jezao/0e34f2937677804d4bd4cd2dda1ac124 to your computer and use it in GitHub Desktop.
Save jezao/0e34f2937677804d4bd4cd2dda1ac124 to your computer and use it in GitHub Desktop.
Download ZIP
Hardening server
Raw
hardening.md

Hardening Servers

The objective of this manual is to create a security standard in our infrastructure setup. For this guide, we will use the Chef Inspec to run our setup tests + Dev sec hardening framework automated with Ansible

Pre-requirements

Centos 7+ yum -y install ruby ruby-devel make gcc gcc-c++ git curl

Inspect We will inspect our server according to the framework specifications. This inspection can be customized, but at this time we will use the Linux baseline Centos7+

curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec \ 
&& git clone https://github.com/dev-sec/linux-baseline \   
&& inspec exec linux-baseline

You should see something like this:

Automated hardening

We will use the Dev-sec framework for Ansible to automate these settings. Centos7+ yum install -y ansible && ansible-galaxy install dev-sec.os-hardening

We have to build a playbook with the rules to be automatically changed. For now, we will use the default settings of dev-sec.os-hardening.

Create a file: foleon-playbook.yml

- hosts: localhost
  roles:
    - dev-sec.os-hardening

Execute the playbook:

ansible-playbook playbook.yml -f 10

Check results

Just execute the re-inspection command to check that everything has been executed as expected:

inspec exec linux-baseline

If you get something like that, we're safe!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment