{"id":17151457,"url":"https://github.com/stefancrain/securing-linux","last_synced_at":"2025-08-02T15:09:12.437Z","repository":{"id":46622218,"uuid":"287338494","full_name":"stefancrain/Securing-Linux","owner":"stefancrain","description":"We like to build and use devices connected to the internet. That shouldn't keep us up at night.","archived":false,"fork":false,"pushed_at":"2021-10-03T13:53:56.000Z","size":117,"stargazers_count":9,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-13T12:05:50.658Z","etag":null,"topics":["ansible","baseline","benchmark","centos","cis-benchmark","debian","docker","hardening","linux","redhat","review","rhel","security-hardening","ubuntu","vagrant","vault"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stefancrain.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null},"funding":{"github":["stefancrain"]}},"created_at":"2020-08-13T17:16:42.000Z","updated_at":"2022-05-22T11:42:04.000Z","dependencies_parsed_at":"2022-09-23T02:50:50.800Z","dependency_job_id":null,"html_url":"https://github.com/stefancrain/Securing-Linux","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stefancrain%2FSecuring-Linux","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stefancrain%2FSecuring-Linux/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stefancrain%2FSecuring-Linux/releases","man
ifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stefancrain%2FSecuring-Linux/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stefancrain","download_url":"https://codeload.github.com/stefancrain/Securing-Linux/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248710435,"owners_count":21149190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","baseline","benchmark","centos","cis-benchmark","debian","docker","hardening","linux","redhat","review","rhel","security-hardening","ubuntu","vagrant","vault"],"created_at":"2024-10-14T21:38:05.181Z","updated_at":"2025-04-13T12:06:17.521Z","avatar_url":"https://github.com/stefancrain.png","language":"Jinja","funding_links":["https://github.com/sponsors/stefancrain"],"categories":[],"sub_categories":[],"readme":"# Securing Linux\n\nThis repo creates a usable Linux platform with adequate security for daily, non-production usage.\n\nTODO: add blurb about reasoning\n\nTODO: add blurb about workflow\n\nMake no mistake: this set of playbooks is opinionated and comes **without any express or implied warranty**.\n\n## Steps in security\n\n1. [Protect data with partitioning and encryption](./terraform/libvirt/ubuntu/cloud_init.yml)\n2. [Set useful base tools](./ansible/tasks/base.yml)\n3. [Restrict physical access](./ansible/tasks/physical_access.yml)\n4. [Restrict network access](./ansible/tasks/network_access.yml)\n5. 
[Track audit-worthy change events](./ansible/tasks/audit_tools.yml)\n\n## Reviewing hardening efforts\n\n### Audit programs\n\n- [jtesta/ssh-audit](https://github.com/jtesta/ssh-audit)\n- [CISOfy/lynis](https://github.com/CISOfy/lynis)\n- [future-architect/vuls](https://github.com/future-architect/vuls)\n\n### [Chef InSpec](https://docs.chef.io/inspec)\n\n- [dev-sec/linux-baseline](https://github.com/dev-sec/linux-baseline)\n- [dev-sec/linux-patch-baseline](https://github.com/dev-sec/linux-patch-baseline)\n- [dev-sec/ssh-baseline](https://github.com/dev-sec/ssh-baseline)\n- [dev-sec/cis-dil-benchmark](https://github.com/dev-sec/cis-dil-benchmark)\n- [dev-sec/cis-docker-benchmark](https://github.com/dev-sec/cis-docker-benchmark)\n- [dev-sec/cis-kubernetes-benchmark](https://github.com/dev-sec/cis-kubernetes-benchmark)\n- [vibrato/inspec-meltdownspectre](https://github.com/vibrato/inspec-meltdownspectre)\n\nSecurity hardening guides, best practices, checklists, benchmarks, tools and\nother resources. 
Help from:\n\n- [US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)](https://public.cyber.mil/stigs/)\n- [decalage2/awesome-security-hardening](https://github.com/decalage2/awesome-security-hardening)\n\n## Setting up for development\n\nThis project uses:\n- [Terraform](https://www.terraform.io/)\n  - [dmacvicar/terraform-provider-libvirt](https://github.com/dmacvicar/terraform-provider-libvirt) for local dev\n  - [aws](https://registry.terraform.io/providers/hashicorp/aws/latest) for remote dev\n- [Ansible](https://www.ansible.com/) for development and evaluation.\n- [Taskfile](./Taskfile.yml) contains most of the magic to get this project working.\n\n### Initializing the project\n\n```bash\nmake init\n```\n\n- Ansible-galaxy installs the required public roles listed in [requirements.yml](requirements.yml).\n- Vagrant pulls down the most recent versions of the boxes currently configured.\n- An [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) is created to protect sensitive data such as keys / passwords in an encrypted vault. 
An example decrypted file can be reviewed in [vault-example.yml](inventory/group_vars/vault-example.yml), which will become [vault.yml](inventory/group_vars/vault.yml).\n\n### Encrypting and decrypting the vault\n\n```bash\nmake enc # encrypt vault.yml\nmake dec # decrypt vault.yml\n```\n\n### Creating the test VMs\n\n```bash\nmake build\nmake ping\n```\n\n- Vagrant creates the test VMs\n- Vagrant takes a snapshot of the state at _baseline_ to make iterative testing much faster\n\n### Managing the state of the VMs\n\n```bash\nmake start\nmake stop\nmake restore # restore baseline snapshot\nmake destroy # remove all traces\n```\n\n### Reviewing the baseline security of the official Vagrant boxes\n\n```bash\nmake audit\n```\n\n### Running a hardening playbook\n\n```bash\nmake play\nmake audit\n```\n\n## Supported Operating Systems\n\n| OS        | Release                                                              |\n| :-------- | :------------------------------------------------------------------- |\n| Ubuntu    | [20.04 - Focal](https://app.vagrantup.com/bento/boxes/ubuntu-20.04)  |\n|           | [19.10 - Eoan](https://app.vagrantup.com/bento/boxes/ubuntu-19.10)   |\n|           | [18.04 - Bionic](https://app.vagrantup.com/bento/boxes/ubuntu-18.04) |\n|           | [16.04 - Xenial](https://app.vagrantup.com/bento/boxes/ubuntu-16.04) |\n| Debian    | [10 - Buster](https://app.vagrantup.com/bento/boxes/debian-10)       |\n|           | [9 - Stretch](https://app.vagrantup.com/bento/boxes/debian-9)        |\n|           | [8 - Jessie](https://app.vagrantup.com/bento/boxes/debian-8)         |\n| ArchLinux | [ArchLinux](https://app.vagrantup.com/archlinux/boxes/archlinux)     |\n| CentOS    | [8](https://app.vagrantup.com/bento/boxes/centos-8)                  |\n|           | [7](https://app.vagrantup.com/bento/boxes/centos-7)                  |\n\n## Work in progress : Supported Operating Systems\n\n| OS     | Release                                                              |\n| 
:----- | :------------------------------------------------------------------- |\n| Ubuntu | [20.10 - Groovy](https://app.vagrantup.com/ubuntu/boxes/groovy64)    |\n|        | [14.04 - Trusty](https://app.vagrantup.com/bento/boxes/ubuntu-14.04) |\n| CentOS | [6](https://app.vagrantup.com/bento/boxes/centos-6)                  |\n| RHEL   | [8](https://app.vagrantup.com/roboxes/boxes/rhel8)                   |\n|        | [7](https://app.vagrantup.com/roboxes/boxes/rhel7)                   |\n|        | [6](https://app.vagrantup.com/roboxes/boxes/rhel6)                   |\n\n\n# https://github.com/mitogen-hq/mitogen/archive/v0.3.0-rc.0.tar.gz\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstefancrain%2Fsecuring-linux","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstefancrain%2Fsecuring-linux","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstefancrain%2Fsecuring-linux/lists"}