Applying CIS Hardening for Linux Servers Using Ansible Automation

Introduction

As organizations continue to scale their digital infrastructure, security has become a top priority—especially for large enterprises and regulated industries such as healthcare, finance, and government. Linux remains one of the most widely used operating systems for server workloads, and applying security hardening is essential to protect mission-critical systems from vulnerabilities, misconfigurations, and attacks.

The Center for Internet Security (CIS) provides one of the most widely adopted security benchmarks for securing Linux environments. However, manually applying CIS hardening across dozens or hundreds of servers is error-prone, time-consuming, and difficult to maintain.

This is where Ansible automation plays a transformational role. Ansible enables engineers to apply CIS controls consistently, repeatedly, and at scale—delivering strong security while reducing administrative burden.

In this article, we’ll explore how to apply CIS hardening to Linux servers using Ansible automation, along with key concepts, examples, and best practices.

⸻

Why CIS Hardening Matters

CIS benchmarks provide a standardized, vendor-neutral set of security recommendations covering:
• User authentication and password policies
• File system permissions
• Logging and auditing
• Network configuration
• Kernel parameters
• Service management
• SSH configuration
• Firewall rules
• Privilege management
• Patch compliance

Following CIS improves:

✔ System security
✔ Compliance readiness
✔ Protection against misconfigurations
✔ Risk reduction for critical workloads
✔ Repeatable and auditable security processes

When combined with automation tools like Ansible, CIS hardening becomes faster, scalable, and highly reliable.

⸻

Why Use Ansible for CIS Hardening?

Ansible is ideal for CIS security automation because:

1. Agentless Architecture

No agents are installed on Linux servers—only SSH access is required.

1. Idempotency

Running the hardening playbook multiple times produces consistent and predictable results.

1. YAML-Based Playbooks

Easy to read, understand, review, and audit.

1. Easy Integration

Works seamlessly with CI/CD, Git, monitoring, and CMDBs.

1. Scalability

One command can apply CIS hardening to hundreds of servers.

⸻

CIS Benchmarks Commonly Implemented with Ansible

Typical CIS recommendations for Linux systems include:

✔ Password and Authentication Requirements
• Enforce strong password length
• Configure password aging
• Lockout policies
• Disable empty or duplicate UIDs
• Enforce multi-factor authentication (optional)

✔ SSH Hardening
• Disable root login
• Restrict protocol versions
• Limit authentication methods
• Configure idle timeouts

✔ System Logging & Auditing
• Enable auditd
• Configure logrotate
• Log permission requirements
• Kernel auditing rules

✔ File System Security
• Restrict /tmp, /var/tmp, /dev/shm
• Configure nodev, nosuid, noexec
• Set secure permissions on system files

✔ Network Configuration
• Disable unused network services
• Configure firewall defaults
• Set secure sysctl settings

✔ Kernel Parameter Hardening
• Prevent IP forwarding
• Disable ICMP redirects
• Enable TCP syncookies
• Apply secure sysctl options

✔ Service Management
• Remove or disable unnecessary services
• Secure cron jobs
• Restrict system daemons

⸻

Implementing CIS Hardening with Ansible

There are two main approaches:

⸻

Approach 1 — Use the Official Ansible CIS Roles (Recommended)

The community-maintained role dev-sec/ansible-collection-hardening is widely used for CIS-aligned hardening.

Example installation:

ansible-galaxy collection install devsec.hardening

Apply Linux hardening with:

• hosts: linux_servers become: yes roles:
  • devsec.hardening.os_hardening

⸻

Approach 2 — Build Your Own Custom CIS Hardening Playbook

This allows personalization based on your environment and compliance requirements.

Example: SSH Hardening

• name: Harden SSH configuration for CIS compliance lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present with_items:
  • { regexp: "^PermitRootLogin", line: "PermitRootLogin no" }
  • { regexp: "^Protocol", line: "Protocol 2" }
  • { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
  • { regexp: "^LoginGraceTime", line: "LoginGraceTime 30" }
  • { regexp: "^ClientAliveInterval", line: "ClientAliveInterval 300" }

Example: Password Complexity

• name: Set password complexity parameters replace: path: /etc/security/pwquality.conf regexp: "{{ item.regexp }}" replace: "{{ item.line }}" with_items:
  • { regexp: '^minlen.*', line: 'minlen = 12' }
  • { regexp: '^dcredit.*', line: 'dcredit = -1' }
  • { regexp: '^ucredit.*', line: 'ucredit = -1' }
  • { regexp: '^lcredit.*', line: 'lcredit = -1' }
  • { regexp: '^ocredit.*', line: 'ocredit = -1' }

Example: Kernel Hardening (Sysctl)

• name: Apply CIS kernel parameters sysctl: name: "{{ item.name }}" value: "{{ item.value }}" state: present reload: yes with_items:
  • { name: 'net.ipv4.conf.all.accept_redirects', value: 0 }
  • { name: 'net.ipv4.conf.all.send_redirects', value: 0 }
  • { name: 'net.ipv4.tcp_syncookies', value: 1 }
  • { name: 'net.ipv4.conf.default.rp_filter', value: 1 }

⸻

Validating CIS Hardening

Validation is essential to ensure the playbooks are effective and compliant.

1. Use OpenSCAP

Scan the system:

oscap xccdf eval --profile cis --results results.xml /usr/share/openscap/scap-yaml

1. Use Lynis

Run:

lynis audit system

1. Test in a non-production environment

Always evaluate changes before rolling out at scale.

⸻

Benefits of Using Ansible for CIS Hardening

✔ Consistency

All servers follow the same hardened configurations.

✔ Compliance

CIS-aligned playbooks support HIPAA, PCI-DSS, NIST, and SOC 2 audits.

✔ Scalability

Apply hardening to hundreds of servers with a single command.

✔ Time Savings

Reduce manual work from hours to minutes.

✔ Reproducibility

Any new server automatically receives hardening via automation.

✔ Documentation

Ansible playbooks serve as living documentation of security controls.

⸻

Best Practices
• Maintain a separate Git repository for CIS roles.
• Test changes in lower environments.
• Use Ansible Vault to secure sensitive variables.
• Tag tasks (tags: cis_level1, tags: cis_level2).
• Generate automated hardening reports.
• Integrate CIS playbooks into CI/CD pipelines.
• Schedule periodic re-hardening via automation.

⸻
Conclusion

CIS hardening is one of the most effective steps to protect Linux servers from misconfigurations and security threats. With Ansible automation, organizations gain the ability to apply these controls at scale, consistently and reliably. Automation not only strengthens compliance readiness but also ensures repeatable and documented security operations.

For Linux engineers, mastering CIS hardening with Ansible significantly enhances security posture while demonstrating strong infrastructure engineering and automation skills—valuable in enterprise, cloud, and highly regulated environments such as healthcare, finance and banking.