# Security hardening guide

This repo’s security hardening is implemented primarily through Ansible roles and inventory defaults.

## What runs where

- **SSH hardening + firewall**: `roles/ssh/`
- **Baseline packages/security utilities**: `roles/base/`
- **Monitoring + intrusion prevention (servers)**: `roles/monitoring_server/` (includes `fail2ban`)
- **Secrets**: Ansible Vault in `inventories/production/group_vars/all/vault.yml`

## Recommended flow

```bash
# Dry-run first
make check

# Apply only security-tagged roles
make security
```

## Secrets / Vault

Use Ansible Vault for anything sensitive (credentials, tokens, private keys) rather than committing it in plaintext:

- Guide: `docs/guides/vault.md`

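A pre-flight check worth running before `make check` / `make security`, covering the flow above and the vault rule: this is an added example and not code from this repo, and it assumes nothing about what the Makefile targets do. It verifies that files expected to be vault-encrypted (such as `inventories/production/group_vars/all/vault.yml`) actually carry the Ansible Vault header, so a plaintext secrets file is never applied or pushed by mistake. The script name `vault-precheck.sh`, the function names and the sample files are constructed for the demonstration.

```bash
#!/usr/bin/env sh
# Added example, not code from this repo: refuse to continue when a file that
# should be Ansible Vault-encrypted is actually plaintext. Encrypted vault files
# start with the header "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault-id>"
# when a vault id label is used); anything else is treated as plaintext.

# vault_is_encrypted FILE -> returns 0 if FILE carries an Ansible Vault header.
vault_is_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_vault_files FILE... -> reports each file; returns 1 if any is plaintext
# (or missing), so it can gate a Makefile target or a pre-commit hook.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if vault_is_encrypted "$f"; then
            echo "encrypted  $f"
        else
            echo "PLAINTEXT  $f"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    # Real usage (hypothetical script name): pass the vault files to gate on, e.g.
    #   sh vault-precheck.sh inventories/production/group_vars/all/vault.yml && make check
    check_vault_files "$@"
else
    # Demo on constructed sample files (not from the repo): one with a genuine
    # vault header and one with plaintext YAML.
    demo=$(mktemp -d)
    printf '$ANSIBLE_VAULT;1.1;AES256\n6539306534663930\n' > "$demo/vault.yml"
    printf 'db_password: hunter2\n' > "$demo/plain.yml"
    check_vault_files "$demo/vault.yml" "$demo/plain.yml" \
        || echo "refusing to continue: plaintext secrets found"
    rm -rf "$demo"
fi
```

The header check is deliberately strict about the prefix only: it does not parse the ciphertext, so it cannot confirm the file decrypts with the current vault password, but it catches the common failure of a vault file that was decrypted in place for editing and then committed. A missing file also fails the check, which is the safer default for a pre-flight gate.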
## Canonical standards

- `project-docs/standards.md`