infra-automation

ansible/infra-automation

Fork 0

Commit Graph

Author	SHA1	Message	Date
ansible	df628983d1	Add no_log security protection to cloud-init user-data tasks Security improvement to prevent sensitive cloud-init configuration data from appearing in Ansible logs. Changes: - Add no_log: true to all cloud-init user-data template tasks - Applies to Debian/Ubuntu user-data generation - Applies to RHEL/CentOS/Rocky/Alma user-data generation - Applies to SUSE/openSUSE user-data generation Security rationale: - Cloud-init user-data contains sensitive information: * SSH keys and authorized_keys configuration * User passwords (hashed but still sensitive) * System configuration details * Network configuration - Following CLAUDE.md security guidelines - Prevents accidental exposure in CI/CD logs - Aligns with ansible-lint security best practices Impact: - No functional changes to role behavior - Enhanced security posture - Compliance with security-first principles Related to: ROLE_ANALYSIS_AND_IMPROVEMENTS.md recommendation 2.2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-11 01:35:19 +01:00
Infrastructure Team	eec15a1cc2	Add deploy_linux_vm role with LVM and SSH hardening Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks	2025-11-10 22:51:51 +01:00

Author

SHA1

Message

Date

ansible

df628983d1

Add no_log security protection to cloud-init user-data tasks

Security improvement to prevent sensitive cloud-init configuration
data from appearing in Ansible logs.

Changes:
- Add no_log: true to all cloud-init user-data template tasks
- Applies to Debian/Ubuntu user-data generation
- Applies to RHEL/CentOS/Rocky/Alma user-data generation
- Applies to SUSE/openSUSE user-data generation

Security rationale:
- Cloud-init user-data contains sensitive information:
  * SSH keys and authorized_keys configuration
  * User passwords (hashed but still sensitive)
  * System configuration details
  * Network configuration
- Following CLAUDE.md security guidelines
- Prevents accidental exposure in CI/CD logs
- Aligns with ansible-lint security best practices

Impact:
- No functional changes to role behavior
- Enhanced security posture
- Compliance with security-first principles

Related to: ROLE_ANALYSIS_AND_IMPROVEMENTS.md recommendation 2.2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-11 01:35:19 +01:00

Infrastructure Team

eec15a1cc2

Add deploy_linux_vm role with LVM and SSH hardening

Features:
- Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE)
- LVM configuration with meaningful volume groups and logical volumes
- 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap
- Security mount options on sensitive directories

SSH Hardening:
- GSSAPI authentication disabled
- GSSAPI cleanup credentials disabled
- Root login disabled via SSH
- Password authentication disabled
- Key-based authentication only
- MaxAuthTries: 3, ClientAliveInterval: 300s

Security Features:
- SELinux enforcing (RHEL family)
- AppArmor enabled (Debian family)
- Firewall configuration (UFW/firewalld)
- Automatic security updates
- Audit daemon (auditd) enabled
- Time synchronization (chrony)
- Essential security packages (aide, auditd)

Role Structure:
- Modular task organization (validate, install, download, storage, deploy, lvm)
- Tag-based execution for selective deployment
- OS-family specific cloud-init templates
- Comprehensive variable defaults (100+ configurable options)
- Post-deployment validation tasks

2025-11-10 22:51:51 +01:00

2 Commits