diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst
index f19775700..8c283481d 100644
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -18,3 +18,4 @@ the various features provided.
 wazuh
 vault
 magnum-capi
+ security-hardening
diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst
new file mode 100644
index 000000000..2d7c6a6fd
--- /dev/null
+++ b/doc/source/configuration/security-hardening.rst
@@ -0,0 +1,44 @@
+==================
+Security Hardening
+==================
+
+CIS Benchmark Hardening
+-----------------------
+
+The roles from the `Ansible-Lockdown `_
+project are used to harden hosts in accordance with the CIS benchmark criteria.
+It won't get your benchmark score to 100%, but should provide a significant
+improvement over an unhardened system. A typical score would be 70%.
+
+The following operating systems are supported:
+
+- Rocky 8, RHEL 8, CentOS Stream 8
+- Ubuntu 22.04
+- Rocky 9
+
+Configuration
+--------------
+
+Some overrides to the role defaults are provided in
+``$KAYOBE_CONFIG_PATH/inventory/group_vars/overcloud/cis``. These may not be
+suitable for all deployments and so some fine tuning may be required. For
+instance, you may want different rules on a network node compared to a
+controller. It is best to consult the upstream role documentation for details
+about what each variable does. The documentation can be found here:
+
+- `Rocky 8, RHEL 8, CentOS Stream 8 `__
+- `Ubuntu 22.04 `__
+- `Rocky 9 `__
+
+Running the playbooks
+---------------------
+
+As there is potential for unintended side effects when applying the hardening
+playbooks, the playbooks are not currently enabled by default. It is recommended
+that they are first applied to a representative staging environment to determine
+whether or not workloads or API requests are affected by any configuration changes.
+
+.. code-block:: console
+
+ kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
+
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
index ce6445359..ffb31c2fe 100644
--- a/etc/kayobe/ansible/cis.yml
+++ b/etc/kayobe/ansible/cis.yml
@@ -4,12 +4,31 @@ hosts: overcloud
 become: true
 tasks:
+ - name: Ensure the cron package is installed on ubuntu
+ package:
+ name: cron
+ state: present
+ when: ansible_facts.distribution == 'Ubuntu'
+
 - name: Remove /etc/motd
 # See remediation in:
 # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
 file:
 path: /etc/motd
 state: absent
+ when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
 - include_role:
 name: ansible-lockdown.rhel8_cis
+ when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
+ tags: always
+
+ - include_role:
+ name: ansible-lockdown.rhel9_cis
+ when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
+ tags: always
+
+ - include_role:
+ name: ansible-lockdown.ubuntu22_cis
+ when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+ tags: always
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index e54069d90..1a26c1007 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -11,6 +11,16 @@ roles:
 - name: ansible-lockdown.rhel8_cis
 src: https://github.com/ansible-lockdown/RHEL8-CIS
 version: 1.3.0
+ - name: ansible-lockdown.ubuntu22_cis
+ src: https://github.com/ansible-lockdown//UBUNTU22-CIS
+ #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132
+ # to be in a tagged release
+ version: c91a1038fd218f727075d21b2d0880751322b162
+ - name: ansible-lockdown.rhel9_cis
+ src: https://github.com/ansible-lockdown/RHEL9-CIS
+ #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54
+ # to be in a tagged release.
+ version: 3525cb6aab12a3d1e34aa8432ed77dd76be6a44a
 - name: wazuh-ansible
 src: https://github.com/stackhpc/wazuh-ansible
 version: stackhpc
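Review bot: A host whose facts match none of the three `when` conditions on the include_role tasks (for example a RedHat-family major version other than 8 or 9, or an Ubuntu release other than 22) silently receives no hardening, so a green run does not prove every overcloud host was covered. An `assert` task placed before the first include_role would make that gap fail loudly instead of passing quietly; a proposed task is below. The three include_role tasks also carry no `name:`, which is what appears in the run output and in any auditing of what was applied, e.g. `- name: Apply RHEL 8 CIS hardening`. The play header is outside the hunk and the task list may continue past its end.
```yaml
    - name: Check that a CIS hardening role exists for this host's OS
      assert:
        that:
          - >-
            (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version in ['8', '9'])
            or (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22')
        fail_msg: "No CIS hardening role matches this host's OS; it would be left unhardened"
    # … unchanged: cron package, /etc/motd and include_role tasks …
```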
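Review bot: The `src` of the new ansible-lockdown.ubuntu22_cis entry has a doubled slash, `https://github.com/ansible-lockdown//UBUNTU22-CIS`; it should read `src: https://github.com/ansible-lockdown/UBUNTU22-CIS` so it matches the pull-request URL two lines below and the form used for the rhel9 entry. Pinning both new roles to a full commit hash rather than a branch is the right choice for reproducible installs and for reviewing what code actually runs with root on every overcloud host; the FIXME comments should stay until the tagged releases they wait for exist. A space after the hash (`# FIXME:`) would keep those comments consistent with the surrounding comment style.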
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index 81fb151e8..519aeab8b 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -1,4 +1,12 @@
 ---
+##############################################################################
+# Common CIS Hardening Configuration
+
+# Enable collecting auditd logs
+update_audit_template: true
+
+##############################################################################
+# RHEL 8 / Centos Stream 8 CIS Hardening Configuration
 # NOTE: kayobe configures NTP. Do not clobber configuration.
 rhel8cis_time_synchronization: skip
 
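Review bot: The comment `# Enable collecting auditd logs` above `update_audit_template: true` does not match what the variable name suggests; from the name it appears to control whether the lockdown roles rewrite their audit rules file from the role template, not whether auditd collects logs at all. Because it sits in the new common section it presumably applies to all three roles, so the comment should say that and describe the effect it actually has, e.g. `# Let the lockdown roles (re)write their auditd rules from the role template; applies to every supported OS role (confirm against the role docs)`. Anyone tuning audit rules by hand on these hosts needs to know this flag will overwrite them.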
@@ -22,3 +30,121 @@ rhel8cis_crypto_policy: FIPS
 # from being displayed.
 rhel8cis_rule_1_8_1_1: false
 rhel8cis_rule_1_8_1_4: false
+
+##############################################################################
+# Rocky 9 CIS Hardening Configuration
+
+# Allow IP forwarding
+rhel9cis_is_router: true
+
+# Skip configuration of chrony
+rhel9cis_rule_2_1_1: false
+rhel9cis_rule_2_1_2: false
+
+# Skip configuration of the firewall
+rhel9cis_firewall: None
+rhel9cis_rule_3_4_1_2: false
+
+# Don't configure selinux
+rhel9cis_selinux_disable: true
+
+# NOTE: FUTURE breaks wazuh agent repo metadata download
+rhel9cis_crypto_policy: FIPS
+
+# Skip package updates
+rhel9cis_rule_1_9: false
+
+# Disable requirement for password when using sudo
+rhel9cis_rule_5_3_4: false
+
+# Disable check for root password being set, we should be locking root passwords instead.
+# Please double-check yourself with: sudo passwd -S root
+rhel9cis_rule_5_6_6: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+rhel9cis_auditd:
+ space_left_action: syslog
+ action_mail_acct: root
+ admin_space_left_action: halt
+ max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+rhel9cis_max_log_file_size: 1024
+
+##############################################################################
+# Ubuntu Jammy CIS Hardening Configuration
+
+# Ubuntu 22 CIS configuration
+# Disable changing routing rules
+ubtu22cis_is_router: true
+
+# Set Chrony as the time sync tool
+ubtu22cis_time_sync_tool: "chrony"
+
+# Disable CIS from configuring the firewall
+ubtu22cis_firewall_package: "none"
+
+# Stop CIS from installing Network Manager
+ubtu22cis_install_network_manager: false
+
+# Set syslog service to journald
+ubtu22cis_syslog_service: journald
+
+# Squashfs is compiled into the kernel
+ubtu22cis_rule_1_1_1_2: false
+
+# This updates the system. Let's do this explicitly.
+ubtu22cis_rule_1_9: false
+
+# Do not change Chrony Time servers
+ubtu22cis_rule_2_1_2_1: false
+
+# Disable CIS from touching sudoers
+ubtu22cis_rule_5_3_4: false
+
+# Add stack and kolla to allowed ssh users
+ubtu22cis_sshd:
+ log_level: "INFO"
+ max_auth_tries: 4
+ ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+ macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+ kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+ client_alive_interval: 300
+ client_alive_count_max: 3
+ login_grace_time: 60
+ max_sessions: 10
+ allow_users: "kolla stack ubuntu"
+ allow_groups: "kolla stack ubuntu"
+ # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+ # for users whose user name matches one of the patterns. This is done
+ # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+ # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+ # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+ # For more info, see https://linux.die.net/man/5/sshd_config
+ deny_users: ""
+ # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+ # for users whose primary group or supplementary group list matches one of the patterns. This is done
+ # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+ # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+ # For more info, see https://linux.die.net/man/5/sshd_config
+ deny_groups: ""
+
+# Do not change /var/lib/docker permissions
+ubtu22cis_no_group_adjust: false
+ubtu22cis_no_owner_adjust: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+ubtu22cis_auditd:
+ action_mail_acct: root
+ space_left_action: syslog
+ admin_space_left_action: halt
+ max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+ubtu22cis_max_log_file_size: 1024
+
+# Disable grub bootloader password. Requires overriding
+# ubtu22cis_bootloader_password_hash
+ubtu22cis_rule_1_4_1: false
+ubtu22cis_rule_1_4_3: false
+##############################################################################
diff --git a/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml
new file mode 100644
index 000000000..66de6e0e8
--- /dev/null
+++ b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds support for Ubuntu Jammy and Rocky 9 to the CIS benchmark hardening playbook:
+ ``cis.yml``. This playbook will need to be manually applied.
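Review bot: `ubtu22cis_sshd.allow_users` and `allow_groups` are hard-coded to `"kolla stack ubuntu"`, which by analogy with the DenyUsers comment in the same mapping the role presumably writes as `AllowUsers`/`AllowGroups`, so any other account, including a deployment's bootstrap or Ansible user if it is named differently, is locked out of SSH once the role runs. The comment `# Add stack and kolla to allowed ssh users` should spell that out, e.g. `# NOTE: AllowUsers/AllowGroups restrict SSH to these accounts; a deployment that uses a different bootstrap or ansible user must add it here or it will be locked out after hardening.` `rhel9cis_firewall: None` is the capitalised string `None` where the Ubuntu counterpart uses lowercase `"none"`, so it is worth confirming the role treats it as "manage no firewall" rather than falling through to some other branch. `rhel9cis_selinux_disable: true` reads as if SELinux itself is being disabled; since the comment says the intent is only to skip the role's SELinux section, a comment such as `# Role switch only: skips the role's SELinux rules, SELinux itself is left as configured` would prevent a misreading during audit.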