# dev-sec/ansible-collection-hardening

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/dev-sec-ansible-collection-hardening).**

5,225 stars · 815 forks · Jinja · apache-2.0

## Links

- GitHub: https://github.com/dev-sec/ansible-collection-hardening
- Homepage: http://dev-sec.io/
- awesome-repositories: https://awesome-repositories.com/repository/dev-sec-ansible-collection-hardening.md

## Topics

`ansible` `ansible-collection` `collection` `devsec` `hacktoberfest` `hardening` `linux` `mysql-hardening` `nginx` `nginx-hardening` `os-hardening` `playbook` `protection` `role` `ssh-hardening` `sysctl`

## Description

This is an Ansible collection that automates security hardening for Linux operating systems, databases, web servers, and SSH services. It provides a declarative, modular architecture that enforces idempotent security configurations, ensuring that each task only applies changes when the current system state deviates from the desired security baseline.

The collection organizes security configurations into reusable Ansible roles, each targeting a specific system component. It includes roles for hardening OpenSSH with key-only authentication and disabled root login, securing MySQL and MariaDB installations with strong authentication and local binding, and configuring Nginx and Apache web servers by disabling server tokens and restricting cipher suites. The roles are designed to work across multiple Linux families, using distribution-specific conditionals and package managers.

The collection maps hardening tasks to established security standards such as CIS benchmarks, grouping controls into role-specific conditional logic. It generates configuration files from Jinja2 templates with variables, enabling customization across different Linux distributions without duplicating code. The final hardened state of a system is defined in YAML inventory variables, allowing Ansible to converge any machine toward that state through continuous application.

## Tags

### Software Engineering & Architecture

- [Ansible Collections](https://awesome-repositories.com/f/software-engineering-architecture/application-lifecycle-management/configuration-management/automation-and-templating-frameworks/ansible-collections.md) — An Ansible collection that automates security baselines for Linux systems, network services, and databases to reduce attack surfaces and enforce compliance.
- [System State Idempotency](https://awesome-repositories.com/f/software-engineering-architecture/idempotency-mechanisms/system-state-idempotency.md) — Ensures each Ansible task only applies changes when the current system state deviates from the desired security baseline, preventing repeated modifications.
- [Infrastructure State Enforcers](https://awesome-repositories.com/f/software-engineering-architecture/software-architecture/architectural-patterns/layering-presentation/state-management-patterns/declarative-state-managers/infrastructure-state-enforcers.md) — Defines the final hardened state of a system in YAML inventory variables, allowing Ansible to converge any machine toward that state through continuous application.

### Security & Cryptography

- [Linux Security Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening.md) — Apply security hardening configurations to operating systems to meet compliance baselines, including user account restrictions and permission settings. ([source](http://dev-sec.io/baselines/windows))
- [Automated Hardening Playbooks](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/automated-hardening-playbooks.md) — Playbooks that configure kernel parameters, user accounts, file permissions, and audit settings for Linux distributions.
- [Database Server Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/database-server-hardening.md) — Enforce strong database authentication, remove default test databases, bind services to local sockets, and apply compliance baselines to secure database servers. ([source](http://dev-sec.io/baselines/mysql))
- [MySQL & MariaDB Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/database-server-hardening/mysql-mariadb-hardening.md) — Ansible tasks that remove anonymous accounts, set root passwords, bind to localhost, and delete default test databases.
- [SSH Service Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/ssh-service-hardening.md) — Disable remote root login, enforce key-based authentication, restrict encryption ciphers, and apply security baselines to secure shell daemon configuration. ([source](http://dev-sec.io/baselines/postgres))
- [Web Server Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/web-server-hardening.md) — Hardening web servers like Nginx by disabling server tokens, restricting cipher suites, and limiting attack surface.
- [SSH Hardening Playbooks](https://awesome-repositories.com/f/security-cryptography/server-hardening/ssh-hardening-playbooks.md) — Ansible roles that enforce key-based authentication, disable root login, and restrict cipher suites on SSH servers.
- [SSH Security Configurations](https://awesome-repositories.com/f/security-cryptography/server-hardening/ssh-security-configurations.md) — Configuring OpenSSH with key-only authentication, disabled root login, and strong ciphers to secure remote access.

### DevOps & Infrastructure

- [Cross-Distribution Role Support](https://awesome-repositories.com/f/devops-infrastructure/configuration-management/declarative-configuration-frameworks/ansible-modules/cross-distribution-role-support.md) — Tests and validates role execution across multiple Linux families (Debian, Red Hat, etc.) using distribution-specific conditionals and package managers.
- [Role-Based Configuration Modularization](https://awesome-repositories.com/f/devops-infrastructure/role-based-configuration-modularization.md) — Organises security configurations into reusable Ansible roles, each targeting a specific system component like SSH, nginx, or MySQL.
- [Compliance Baseline Mappings](https://awesome-repositories.com/f/devops-infrastructure/security-automation-workflows/security-assessment-frameworks/customizable-security-checks/hardening-baseline-checks/cis-baseline-implementations/compliance-baseline-mappings.md) — Aligns hardening tasks with established security standards such as CIS benchmarks by grouping controls into role-specific conditional logic.

### Web Development

- [Nginx Security Hardening](https://awesome-repositories.com/f/web-development/web-infrastructure-deployment/web-infrastructure-servers/web-server-hosting/nginx-security-hardening.md) — Automated configuration to disable server tokens, limit SSL protocols, and set secure headers for Nginx deployments.