konstruktoid / ansible-role-hardening

Ansible role to apply a security baseline. Systemd edition.
Apache License 2.0

First time user feedback on the README. #774

Open qurm opened 1 week ago

qurm commented 1 week ago

Describe the bug

As a first-time user of this Ansible role, I had a couple of issues that I was able to work through, but it would have been easier if they were covered in the readme documentation. Can I suggest some updates to the readme for these points?

  1. I had a similar issue to this one: https://github.com/konstruktoid/ansible-role-hardening/issues/326
     I was unable to connect over ssh - this message in sshd log: .. because none of user's groups are listed in AllowGroups
     My ansible user had sudo permissions, was in AllowUsers, was in /etc/sudoers, but not in the sudo group, so I was initially locked out of the server. It is not clear what the purpose of the sugroup group is - should an ansible or admin user be in that group also?

  2. When setting up a new server, when is the best stage to run the hardening role? Should I set up the server applications before hardening? I found a minor issue when installing an application, and was unclear if this was due to the hardening. A brief summary of the purpose of the changes in defaults/main/packagemgmt.yml would have been helpful.

Expected behavior

Just an easier experience for those new to hardening via Ansible.

System (lsb_release -a or similar):

Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

Additional context

Thanks for this invaluable and well-maintained role, and I have run it many times without any errors. I am happy to draft some text for the readme to assist with this.
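The lockout reported above, as an added example that is not part of the original post or the role's code: a pre-flight check that evaluates sshd's user and group access lists for an account before the role is applied. The function names and the sample configuration are constructed for illustration, and pattern handling is simplified (no USER@HOST or negated patterns).

```python
# Added example, not code from the role. Simplified: no USER@HOST or "!" patterns.
from fnmatch import fnmatchcase

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Constructed sample of a global sshd_config section (not the role's real output).
SAMPLE_CONFIG = """\
AllowUsers ansible
AllowGroups sudo
Match User backup
    AllowGroups backup
"""

def parse_access_lists(config_text):
    """Collect the global access lists; keywords are case-insensitive and repeat."""
    lists = {name: [] for name in DIRECTIVES}
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "match":  # conditional blocks are outside this check
            break
        if keyword in lists:
            lists[keyword].extend(words[1:])
    return lists

def can_log_in(user, groups, lists):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in sshd's order."""
    def hit(names, patterns):
        return any(fnmatchcase(n, p) for n in names for p in patterns)
    if hit([user], lists["denyusers"]):
        return False, "user is listed in DenyUsers"
    if lists["allowusers"] and not hit([user], lists["allowusers"]):
        return False, "user is not listed in AllowUsers"
    if hit(groups, lists["denygroups"]):
        return False, "one of user's groups is listed in DenyGroups"
    if lists["allowgroups"] and not hit(groups, lists["allowgroups"]):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"

if __name__ == "__main__":
    acl = parse_access_lists(SAMPLE_CONFIG)
    # The situation from the issue: in AllowUsers, but not in the sudo group.
    print(can_log_in("ansible", ["ansible"], acl))
    # After adding the user to a group named in AllowGroups.
    print(can_log_in("ansible", ["ansible", "sudo"], acl))
```

On a real host the same check can be fed the effective configuration printed by `sshd -T` and the group list from `id -Gn` for the account, while an existing session is still open.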

konstruktoid commented 1 week ago

Hi @qurm and thanks for the feedback.

  1. https://github.com/konstruktoid/ansible-role-hardening/blob/master/README.md?plain=1#L833-L837 could perhaps be rewritten to clarify how it all works.

  2. Since this role is pretty massive (and that doesn't have to be a good thing), my steps are: Install distribution -> Run hardening role -> Install application using a role that applies all necessary changes for the application to work.

Updating the readme with the purpose of the changes in defaults/main/packagemgmt.yml would indeed be a good thing.

Thanks for the kind words and if you want to submit a PR with any updates, please do so.