I looked at both the documentation of Trellis and the ansible playbooks on GitHub.
I couldn’t find the usual hardening tasks, like removal of unused filesystems, setting up PAM, AppArmor/SELinux and so on. Am I missing something?
I have found two good hardening sources:
Are these considered overkill? Or will they be implemented in Trellis at some point? Are there any plans to include one or the other?
I don’t think anyone is against better security in Trellis. Between ferm and fail2ban there is a good amount of security in place. If you have some ideas or even implementations, Trellis is open source, so issues and PRs happen on GitHub.
Thanks for your reply. In my first post I started with what I have found to be implemented in Trellis, and my question was mainly whether I missed something.
So I found: fail2ban, ferm, ssh, ssl implementations.
But I didn’t find anything on removal of unused filesystems, or disabling single user mode, enforcing password rules, etc., so a bunch of other stuff that seems to be implemented in other hardening frameworks.
So did I miss something?
And my second major question regarding this was whether all this extra hardening done by others is overkill, or not?
I am not here to challenge anyone, or compare solutions, or complain. Merely to understand, and to learn. All my questions are asked with this intention.
And of course ultimately I would like to have a server setup which is as secure as possible, but does not get too much in the way.
Depends I guess. Some companies/industries have regulations where these things are needed whether they are overkill or not.
Trellis’ goal is to be secure enough for its main usage: a WordPress server. This doesn’t mean it’s perfect or has everything. But it does mean it’s probably much better than if someone were to try and set up a LEMP/LAMP stack on their own. The security measures we put in place are also meant to be more common/known ones. Some of the other ones you mentioned aren’t as well known and may be harder to implement (not sure though?).
edit: Trellis is also meant to be a starting point and extended or customized. Trellis is really just Ansible, and there are many good Ansible Galaxy roles available which offer these features you’re looking for (I’m assuming, but it’s likely).
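As an added example of the kind of task a Galaxy-style hardening role adds (this is not Trellis code and not from the thread; the module list and file names are assumptions), here is an Ansible task file that implements one item asked about above, blocking filesystem kernel modules a WordPress server never needs, and then verifies none of them is loaded:

```yaml
# Added example: disable unused filesystem kernel modules.
# Not part of Trellis; the module list below is an assumed, illustrative set.
- name: Define filesystem modules to disable (assumed list, adjust per host)
  set_fact:
    unused_fs_modules:
      - cramfs
      - freevxfs
      - jffs2
      - hfs
      - hfsplus
      - udf

- name: Prevent unused filesystem modules from being loaded
  copy:
    dest: "/etc/modprobe.d/disable-{{ item }}.conf"
    content: |
      # Managed by Ansible: block {{ item }} from being loaded
      install {{ item }} /bin/true
      blacklist {{ item }}
    owner: root
    group: root
    mode: "0644"
  loop: "{{ unused_fs_modules }}"

- name: Unload any of those modules that are currently loaded
  modprobe:
    name: "{{ item }}"
    state: absent
  loop: "{{ unused_fs_modules }}"
  # A module backing a mounted filesystem cannot be removed; report it
  # instead of aborting the whole play, the check below still fails the host.
  ignore_errors: true

- name: Verify none of the disabled modules is still loaded
  shell: "lsmod | awk '{print $1}' | grep -xF {{ item }}"
  register: fs_module_loaded
  # grep exits 0 only when the module name appears in lsmod output
  failed_when: fs_module_loaded.rc == 0
  changed_when: false
  loop: "{{ unused_fs_modules }}"
```

The file can be included from a custom role listed in Trellis’ server playbook, so the check runs on every provision rather than once by hand.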
Thank you for the confirmation. I will start to dig through both the dev-sec and OpenStack playbooks and roles, and see where we could add something to Trellis.
The good part is that they have battle-tested their playbooks in a major way - Deutsche Telekom is not a small thing. OpenStack isn’t either. And we just have to cherry-pick and copy-paste (I know it is probably a little too optimistic).