
[Feature]: Add Infra Hardening Standards in the project #73

Description

@chefgs

Infrastructure hardening in the devops_os project

Context

devops_os (at /Users/gsaravanan/gsdev/devops_os) is a CLI scaffold generator with this pattern:

  • devopsos scaffold gha --options → generates GitHub Actions YAML
  • devopsos scaffold sre --options → generates Prometheus rules, Grafana dashboards, SLO manifests
  • devopsos scaffold argocd --options → generates ArgoCD application manifests
  • devopsos scaffold k8s --options → generates Kubernetes YAML (kubectl/kustomize/argocd/flux)

Key files:

  • cli/devopsos.py — Typer app with scaffold_app sub-app; each scaffold is registered as a sub-command
  • cli/scaffold_gha.py, scaffold_sre.py, scaffold_argocd.py, etc. — generator modules
  • kubernetes/k8s-config-generator.py — K8s YAML generator (standalone, not yet wired into Typer)
  • kubernetes/kubernetes-templates/ — argocd/, flux/, kustomize/ subdirs with YAML templates

Pattern for adding a new scaffold:

  1. Create cli/scaffold_hardening.py with argparse/Typer CLI + file generation logic
  2. Create hardening/templates/ with template files
  3. Register in cli/devopsos.py as scaffold_app.add_typer(hardening_app, name="hardening")
  4. Add docs to docs/
  5. Add tests to tests/

What to document

Write docs/devops-os-hardening-sprint.md with the following sections:

1. Sprint Goal

One paragraph — what devopsos scaffold hardening delivers and why it belongs in devops_os (not GovPilot).

2. Hardening Standards Covered

Table of standards to implement:

| Standard | Target | Tool | Files generated |
|---|---|---|---|
| CIS Kubernetes Benchmark v1.9 | Kubernetes cluster | Kyverno YAML policies | kyverno-cis-k8s.yaml |
| CIS Docker Benchmark v1.6 | Container runtime | InSpec profile | inspec/docker-cis/ |
| CIS RHEL 9 Benchmark | OS (RHEL/Rocky/AlmaLinux) | InSpec profile | inspec/rhel9-cis/ |
| CIS Ubuntu 22.04 Benchmark | OS (Ubuntu) | InSpec profile | inspec/ubuntu22-cis/ |
| DISA STIG for Kubernetes | Kubernetes cluster | Kyverno YAML policies | kyverno-stig-k8s.yaml |
| NSA/CISA Kubernetes Hardening Guide | Kubernetes cluster | Kyverno + NetworkPolicy | kyverno-nsa-k8s.yaml |
| Pod Security Standards (Kubernetes) | Pod admission | Kyverno ClusterPolicy | kyverno-pod-security.yaml |
| Container Image Signing | CI/CD + admission | Kyverno + Cosign policy | kyverno-image-signing.yaml |
| OWASP ASVS L1 (infra layer only) | Application deployment | Kyverno + Checkov | asvs-l1-checks/ |
| Essential Eight (Australia ASD) | General controls | InSpec + Checkov | essential-eight/ |

3. CLI Design

Show the full devopsos scaffold hardening CLI interface:

# Generate CIS Kubernetes hardening policies
devopsos scaffold hardening --standard cis-k8s --output hardening/

# Generate DISA STIG Kubernetes policies
devopsos scaffold hardening --standard stig-k8s --output hardening/

# Generate OS hardening InSpec profile for RHEL 9
devopsos scaffold hardening --standard cis-rhel9 --type inspec --output hardening/

# Generate all Kyverno policies for a production cluster
devopsos scaffold hardening --standard all --type kyverno --output hardening/

# Generate with compliance mapping (links back to GovPilot gap register)
devopsos scaffold hardening --standard cis-k8s --compliance-framework pci-dss --output hardening/

Options:

  • --standard — which hardening standard (cis-k8s, stig-k8s, nsa-k8s, cis-docker, cis-rhel9, cis-ubuntu22, pod-security, image-signing, essential-eight, all)
  • --type — output type: kyverno, inspec, checkov, all (default: all applicable)
  • --output — output directory (default: ./hardening/)
  • --compliance-framework — optional: tag outputs with compliance framework IDs (pci-dss, hipaa, iso27001, rbi, etc.) for GovPilot catalog linking
  • --severity — filter by minimum severity level (critical, high, medium, low)
  • --environment — target environment profile: dev, staging, production (adjusts enforcement levels)

4. File Structure Generated

Show what devopsos scaffold hardening --standard all --output hardening/ generates:

hardening/
├── kyverno/
│   ├── cis-k8s/
│   │   ├── 1-master-node-config.yaml       — CIS 1.x master node API server settings
│   │   ├── 2-etcd-config.yaml              — CIS 2.x etcd security
│   │   ├── 3-control-plane-config.yaml     — CIS 3.x control plane settings
│   │   ├── 4-worker-node-config.yaml       — CIS 4.x kubelet settings
│   │   └── 5-policies.yaml                 — CIS 5.x policies (RBAC, secrets, networking)
│   ├── stig-k8s/
│   │   └── stig-cluster-policies.yaml      — DISA STIG rules for K8s
│   ├── nsa-k8s/
│   │   ├── pod-security.yaml               — NSA pod hardening
│   │   └── network-policies.yaml           — NSA network segmentation
│   ├── pod-security-standards.yaml         — Baseline/Restricted PSS enforcement
│   └── image-signing.yaml                  — Cosign image signature verification
├── inspec/
│   ├── docker-cis/
│   │   ├── inspec.yml                      — profile metadata
│   │   └── controls/
│   │       ├── 1_host_configuration.rb     — CIS 1.x host config checks
│   │       ├── 2_docker_daemon.rb          — CIS 2.x daemon config
│   │       ├── 3_docker_daemon_files.rb    — CIS 3.x file permissions
│   │       ├── 4_container_images.rb       — CIS 4.x image checks
│   │       └── 5_container_runtime.rb      — CIS 5.x runtime config
│   ├── rhel9-cis/
│   │   ├── inspec.yml
│   │   └── controls/
│   │       ├── 1_filesystem.rb             — CIS 1.x filesystem config
│   │       ├── 2_services.rb               — CIS 2.x inetd, special services
│   │       ├── 3_network.rb                — CIS 3.x network params
│   │       ├── 4_logging.rb                — CIS 4.x logging and auditing
│   │       └── 5_access.rb                 — CIS 5.x access, auth, sudo
│   └── ubuntu22-cis/
│       ├── inspec.yml
│       └── controls/ (same structure)
├── essential-eight/
│   ├── README.md                           — maturity levels and applicability
│   └── checkov/
│       └── essential-eight-checks.py      — Checkov custom checks for E8
└── compliance-mapping.yaml                — maps each hardening rule → compliance control IDs
                                             (used by GovPilot check catalog)

5. Implementation Plan

Break into 4 implementation tasks with file paths and what each touches:

Task 1 — CLI scaffold module (cli/scaffold_hardening.py)

  • Typer sub-app with all options
  • Calls template generators per standard
  • Registers in cli/devopsos.py
  • ~200 lines
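The option-resolution core that Task 1 and the CLI design above call for, as an added example that is not devops_os project code. It expands `--standard` / `--type` into concrete work items, applies the `--environment` enforcement rule and the `--severity` floor, and refuses combinations that would generate nothing (for example an InSpec-only standard with `--type kyverno`). Assumptions, labelled in the code: the STANDARDS table is a constructed subset of the standards table in this issue, the function names `resolve_plan`, `enforcement_for`, `severity_allows` and `build_parser` are hypothetical, and argparse is used here only because it is stdlib; the project registers Typer sub-apps, and the same functions would sit behind a Typer command.

```python
"""Added example (not devops_os project code): option resolution for a
`devopsos scaffold hardening` sub-command.

Assumptions: STANDARDS is a constructed subset of the issue's standards
table; function names are hypothetical; argparse stands in for Typer.
"""
import argparse
from pathlib import PurePosixPath

# Constructed: each --standard value -> the output types that apply to it.
STANDARDS = {
    "cis-k8s":         {"kyverno"},
    "stig-k8s":        {"kyverno"},
    "nsa-k8s":         {"kyverno"},
    "pod-security":    {"kyverno"},
    "image-signing":   {"kyverno"},
    "cis-docker":      {"inspec"},
    "cis-rhel9":       {"inspec"},
    "cis-ubuntu22":    {"inspec"},
    "essential-eight": {"inspec", "checkov"},
}
OUTPUT_TYPES = ("kyverno", "inspec", "checkov")
SEVERITIES = ("low", "medium", "high", "critical")   # ascending order
ENVIRONMENTS = ("dev", "staging", "production")


def enforcement_for(environment: str) -> str:
    """Kyverno validationFailureAction per environment (assumed mapping):
    Audit in dev/staging so findings are visible first, Enforce in production."""
    return "Enforce" if environment == "production" else "Audit"


def severity_allows(rule_severity: str, minimum: str) -> bool:
    """--severity semantics: keep rules at or above the requested floor."""
    return SEVERITIES.index(rule_severity) >= SEVERITIES.index(minimum)


def resolve_plan(standard: str, out_type: str, environment: str, output: str):
    """Expand the options into (standard, type, output_dir, action) items.
    Raises ValueError instead of silently generating nothing."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {environment}")
    if standard != "all" and standard not in STANDARDS:
        raise ValueError(f"unknown standard: {standard}")
    if out_type != "all" and out_type not in OUTPUT_TYPES:
        raise ValueError(f"unknown output type: {out_type}")
    wanted = list(STANDARDS) if standard == "all" else [standard]
    plan = []
    for std in wanted:
        for typ in sorted(STANDARDS[std]):
            if out_type != "all" and typ != out_type:
                continue
            out_dir = str(PurePosixPath(output) / typ / std)
            # Enforcement level only means something for admission policies.
            action = enforcement_for(environment) if typ == "kyverno" else "n/a"
            plan.append((std, typ, out_dir, action))
    if not plan:
        raise ValueError(f"--type {out_type} does not apply to --standard {standard}")
    return plan


def build_parser() -> argparse.ArgumentParser:
    """The option surface from the CLI Design section, as an argparse parser."""
    p = argparse.ArgumentParser(prog="devopsos scaffold hardening")
    p.add_argument("--standard", required=True, choices=["all", *STANDARDS])
    p.add_argument("--type", default="all", choices=["all", *OUTPUT_TYPES])
    p.add_argument("--output", default="./hardening/")
    p.add_argument("--compliance-framework", default=None)
    p.add_argument("--severity", default="low", choices=SEVERITIES)
    p.add_argument("--environment", default="dev", choices=ENVIRONMENTS)
    return p


if __name__ == "__main__":
    args = build_parser().parse_args()
    for item in resolve_plan(args.standard, args.type, args.environment, args.output):
        print(*item)
```

Running it as `python scaffold_plan.py --standard all --type kyverno --environment production` lists the five Kyverno output directories with `Enforce`; the same command with `--environment dev` lists them with `Audit`, which is the behaviour the `--environment` option describes.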

Task 2 — Kyverno policy templates (hardening/templates/kyverno/)

  • YAML templates for each standard (CIS K8s, STIG, NSA, pod security, image signing)
  • Parameterized with Jinja2 or string.Template for environment/severity customization
  • Each policy has annotations with compliance control IDs for GovPilot catalog linking
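One way to do the template step in Task 2 with `string.Template`, as an added example that is not devops_os project code: a single Kyverno ClusterPolicy (the CIS "no privileged containers" control) rendered with the environment-dependent `validationFailureAction`, a severity annotation, and an annotation carrying the compliance control IDs, filtered to one framework when `--compliance-framework` is given. Assumptions: the rule id `cis-k8s-5.2.2`, the control IDs in `SAMPLE_CONTROLS` and the `devopsos.io/` annotation prefix are constructed sample values, and `render_policy` is a hypothetical function name.

```python
"""Added example (not devops_os project code): rendering a parameterised
Kyverno ClusterPolicy with compliance-control annotations.

Assumptions: rule id, control IDs and the devopsos.io/ annotation prefix
are constructed; render_policy is a hypothetical name.
"""
from string import Template

# Environment profile -> Kyverno enforcement mode (assumed mapping).
ACTION = {"dev": "Audit", "staging": "Audit", "production": "Enforce"}

# $-placeholders are filled by Template.substitute; Kyverno's own syntax
# uses no `$`, so no escaping is needed here.
POLICY_TEMPLATE = Template("""\
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: $name
  annotations:
    policies.kyverno.io/severity: $severity
    devopsos.io/rule-id: $rule_id
    devopsos.io/benchmark: "$benchmark"
    devopsos.io/compliance-controls: "$controls"
spec:
  validationFailureAction: $action
  background: true
  rules:
    - name: $name
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "$message"
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
""")

# Constructed sample: control IDs the rule maps to, one per framework.
SAMPLE_CONTROLS = ["pci-dss:2.2.4", "iso27001:A.8.9"]


def render_policy(rule_id, name, benchmark, severity, environment,
                  controls, framework=None):
    """Render one policy. `framework` mirrors --compliance-framework: when
    set, only that framework's control IDs are written into the annotation.
    An unknown environment raises KeyError instead of defaulting silently."""
    ids = [c for c in controls if framework is None or c.startswith(framework + ":")]
    return POLICY_TEMPLATE.substitute(
        name=name,
        rule_id=rule_id,
        benchmark=benchmark,
        severity=severity,
        action=ACTION[environment],
        controls=",".join(ids),
        message=f"Privileged containers are not allowed (CIS {benchmark})",
    )


if __name__ == "__main__":
    print(render_policy("cis-k8s-5.2.2", "disallow-privileged-containers",
                        "5.2.2", "high", "production", SAMPLE_CONTROLS,
                        framework="pci-dss"))
```

The `=(key)` anchors make the pattern apply only when the field exists, so pods without a `securityContext` still pass; the point of the template is that the enforcement mode and the annotation contents change with the CLI options while the rule body stays fixed.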

Task 3 — InSpec profile templates (hardening/templates/inspec/)

  • Skeleton InSpec profiles for Docker CIS, RHEL9 CIS, Ubuntu 22 CIS
  • Each control references CIS benchmark section and compliance framework control IDs
  • inspec.yml with profile metadata, controls/*.rb with test cases

Task 4 — Compliance mapping file (hardening/templates/compliance-mapping.yaml)

  • YAML file linking each hardening rule to compliance framework control IDs
  • Format: rule_id → [framework_control_ids]
  • Consumed by GovPilot check_selector.py to link hardening checks into the catalog

6. Testing Plan

  • Unit tests for each scaffold generator (tests/test_hardening_scaffold.py)
  • Validate generated Kyverno YAML with kubectl apply --dry-run
  • Validate InSpec profiles with inspec check <profile-dir>
  • Verify compliance-mapping.yaml links resolve to valid check catalog entries
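The compliance-mapping file from Task 4 and the last testing bullet above, as an added example that is neither devops_os nor GovPilot code: a constructed `compliance-mapping.yaml` in the `rule_id → [framework_control_ids]` shape, a reader for that shape, a check that every referenced control exists in a check catalog, and the selection a `--compliance-framework` value implies. Assumptions: `SAMPLE_MAPPING` and `SAMPLE_CATALOG` are constructed (one reference is deliberately dangling to show the check firing), the reader handles only this block-list subset of YAML so that it needs no PyYAML, and the GovPilot `check_selector.py` interface is not reproduced.

```python
"""Added example (not devops_os or GovPilot code): validating a
compliance-mapping.yaml against a check catalog and selecting rules by
compliance framework.

Assumptions: SAMPLE_MAPPING / SAMPLE_CATALOG are constructed; parse_mapping
understands only the `key:` + `- item` block-list subset of YAML.
"""

# Constructed sample in the issue's rule_id -> [framework_control_ids] shape.
SAMPLE_MAPPING = """\
# hardening rule id -> compliance framework control IDs (constructed)
cis-k8s-5.2.2:
  - pci-dss:2.2.4
  - iso27001:A.8.9
cis-k8s-5.7.4:
  - pci-dss:7.2
image-signing-verify:
  - hipaa:164.312(c)(1)
  - pci-dss:6.3
essential-eight-ml2-patch:
  - rbi:9.9.9      # deliberately dangling: not in the catalog below
"""

# Constructed stand-in for the check catalog: framework -> known control IDs.
SAMPLE_CATALOG = {
    "pci-dss": {"2.2.4", "6.3", "7.2"},
    "iso27001": {"A.8.9"},
    "hipaa": {"164.312(c)(1)"},
    "rbi": set(),
}


def parse_mapping(text):
    """Read `rule_id:` keys followed by `- control` items; comments are
    stripped and anything outside that shape is rejected, not guessed."""
    mapping, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()
            mapping[current] = []
        elif line.lstrip().startswith("- ") and current is not None:
            mapping[current].append(line.lstrip()[2:].strip())
        else:
            raise ValueError(f"unsupported mapping line: {raw!r}")
    return mapping


def dangling_refs(mapping, catalog):
    """(rule_id, control_ref) pairs whose control is missing from the
    catalog; an empty list is what the testing-plan check should see."""
    bad = []
    for rule, controls in mapping.items():
        for ref in controls:
            framework, _, control = ref.partition(":")
            if control not in catalog.get(framework, set()):
                bad.append((rule, ref))
    return bad


def rules_for_framework(mapping, framework):
    """Rules with at least one control in `framework`, keeping only those
    controls: the subset --compliance-framework would tag and emit."""
    selected = {}
    for rule, controls in mapping.items():
        hits = [c for c in controls if c.startswith(framework + ":")]
        if hits:
            selected[rule] = hits
    return selected


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    for rule, ref in dangling_refs(mapping, SAMPLE_CATALOG):
        print(f"dangling: {rule} -> {ref}")
    print(rules_for_framework(mapping, "pci-dss"))
```

Run against the real file, `dangling_refs` is the assertion the unit test in tests/test_hardening_scaffold.py would make (empty list expected), with the catalog loaded from whatever GovPilot exposes rather than the constructed dict here.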

7. Effort Estimate

Table: task → estimated days → who (devops-os team or cel-agents team)


Labels: enhancement (New feature or request)