How to use Ansible for security hardening on RHEL 7 and CentOS 7 servers

My article Security hardening on CentOS 7, Red Hat Enterprise Linux 7 & Amazon Linux was seen by Red Hat guru Karoly Vegh, who helpfully suggested it would be a good idea to automate the process with Ansible.

So here in a repository on my GitHub are some Ansible playbooks and related support files that I’ve created, which can be used for hardening servers running RHEL 7, CentOS 7 and related Linux distributions such as Amazon Linux 2. With some tweaking these playbooks could be easily modified for use with Ubuntu, Debian and other types of distro.

To use these playbooks, check out the repo and run the playbooks in the Ansible_RHEL_CentOS_hardening folder with ansible-playbook in the usual way. They assume the target servers are defined in your Ansible inventory as the group centosservers, but of course you can modify that if needed.

Important notes

If SELinux is active on your server(s) it will probably interfere with these playbooks, so you can disable it if you wish in order to run them. These playbooks could later be improved by adding options that take SELinux into account when it is active.

Before running harden_ssh.yml, if you have a firewall on the server(s), make sure it allows SSH access on port 1022 (or whichever alternative port you're using, if it isn't 1022); otherwise you risk locking yourself out of the server.
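One way to handle both of the notes above in a pre-flight step, as an added example that is not one of the playbooks in the repository: a small playbook that opens the new SSH port in firewalld before harden_ssh.yml moves sshd to it, reports the SELinux state, and, where SELinux is enabled, labels the new port as ssh_port_t so that an enforcing policy will let sshd bind to it. The playbook name preflight_ssh_port.yml, the ssh_port variable and the centosservers group are assumptions; the ansible.posix.firewalld and community.general.seport modules are real collection modules and need the ansible.posix and community.general collections on the control node (the seport task also needs the policycoreutils python bindings on the target).

```yaml
# preflight_ssh_port.yml (hypothetical name; added example, not part of the repo)
# Run this BEFORE harden_ssh.yml, while SSH is still reachable on port 22.
- name: Prepare servers for the SSH port change made by harden_ssh.yml
  hosts: centosservers
  become: true
  gather_facts: true
  vars:
    ssh_port: 1022          # assumption: matches the port harden_ssh.yml configures

  tasks:
    - name: Collect service facts so we know whether firewalld is running
      ansible.builtin.service_facts:

    - name: Allow the new SSH port through firewalld (only if firewalld is running)
      ansible.posix.firewalld:
        port: "{{ ssh_port }}/tcp"
        permanent: true
        immediate: true
        state: enabled
      when:
        - "'firewalld.service' in ansible_facts.services"
        - ansible_facts.services['firewalld.service'].state == 'running'

    - name: Report the SELinux state gathered from facts
      ansible.builtin.debug:
        msg: >-
          SELinux status={{ ansible_selinux.status | default('unknown') }}
          mode={{ ansible_selinux.mode | default('n/a') }}

    # With SELinux enforcing, sshd may only bind to ports labelled ssh_port_t.
    # Labelling the new port avoids having to disable SELinux just for this change.
    - name: Label the new SSH port as ssh_port_t when SELinux is enabled
      community.general.seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present
      when: ansible_selinux.status | default('disabled') == 'enabled'
```

Run it with ansible-playbook -i your_inventory preflight_ssh_port.yml against the original port 22 connection, then run harden_ssh.yml. If you use a different alternative port, pass it with -e ssh_port=NNNN so the firewall rule and SELinux label match what harden_ssh.yml configures.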

The Ansible playbooks

  1. harden_ssh.yml should normally be run first. This adds SSH server hardening and changes the port the SSH server listens on, so before running the other playbooks you'll want to add the connection variable ansible_port=1022 to your host definition(s) in your Ansible inventory.
  2. harden_os.yml is for the rest of the general server and OS hardening.
  3. harden_php_apache.yml can be run to harden PHP and Apache if you have those installed and running.
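An inventory in YAML form showing the port switch described in step 1, as an added example rather than a file from the repository. The hostnames and addresses are constructed placeholders; the group name centosservers is the one the playbooks expect, and ansible_port is a standard Ansible connection variable.

```yaml
# inventory.yml (constructed example, not part of the repo)
# Before harden_ssh.yml has run, leave ansible_port unset so Ansible connects on 22.
# After harden_ssh.yml has run, set ansible_port at group level so every host in
# centosservers is reached on the new port by harden_os.yml and harden_php_apache.yml.
all:
  children:
    centosservers:
      hosts:
        web1.example.test:          # placeholder hostname
          ansible_host: 192.0.2.10  # placeholder address (TEST-NET-1)
        web2.example.test:
          ansible_host: 192.0.2.11
      vars:
        ansible_user: admin         # assumption: a sudo-capable login user
        ansible_port: 1022          # add this line once harden_ssh.yml has completed
```

The run order is then: ansible-playbook -i inventory.yml harden_ssh.yml with ansible_port still absent, add the ansible_port line, confirm you can reach a host with ansible -i inventory.yml centosservers -m ping, and only then run harden_os.yml and harden_php_apache.yml. Checking connectivity on the new port before proceeding keeps a failed port change from locking you out of the rest of the hardening.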

To get more information and details on what the playbooks are doing, refer back to my blog post which inspired them, as this describes the original manual process which has now been automated here with Ansible.

There are doubtless additional modifications and improvements which could be made to these playbooks, and anyone is of course free to clone the repository and make changes as desired.

If you require more assistance with server hardening, Ansible configuration, or any other infrastructure issues, feel free to have a look at my website for CETRE SysAdmin & DevOps where you can see what I do, how I work, and what testimonials I’ve received from clients who’ve used my services before.