Secure Fortress Linux is an automated hardening solution designed to secure Linux environments using best practices. By leveraging Ansible for configuration management and Wazuh for monitoring, it ensures robust system security while allowing continuous compliance monitoring and rootkit detection.
- Features
- Prerequisites
- Project Structure
- Installation
- Usage
- Bash Script (`linux_hardening.sh`)
- Correlation Between Components
- Contributing
- License
## Features

- **Automated Linux Hardening**: Utilizes shell scripts to harden Linux systems.
- **Wazuh Integration**: Real-time monitoring and alerting with Wazuh.
- **Configurable with Ansible**: Scalable deployments using Ansible playbooks.
- **Logging**: Logs every step for easy auditing and troubleshooting.
## Prerequisites

Before you start, ensure you have the following installed:

- Ansible (version 2.9 or higher)
- Wazuh Agent (version 4.x)
- Python 3.x (for Ansible)
## Project Structure

```
.
├── config
│   ├── ansible.cfg
│   └── hosts
├── logs
│   └── deployment.log
├── playbooks
│   └── playbook_hardening.yml
├── scripts
│   └── linux_hardening.sh
└── templates
    └── wazuh-agent-config.j2
```

- `config/`: Ansible configuration files and inventory.
- `logs/`: Log files of the deployment process.
- `playbooks/`: Ansible playbooks for automating the hardening process.
- `scripts/`: The main shell script for hardening Linux systems.
- `templates/`: Template for the Wazuh agent configuration.
## Installation

1. **Clone the Repository**:

   ```bash
   git clone https://github.com/elliotsecops/Secure-Fortress-Linux.git
   cd Secure-Fortress-Linux
   ```

2. **Install Prerequisites**:
   - Ensure Ansible, Wazuh Agent, and Python 3.x are installed on your system.

3. **Configure Ansible**:
   - Update the `config/hosts` file with your target server details.
   - Customize the `config/ansible.cfg` file if necessary.

4. **Run the Hardening Script**:

   ```bash
   ansible-playbook playbooks/playbook_hardening.yml
   ```
## Usage

1. **Customize Configuration**:
   - Modify the `templates/wazuh-agent-config.j2` file to match your Wazuh server configuration.
   - Adjust the `scripts/linux_hardening.sh` script to fit your specific hardening requirements.

2. **Execute the Playbook**:

   ```bash
   ansible-playbook playbooks/playbook_hardening.yml
   ```

3. **Review Logs**:
   - Check the `logs/deployment.log` file for detailed logs of the hardening process.
## Bash Script (`linux_hardening.sh`)

The `linux_hardening.sh` script performs various security hardening tasks on the system. Here's a breakdown of what it does:

1. **System Update**:
   - Updates the package list and upgrades all installed packages to their latest versions.

2. **Firewall Configuration**:
   - Configures UFW (Uncomplicated Firewall) to block all incoming traffic by default and allow all outgoing traffic.
   - Allows SSH traffic.
   - Enables the UFW firewall.

3. **Service Disabling**:
   - Disables unnecessary services such as `avahi-daemon`, `cups`, and `nfs-server`.

4. **Password Security**:
   - Enhances password security by setting the minimum password length to 12 characters and requiring at least four character classes (e.g., uppercase, lowercase, digits, special characters).

5. **Auditd Configuration**:
   - Configures `auditd` to monitor changes to critical files like `/etc/passwd`, `/etc/shadow`, `/etc/gshadow`, and `/etc/group`.

6. **File and Directory Permissions**:
   - Sets basic permissions on sensitive files and directories.

7. **SSH Configuration**:
   - Disables root login via SSH.
   - Disables password authentication for SSH, forcing the use of SSH keys.
   - Restarts the SSH service to apply the new configuration.
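As an added example (not the project's `linux_hardening.sh`), the SSH, password-policy and auditd steps above written as idempotent shell functions that take the config file path as an argument, so each can be exercised against a copy before anything under `/etc` is changed. The audit rule key `identity` is an assumed name chosen here.

```bash
#!/usr/bin/env bash
# Added example, not the project's linux_hardening.sh: idempotent helpers for three
# of the steps listed above. Every function takes the target file as an argument so
# it can be run against a copy (or a temp file) before anything under /etc is touched.
set -euo pipefail

# set_directive FILE KEY VALUE [SEP]: rewrite an existing directive (active or
# commented out) in place, or append it if absent. Re-running never duplicates lines.
set_directive() {
  local file="$1" key="$2" value="$3" sep="${4:- }"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]=]|$)" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}([[:space:]=].*)?$|${key}${sep}${value}|" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

# SSH step: no root login, no password authentication. Verifies that each directive
# appears exactly once afterwards and returns 1 otherwise, so a caller can refuse to
# restart sshd on a file it does not fully control (e.g. a stray Match block).
harden_sshd_config() {
  local file="$1" key
  set_directive "$file" PermitRootLogin no
  set_directive "$file" PasswordAuthentication no
  for key in PermitRootLogin PasswordAuthentication; do
    [ "$(grep -Ec "^${key}[[:space:]=]+" "$file")" -eq 1 ] || return 1
    grep -Eq "^${key}[[:space:]=]+no$" "$file" || return 1
  done
}

# Password step (pwquality.conf): 12-character minimum, four character classes.
harden_pwquality() {
  local file="$1"
  set_directive "$file" minlen 12 " = "
  set_directive "$file" minclass 4 " = "
}

# Auditd step: watch writes and attribute changes (-p wa) on the identity files.
# The rule key "identity" is an assumed name, used for filtering with ausearch -k.
write_audit_rules() {
  local file="$1" f
  : > "$file"
  for f in /etc/passwd /etc/shadow /etc/gshadow /etc/group; do
    printf -- '-w %s -p wa -k identity\n' "$f" >> "$file"
  done
}
```

Before restarting `sshd` on the hardened file, validate it with `sshd -t -f <file>` and confirm the administrative account already has a key in `authorized_keys`; with password authentication disabled, a missing key leaves the host unreachable.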
## Correlation Between Components

The components of Secure Fortress Linux work together to ensure comprehensive system hardening and monitoring:

- **Ansible Configuration (`ansible.cfg`)**: Sets up the environment and behavior for Ansible, including inventory management, remote user settings, logging, privilege escalation, and SSH connection options.
- **Bash Script (`linux_hardening.sh`)**: Performs the initial hardening tasks on the system, such as updating the system, configuring the firewall, and securing SSH.
- **Wazuh Agent Configuration Template (`wazuh-agent-config.j2`)**: Configures the Wazuh agent to monitor and alert on security-related events, such as rootkit detection, file integrity monitoring, and log collection.
- **Ansible Playbook (`playbook_hardening.yml`)**: Orchestrates the execution of the Bash script and the configuration of the Wazuh agent. It uses the `wazuh-agent-config.j2` template to generate the Wazuh agent configuration file and applies it to the target hosts.

The `linux_hardening.sh` Bash script performs the initial hardening tasks on the system, while the `wazuh-agent-config.j2` template configures the Wazuh agent to monitor and alert on security-related events. The Ansible playbook (`playbook_hardening.yml`) orchestrates the execution of these tasks, ensuring a seamless and automated hardening and monitoring process.
## Contributing

We welcome contributions! Please see our Contributing Guide for more details.

## License

This project is licensed under the MIT License. See the LICENSE file for more details.