ansible-os-hardening
Configuration ManagementAn Ansible collection providing battle‑tested security hardening playbooks for Linux OSes, MySQL, Nginx and OpenSSH.
Features
- Hardens Linux distributions (CentOS, AlmaLinux, Rocky Linux, Debian, Ubuntu, Amazon Linux, Arch Linux, Fedora, SUSE Tumbleweed)
- Secures MySQL/MariaDB installations according to DevSec baselines
- Applies Nginx configuration hardening for versions 1.0.16+
- Configures OpenSSH with recommended security settings (OpenSSH 5.3+)
Recent releases
View all 4 releases →
10.5.2
Bug fix
Fixed bug where apt cache was unnecessarily updated when installing libpam-passwdqc.
Full changelog
Changelog
10.5.2 (2026-03-28)
Fixed bugs:
- do not update apt cache when installing libpam-passwdqc #939 [os_hardening] (eikesauer)
Merged pull requests:
- chore(deps): update hugo19941994/delete-draft-releases action to v3 #940 (renovate[bot])
- chore(deps): pin dependencies #938 (renovate[bot])
- chore(deps): update actions/checkout digest to de0fac2 #932 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.5.1
Bug fix
Fixed flaky SSH failures on Ubuntu 24.04 and newer by disabling sshd socket activation.
Full changelog
Changelog
10.5.1 (2026-03-20)
Fixed bugs:
- fix flaky failures on Ubuntu 24.04 and newer by disabling sshd socket activation first #931 [ssh_hardening] (kuglimon)
Closed issues:
- SSH issue after running devsec.hardening.ssh_hardening role #854
Merged pull requests:
- chore(deps): update juliangruber/read-file-action digest to 271ff31 #937 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 8ba9595 #934 (renovate[bot])
- chore(deps): update artis3n/ansible_galaxy_collection action to v3 #933 (renovate[bot])
- Improve VM based testing of SSH hardening #878 [ssh_hardening] (schurzi)
10.5.0
Breaking risk
⚠ Upgrade required
- Disable systemd audit logging by default – can be re‑enabled via configuration if needed
- Consistently access Ansible facts using the ansible_facts.* namespace
Notable features
- Replaced deprecated community.general.yaml callback plugin with an alternative
Full changelog
Changelog
10.5.0 (2026-01-22)
Implemented enhancements:
- fix: replace deprecated community.general.yaml callback plugin #918 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (Normo)
- Consistently access facts via the ansible_facts.* namespace #917 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (Normo)
- disable systemd audit logging #902 [os_hardening] (z-bsod)
Fixed bugs:
- /etc/sysctl.conf is no longer honored in Debian 13 #905
Merged pull requests:
- chore(deps): update dependency jmespath to v1.1.0 #930 (renovate[bot])
- chore(deps): update actions/setup-python digest to a309ff8 #929 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update ansible/ansible-lint action to v26 #928 (renovate[bot])
- chore(deps): update artis3n/ansible_galaxy_collection digest to 415a92b - autoclosed #927 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to a2bc8b8 #924 (renovate[bot])
- chore(deps): update actions/setup-python digest to 83679a8 #920 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update actions/checkout action to v6 #919 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency molecule to v25.12.0 #914 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 40f24c2 #913 (renovate[bot])
- Update test environments to current Ansible version #909 [mysql_hardening] (schurzi)
- chore(deps): update ansible/ansible-lint digest to d7cd7cf #903 (renovate[bot])
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Install & Platforms
Platforms
linux
