From d040e091941fff4d231dbbc60bb95feaa28f339f Mon Sep 17 00:00:00 2001
From: Will Szumski 
Date: Wed, 4 Oct 2023 17:19:19 +0100
Subject: [PATCH] Adds Ubuntu Jammy CIS benchmark hardening playbooks

Co-authored-by: "Dawud "
---
 doc/source/configuration/index.rst | 1 +
 doc/source/configuration/security.rst | 49 +++++++++++
 etc/kayobe/ansible/cis.yml | 14 ++++
 etc/kayobe/ansible/requirements.yml | 3 +
 etc/kayobe/inventory/group_vars/overcloud/cis | 81 +++++++++++++++++++
 ...ing-for-ubuntu-jammy-d9bf23a34c08f5be.yaml | 5 ++
 6 files changed, 153 insertions(+)
 create mode 100644 doc/source/configuration/security.rst
 create mode 100644 releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml

diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst
index f19775700..e3f38ae65 100644
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -18,3 +18,4 @@ the various features provided.
    wazuh
    vault
    magnum-capi
+   security
diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst
new file mode 100644
index 000000000..d95b66222
--- /dev/null
+++ b/doc/source/configuration/security.rst
@@ -0,0 +1,49 @@
+==================
+Security Hardening
+==================
+
+CIS Benchmark Hardening
+-----------------------
+
+The roles from the `Ansible-Lockdown `_
+project are used to harden hosts in accordance with the CIS benchmark criteria.
+It won't get your benchmark score to 100%, but should provide a significant
+improvement over an unhardened system. The following operating systems are
+supported:
+
+- Rocky 8, RHEL 8, CentOS Stream 8
+- Ubuntu 22.04
+
+
+Configuration
+--------------
+
+Some overrides to the role defaults are provided in
+``$KAYOBE_CONFIG_PATH/inventory/group_vars/overcloud/cis``. These may not be
+suitable for all deployments and so some fine tuning may be required. For
+instance, you may want different rules on a network node compared to a
+controller. It is best to consult the upstream role documentation for details
+about what each variable does. The documentation can be found here:
+
+- `Rocky 8, RHEL 8, CentOS Stream 8 `__
+- `Ubuntu 22.04 `__
+
+
+Running the playbooks
+---------------------
+
+As there is potential for unintended side effects when applying the hardening
+playbooks, the playbooks are not currently enabled by default. It is recommended
+that they are first applied to a representative staging environment to determine
+whether or not workloads or API requests are affected by any configuration changes.
+
+The upstream roles do not currently support using
+`INJECT_FACTS_AS_VARS=False `
+so you must enable this feature to be able to run the playbooks. This an be done on
+an adhoc basis using the environment variable. An example of how of to do that is
+shown below:
+
+.. code-block:: console
+
+   ANSIBLE_INJECT_FACT_VARS=True kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
+
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
index ce6445359..8be133415 100644
--- a/etc/kayobe/ansible/cis.yml
+++ b/etc/kayobe/ansible/cis.yml
@@ -4,12 +4,26 @@
   hosts: overcloud
   become: true
   tasks:
+    - name: Ensure the cron package is installed on ubuntu
+      package:
+        name: cron
+        state: present
+      when: ansible_facts.distribution == 'Ubuntu'
+
     - name: Remove /etc/motd
       # See remediation in:
       # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
       file:
         path: /etc/motd
         state: absent
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
     - include_role:
         name: ansible-lockdown.rhel8_cis
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
+      tags: always
+
+    - include_role:
+        name: ansible-lockdown.ubuntu22_cis
+      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+      tags: always
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index e54069d90..97d51dd37 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -11,6 +11,9 @@ roles:
   - name: ansible-lockdown.rhel8_cis
     src: https://github.com/ansible-lockdown/RHEL8-CIS
     version: 1.3.0
+  - name: ansible-lockdown.ubuntu22_cis
+    src: https://github.com/ansible-lockdown/UBUNTU22-CIS
+    version: 1.2.0
   - name: wazuh-ansible
     src: https://github.com/stackhpc/wazuh-ansible
     version: stackhpc
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index 81fb151e8..53927c839 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -1,4 +1,6 @@ --- +############################################################################## +# RHEL 8 / Centos Stream 8 CIS Hardening Configuration # NOTE: kayobe configures NTP. Do not clobber configuration. rhel8cis_time_synchronization: skip
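Review bot: A host that is neither RHEL/CentOS 8 nor Ubuntu 22 now falls through the `when` guards on both include_role tasks and finishes the play with no hardening applied and no error, which is easy to miss on a mixed overcloud; an assert placed before the includes, as sketched below, would turn that silent skip into a visible failure. The cron task is guarded only by `ansible_facts.distribution == 'Ubuntu'` while the ubuntu22_cis include additionally requires `ansible_facts.distribution_major_version == '22'`, so the two conditions should be aligned, and a comment such as `# presumably a prerequisite of the ubuntu22_cis role — confirm` above the cron task would record why the package is installed at all. The play header that owns these tasks starts above the hunk.
```yaml
  tasks:
    - name: Fail when no CIS role covers this distribution
      assert:
        that:
          - >-
            (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8')
            or (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22')
        fail_msg: "No CIS hardening role is configured for {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
    # … unchanged: cron, motd and include_role tasks …
```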
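Review bot: `version: 1.2.0` on the new ubuntu22_cis entry resolves to a git tag in a third-party repository, and tags are mutable; since this role is later executed with become on every overcloud host, pinning `version:` to the commit hash that the tag currently points at would fix exactly which content gets installed. The rhel8_cis entry directly above uses the same tag-based pin, so this is a pre-existing pattern rather than something this commit introduces, but it would be worth tightening both at the same time.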
@@ -22,3 +24,82 @@ rhel8cis_crypto_policy: FIPS
 # from being displayed.
 rhel8cis_rule_1_8_1_1: false
 rhel8cis_rule_1_8_1_4: false
+
+##############################################################################
+# Ubuntu Jammy CIS Hardening Configuration
+
+# Ubuntu 22 CIS configuration
+# Disable changing routing rules
+ubtu22cis_is_router: true
+
+# Set Chrony as the time sync tool
+ubtu22cis_time_sync_tool: "chrony"
+
+# Disable CIS from configuring the firewall
+ubtu22cis_firewall_package: "none"
+
+# Stop CIS from installing Network Manager
+ubtu22cis_install_network_manager: false
+
+# Set syslog service to journald
+ubtu22cis_syslog_service: journald
+
+# Squashfs is compiled into the kernel
+ubtu22cis_rule_1_1_1_2: false
+
+# This updates the system. Let's do this explicitly.
+ubtu22cis_rule_1_9: false
+
+# Do not change Chrony Time servers
+ubtu22cis_rule_2_1_2_1: false
+
+# Disable CIS from touching sudoers
+ubtu22cis_rule_5_3_4: false
+
+# Add stack and kolla to allowed ssh users
+ubtu22cis_sshd:
+  log_level: "INFO"
+  max_auth_tries: 4
+  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+  kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+  client_alive_interval: 300
+  client_alive_count_max: 3
+  login_grace_time: 60
+  max_sessions: 10
+  allow_users: "kolla stack ubuntu"
+  allow_groups: "kolla stack ubuntu"
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+  # for users whose user name matches one of the patterns. This is done
+  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_users: ""
+  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_groups: ""
+
+# Do not change /var/lib/docker permissions
+ubtu22cis_no_group_adjust: false
+ubtu22cis_no_owner_adjust: false
+
+# Enable collecting auditd logs
+update_audit_template: true
+
+# Configure log rotation to prevent audit logs from filling the disk
+ubtu22cis_auditd:
+  action_mail_acct: root
+  space_left_action: syslog
+  admin_space_left_action: halt
+  max_log_file_action: rotate
+
+# Disable grub bootloader password. Requires overriding
+# ubtu22cis_bootloader_password_hash
+ubtu22cis_rule_1_4_1: false
+ubtu22cis_rule_1_4_3: false
+
+##############################################################################
diff --git a/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml
new file mode 100644
index 000000000..298f73e8a
--- /dev/null
+++ b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for Ubuntu Jammy to the CIS benchmark hardening playbook:
+    ``cis.yml``. This playbook will need to be manually applied.
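Review bot: `allow_users: "kolla stack ubuntu"` and `allow_groups: "kolla stack ubuntu"` hard-code the SSH principals permitted on every overcloud host, and nothing checks that the user Kayobe actually connects as is among them; a deployment that overrides `kayobe_ansible_user` would lose SSH access to its hosts as soon as the role rewrites sshd_config. Deriving the entry from the Kayobe variable, e.g. `allow_users: "kolla {{ kayobe_ansible_user }} ubuntu"` (and likewise for `allow_groups`), or at minimum a comment stating that the Kayobe SSH user must appear in both lists, would prevent that lockout. Separately, `admin_space_left_action: halt` halts the host when auditd reaches its admin space threshold, which the "log rotation" comment above `ubtu22cis_auditd` does not convey; a comment such as `# NOTE: halt takes the host offline when the audit partition is nearly full — confirm this is intended` would document that the availability trade-off is deliberate.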