From d040e091941fff4d231dbbc60bb95feaa28f339f Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 4 Oct 2023 17:19:19 +0100 Subject: [PATCH 01/17] Adds Ubuntu Jammy CIS benchmark hardening playbooks Co-authored-by: "Dawud " --- doc/source/configuration/index.rst | 1 + doc/source/configuration/security.rst | 49 +++++++++++ etc/kayobe/ansible/cis.yml | 14 ++++ etc/kayobe/ansible/requirements.yml | 3 + etc/kayobe/inventory/group_vars/overcloud/cis | 81 +++++++++++++++++++ ...ing-for-ubuntu-jammy-d9bf23a34c08f5be.yaml | 5 ++ 6 files changed, 153 insertions(+) create mode 100644 doc/source/configuration/security.rst create mode 100644 releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst index f19775700..e3f38ae65 100644 --- a/doc/source/configuration/index.rst +++ b/doc/source/configuration/index.rst @@ -18,3 +18,4 @@ the various features provided. wazuh vault magnum-capi + security diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst new file mode 100644 index 000000000..d95b66222 --- /dev/null +++ b/doc/source/configuration/security.rst 
@@ -0,0 +1,49 @@ +================== +Security Hardening +================== + +CIS Benchmark Hardening +----------------------- + +The roles from the `Ansible-Lockdown `_ +project are used to harden hosts in accordance with the CIS benchmark criteria. +It won't get your benchmark score to 100%, but should provide a significant +improvement over an unhardened system. The following operating systems are +supported: + +- Rocky 8, RHEL 8, CentOS Stream 8 +- Ubuntu 22.04 + + +Configuration +-------------- + +Some overrides to the role defaults are provided in +``$KAYOBE_CONFIG_PATH/inventory/group_vars/overcloud/cis``. These may not be +suitable for all deployments and so some fine tuning may be required. For +instance, you may want different rules on a network node compared to a +controller. It is best to consult the upstream role documentation for details +about what each variable does. The documentation can be found here: + +- `Rocky 8, RHEL 8, CentOS Stream 8 `__ +- `Ubuntu 22.04 `__ + + +Running the playbooks +--------------------- + +As there is potential for unintended side effects when applying the hardening +playbooks, the playbooks are not currently enabled by default. It is recommended +that they are first applied to a representative staging environment to determine +whether or not workloads or API requests are affected by any configuration changes. + +The upstream roles do not currently support using +`INJECT_FACTS_AS_VARS=False ` +so you must enable this feature to be able to run the playbooks. This an be done on +an adhoc basis using the environment variable. An example of how of to do that is +shown below: + +.. code-block:: console + + ANSIBLE_INJECT_FACT_VARS=True kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml + diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index ce6445359..8be133415 100644 --- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml 
@@ -4,12 +4,26 @@ hosts: overcloud become: true tasks: + - name: Ensure the cron package is installed on ubuntu + package: + name: cron + state: present + when: ansible_facts.distribution == 'Ubuntu' + - name: Remove /etc/motd # See remediation in: # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777 file: path: /etc/motd state: absent + when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' - include_role: name: ansible-lockdown.rhel8_cis + when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' + tags: always + + - include_role: + name: ansible-lockdown.ubuntu22_cis + when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22' + tags: always diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index e54069d90..97d51dd37 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -11,6 +11,9 @@ roles: - name: ansible-lockdown.rhel8_cis src: https://github.com/ansible-lockdown/RHEL8-CIS version: 1.3.0 + - name: ansible-lockdown.ubuntu22_cis + src: https://github.com/ansible-lockdown/UBUNTU22-CIS + version: 1.2.0 - name: wazuh-ansible src: https://github.com/stackhpc/wazuh-ansible version: stackhpc diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 81fb151e8..53927c839 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -1,4 +1,6 @@ --- +############################################################################## +# RHEL 8 / Centos Stream 8 CIS Hardening Configuration # NOTE: kayobe configures NTP. Do not clobber configuration. rhel8cis_time_synchronization: skip 
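Review bot: A host that matches none of the `when` guards now runs through the play silently unhardened, because every `include_role` is conditional and there is no fallback `fail`/`assert` for an unsupported distribution (the rhel9 include added in patch 03 has the same gap). A closing task along the lines of `- name: Fail on unsupported OS` / `fail:` with a `when` that is the negation of the include guards would surface the gap in the run output instead of leaving it to a later benchmark scan. The new cron task also gives no reason for installing the package; a comment such as `# The ubuntu22_cis role manages cron file permissions and expects the package to exist` (confirm the exact rule against the role) would help the next maintainer. The play header is outside the hunk.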
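Review bot: The new `ansible-lockdown.ubuntu22_cis` entry is pinned to the tag `1.2.0`, which is a mutable git ref, so the role content that ansible-galaxy installs can change over time without any change to this file; patch 02 then moves it to the branch `feature/inject_facts_as_vars` on a fork, which is less stable still. The rhel9 entry added in patch 03 shows the better pattern of pinning `version:` to a commit hash, as patch 13 eventually does for this entry too; recommend pinning to a commit from the start and recording the corresponding tag in a comment so the pin stays reviewable.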
@@ -22,3 +24,82 @@ rhel8cis_crypto_policy: FIPS # from being displayed. rhel8cis_rule_1_8_1_1: false rhel8cis_rule_1_8_1_4: false + +############################################################################## +# Ubuntu Jammy CIS Hardening Configuration + +# Ubuntu 22 CIS configuration +# Disable changing routing rules +ubtu22cis_is_router: true + +# Set Chrony as the time sync tool +ubtu22cis_time_sync_tool: "chrony" + +# Disable CIS from configuring the firewall +ubtu22cis_firewall_package: "none" + +# Stop CIS from installing Network Manager +ubtu22cis_install_network_manager: false + +# Set syslog service to journald +ubtu22cis_syslog_service: journald + +# Squashfs is compiled into the kernel +ubtu22cis_rule_1_1_1_2: false + +# This updates the system. Let's do this explicitly. +ubtu22cis_rule_1_9: false + +# Do not change Chrony Time servers +ubtu22cis_rule_2_1_2_1: false + +# Disable CIS from touching sudoers +ubtu22cis_rule_5_3_4: false + +# Add stack and kolla to allowed ssh users +ubtu22cis_sshd: + log_level: "INFO" + max_auth_tries: 4 + ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" + kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" + client_alive_interval: 300 + client_alive_count_max: 3 + login_grace_time: 60 + max_sessions: 10 + allow_users: "kolla stack ubuntu" + allow_groups: "kolla stack ubuntu" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. 
+ # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: "" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" + +# Do not change /var/lib/docker permissions +ubtu22cis_no_group_adjust: false +ubtu22cis_no_owner_adjust: false + +# Enable collecting auditd logs +update_audit_template: true + +# Configure log rotation to prevent audit logs from filling the disk +ubtu22cis_auditd: + action_mail_acct: root + space_left_action: syslog + admin_space_left_action: halt + max_log_file_action: rotate + +# Disable grub bootloader password. Requires overriding +# ubtu22cis_bootloader_password_hash +ubtu22cis_rule_1_4_1: false +ubtu22cis_rule_1_4_3: false + +############################################################################## diff --git a/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml new file mode 100644 index 000000000..298f73e8a --- /dev/null +++ b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds support for Ubuntu Jammy to the CIS benchmark hardening playbook: + ``cis.yml``. This playbook will need to be manually applied. From df6a35706568f428422880187113fb828950f8fa Mon Sep 17 00:00:00 2001 
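Review bot: The comment `# Do not change /var/lib/docker permissions` sits above `ubtu22cis_no_group_adjust: false` and `ubtu22cis_no_owner_adjust: false`, but a `no_*_adjust` variable set to `false` reads as enabling adjustment, the opposite of what the comment says; please confirm against the role defaults and correct either the values or the comment, since an unnoticed ownership change under /var/lib/docker would affect every container on the host. `allow_users: "kolla stack ubuntu"` and `allow_groups: "kolla stack ubuntu"` hard-code the SSH allow list, so any deployment using a different operator account loses SSH access once the role runs; this deserves to be called out as a required site override rather than only the comment `# Add stack and kolla to allowed ssh users`. `admin_space_left_action: halt` is the CIS value, but it halts the host when audit space is exhausted, which on a controller is an availability trade-off worth a one-line comment next to the setting.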
From: Will Szumski Date: Fri, 6 Oct 2023 16:33:05 +0000 Subject: [PATCH 02/17] Use fork of role to support inject_facts_as_vars=False --- doc/source/configuration/security.rst | 2 +- etc/kayobe/ansible/requirements.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst index d95b66222..b366d2ced 100644 --- a/doc/source/configuration/security.rst +++ b/doc/source/configuration/security.rst @@ -45,5 +45,5 @@ shown below: .. code-block:: console - ANSIBLE_INJECT_FACT_VARS=True kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml + kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 97d51dd37..3562eaae6 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -12,8 +12,9 @@ roles: src: https://github.com/ansible-lockdown/RHEL8-CIS version: 1.3.0 - name: ansible-lockdown.ubuntu22_cis - src: https://github.com/ansible-lockdown/UBUNTU22-CIS - version: 1.2.0 + src: https://github.com/stackhpc/UBUNTU22-CIS + #FIXME: https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132 + version: feature/inject_facts_as_vars - name: wazuh-ansible src: https://github.com/stackhpc/wazuh-ansible version: stackhpc From cdb48491b934909a7c3d6961de7f23465adaa69c Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 6 Oct 2023 16:54:48 +0000 Subject: [PATCH 03/17] Add support for Rocky 9 CIS hardening MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: MichaƂ Nasiadka --- etc/kayobe/ansible/cis.yml | 5 ++++ etc/kayobe/ansible/requirements.yml | 8 +++++- etc/kayobe/inventory/group_vars/overcloud/cis | 26 +++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index 8be133415..ffb31c2fe 100644 --- a/etc/kayobe/ansible/cis.yml 
+++ b/etc/kayobe/ansible/cis.yml @@ -23,6 +23,11 @@ when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' tags: always + - include_role: + name: ansible-lockdown.rhel9_cis + when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9' + tags: always + - include_role: name: ansible-lockdown.ubuntu22_cis when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22' diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 3562eaae6..eccbaf8eb 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -13,8 +13,14 @@ roles: version: 1.3.0 - name: ansible-lockdown.ubuntu22_cis src: https://github.com/stackhpc/UBUNTU22-CIS - #FIXME: https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132 + #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132 + # to be in a tagged release version: feature/inject_facts_as_vars + - name: ansible-lockdown.rhel9_cis + src: https://github.com/ansible-lockdown/RHEL9-CIS + #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54 + # to be in a tagged release. + version: 3525cb6aab12a3d1e34aa8432ed77dd76be6a44a - name: wazuh-ansible src: https://github.com/stackhpc/wazuh-ansible version: stackhpc diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 53927c839..b1bce8282 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
@@ -25,6 +25,32 @@ rhel8cis_crypto_policy: FIPS rhel8cis_rule_1_8_1_1: false rhel8cis_rule_1_8_1_4: false +############################################################################## +# Rocky 9 CIS Hardening Configuration + +# Allow IP forwarding +rhel9cis_is_router: true + +# Skip configuration of chrony +rhel9cis_rule_2_1_1: false +rhel9cis_rule_2_1_2: false + +# Skip configuration of the firewall +rhel9cis_firewall: None +rhel9cis_rule_3_4_1_2: false + +# Don't configure selinux +rhel9cis_selinux_disable: true + +# NOTE: FUTURE breaks wazuh agent repo metadata download +rhel9cis_crypto_policy: FIPS + +# Skip package updates +rhel9cis_rule_1_9: false + +# Disable requirement for password when using sudo +rhel9cis_rule_5_3_4: false + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration From b5d984c187e5d0477e6ebd0012db1ece6c8cc280 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 6 Oct 2023 18:03:30 +0100 Subject: [PATCH 04/17] Whitespace fix --- doc/source/configuration/security.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst index b366d2ced..c85ea5ec2 100644 --- a/doc/source/configuration/security.rst +++ b/doc/source/configuration/security.rst @@ -14,7 +14,6 @@ supported: - Rocky 8, RHEL 8, CentOS Stream 8 - Ubuntu 22.04 - Configuration -------------- From 986874b708891b24d1e1213bcb86980f48cc0de4 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 6 Oct 2023 18:03:55 +0100 Subject: [PATCH 05/17] Whitespace fix --- doc/source/configuration/security.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst index c85ea5ec2..04b03d19f 100644 --- a/doc/source/configuration/security.rst +++ b/doc/source/configuration/security.rst 
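Review bot: `rhel9cis_selinux_disable: true` is introduced under the comment `# Don't configure selinux`, but the variable name reads as disabling SELinux itself rather than skipping its configuration; if the role does put SELinux into disabled or permissive mode this is a large reduction in the baseline, so confirm the role's behaviour and make the comment state it, e.g. `# Skip the SELinux rules; verify the role leaves the current enforcing state untouched`. `rhel9cis_firewall: None` is a plain scalar that YAML parses as the string `None` (only `null` and `~` are null), which is presumably what the role compares against, but quoting it as `"None"` makes that intent unambiguous. The section also skips `rhel9cis_rule_3_4_1_2` without saying what manages the firewall instead; a one-line pointer would help.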
@@ -27,7 +27,6 @@ about what each variable does. The documentation can be found here: - `Rocky 8, RHEL 8, CentOS Stream 8 `__ - `Ubuntu 22.04 `__ - Running the playbooks --------------------- From 8f8ff8cd36b269884ccdcc31b4b5f69519381366 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 18 Oct 2023 17:40:18 +0100 Subject: [PATCH 06/17] Matt's code review Co-authored-by: Matt Crees --- etc/kayobe/inventory/group_vars/overcloud/cis | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index b1bce8282..4fc7627bc 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -51,6 +51,10 @@ rhel9cis_rule_1_9: false # Disable requirement for password when using sudo rhel9cis_rule_5_3_4: false +# Disable check for root password being set, we should be locking root passwords instead. +# Please double-check yourself with: sudo paswd -S root +rhel9cis_rule_5_5_6: false + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration From ed8796815873773d82cdb8a00716dc28435f5b9c Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 18 Oct 2023 17:47:46 +0100 Subject: [PATCH 07/17] Add rhel9 auditd configuration --- etc/kayobe/inventory/group_vars/overcloud/cis | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 4fc7627bc..3525b4384 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
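Review bot: `rhel9cis_rule_5_5_6: false` disables the root password check on the strength of the comment `we should be locking root passwords instead`, but nothing in the series locks the root account, so the compensating control exists only as a manual instruction; either keep the rule enabled or add a task that enforces the lock (the `user` module's `password_lock: true`) so the check is not simply dropped. The verification command in the comment is also misspelled, `sudo paswd -S root` should be `sudo passwd -S root`.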
@@ -2,6 +2,12 @@ ############################################################################## # RHEL 8 / Centos Stream 8 CIS Hardening Configuration +rhel9cis_auditd: + space_left_action: syslog + action_mail_acct: root + admin_space_left_action: halt + max_log_file_action: rotate + # NOTE: kayobe configures NTP. Do not clobber configuration. rhel8cis_time_synchronization: skip rhel8cis_rule_2_2_1_1: false From d46c3602e47a77584202f62069e5ef9b96e01ef7 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 18 Oct 2023 17:48:49 +0100 Subject: [PATCH 08/17] Move auditd config to new location --- etc/kayobe/inventory/group_vars/overcloud/cis | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 3525b4384..63f605d8f 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -2,12 +2,6 @@ ############################################################################## # RHEL 8 / Centos Stream 8 CIS Hardening Configuration -rhel9cis_auditd: - space_left_action: syslog - action_mail_acct: root - admin_space_left_action: halt - max_log_file_action: rotate - # NOTE: kayobe configures NTP. Do not clobber configuration. rhel8cis_time_synchronization: skip rhel8cis_rule_2_2_1_1: false @@ -61,6 +55,12 @@ rhel9cis_rule_5_3_4: false # Please double-check yourself with: sudo paswd -S root rhel9cis_rule_5_5_6: false +rhel9cis_auditd: + space_left_action: syslog + action_mail_acct: root + admin_space_left_action: halt + max_log_file_action: rotate + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration From b54bfd2155eb24076cbc4a758d12d1d093c6204e Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Wed, 18 Oct 2023 17:51:52 +0100 Subject: [PATCH 09/17] ... --- etc/kayobe/inventory/group_vars/overcloud/cis | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 63f605d8f..c456c0be1 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -55,12 +55,16 @@ rhel9cis_rule_5_3_4: false # Please double-check yourself with: sudo paswd -S root rhel9cis_rule_5_5_6: false +# Configure log rotation to prevent audit logs from filling the disk rhel9cis_auditd: space_left_action: syslog action_mail_acct: root admin_space_left_action: halt max_log_file_action: rotate +# Max size of audit logs (MB) +rhel9cis_max_log_file_size: 1024 + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration @@ -133,6 +137,9 @@ ubtu22cis_auditd: admin_space_left_action: halt max_log_file_action: rotate +# Max size of audit logs (MB) +ubtu22cis_max_log_file_size: 1024 + # Disable grub bootloader password. Requires overriding # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false From 4e4cf55cffb2447c37d5c3b8419ae52c77625cb2 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 18 Oct 2023 17:54:22 +0100 Subject: [PATCH 10/17] Update cis --- etc/kayobe/inventory/group_vars/overcloud/cis | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index c456c0be1..22e2bf087 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
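Review bot: `rhel9cis_max_log_file_size: 1024` and `ubtu22cis_max_log_file_size: 1024` set the per-file audit log size without saying how many rotated files are retained, so the total disk footprint the comment `# Max size of audit logs (MB)` is guarding against is unspecified. State the retained-file count (auditd's `num_logs`, or the role variable that sets it) next to these values, or set it here, so the worst case can be checked against the size of the partition holding /var/log/audit.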
@@ -1,4 +1,10 @@ --- +############################################################################## +# Common CIS Hardening Configuration + +# Enable collecting auditd logs +update_audit_template: true + ############################################################################## # RHEL 8 / Centos Stream 8 CIS Hardening Configuration @@ -127,9 +133,6 @@ ubtu22cis_sshd: ubtu22cis_no_group_adjust: false ubtu22cis_no_owner_adjust: false -# Enable collecting auditd logs -update_audit_template: true - # Configure log rotation to prevent audit logs from filling the disk ubtu22cis_auditd: action_mail_acct: root From 08206c678908e0b032f94fb4b065069f6a4e5eb2 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:36:04 +0000 Subject: [PATCH 11/17] Apply suggestions from code review Co-authored-by: Alex-Welsh <112560678+Alex-Welsh@users.noreply.github.com> Co-authored-by: Mark Goddard Co-authored-by: Matt Crees --- doc/source/configuration/security.rst | 5 ++++- etc/kayobe/inventory/group_vars/overcloud/cis | 4 ++-- ...adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst index 04b03d19f..06274057c 100644 --- a/doc/source/configuration/security.rst +++ b/doc/source/configuration/security.rst @@ -8,11 +8,13 @@ CIS Benchmark Hardening The roles from the `Ansible-Lockdown `_ project are used to harden hosts in accordance with the CIS benchmark criteria. It won't get your benchmark score to 100%, but should provide a significant -improvement over an unhardened system. The following operating systems are +improvement over an unhardened system. A typical score would be x% + The following operating systems are... supported: - Rocky 8, RHEL 8, CentOS Stream 8 - Ubuntu 22.04 +- Rocky 9 Configuration -------------- 
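Review bot: `update_audit_template: true` is moved into a new `Common CIS Hardening Configuration` section on the assumption that the unprefixed name is read by all three roles, which the hunk cannot show; confirm that the rhel8, rhel9 and ubuntu22 roles all consume this exact variable name, otherwise the move silently changes nothing for one of them. The comment `# Enable collecting auditd logs` also describes the effect loosely; the flag appears to control whether the role's audit rules template is deployed, so something like `# Deploy the role's auditd rules template (variable name shared by the lockdown roles)` would be closer, subject to the same confirmation.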
@@ -26,6 +28,7 @@ about what each variable does. The documentation can be found here: - `Rocky 8, RHEL 8, CentOS Stream 8 `__ - `Ubuntu 22.04 `__ +- `Rocky 9 `__ Running the playbooks --------------------- diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 22e2bf087..e82b99160 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -58,8 +58,8 @@ rhel9cis_rule_1_9: false rhel9cis_rule_5_3_4: false # Disable check for root password being set, we should be locking root passwords instead. -# Please double-check yourself with: sudo paswd -S root -rhel9cis_rule_5_5_6: false +# Please double-check yourself with: sudo passwd -S root +rhel9cis_rule_5_6_6: false # Configure log rotation to prevent audit logs from filling the disk rhel9cis_auditd: diff --git a/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml index 298f73e8a..66de6e0e8 100644 --- a/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml +++ b/releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml @@ -1,5 +1,5 @@ --- features: - | - Adds support for Ubuntu Jammy to the CIS benchmark hardening playbook: + Adds support for Ubuntu Jammy and Rocky 9 to the CIS benchmark hardening playbook: ``cis.yml``. This playbook will need to be manually applied. From 86a9f6fe7596c303f69f91f610d8b2fead62cddb Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:39:17 +0000 Subject: [PATCH 12/17] Apply suggestions from code review --- doc/source/configuration/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security.rst index 06274057c..7b16ac556 100644 --- a/doc/source/configuration/security.rst +++ b/doc/source/configuration/security.rst 
@@ -46,5 +46,5 @@ shown below: .. code-block:: console - kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml + INJECT_FACTS_AS_VARS=False kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml From 4d6ad57a589efe346a4fadda362b1d5934acf4d0 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:39:27 +0000 Subject: [PATCH 13/17] Apply suggestions from code review --- etc/kayobe/ansible/requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index eccbaf8eb..1a26c1007 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -12,10 +12,10 @@ roles: src: https://github.com/ansible-lockdown/RHEL8-CIS version: 1.3.0 - name: ansible-lockdown.ubuntu22_cis - src: https://github.com/stackhpc/UBUNTU22-CIS + src: https://github.com/ansible-lockdown//UBUNTU22-CIS #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132 # to be in a tagged release - version: feature/inject_facts_as_vars + version: c91a1038fd218f727075d21b2d0880751322b162 - name: ansible-lockdown.rhel9_cis src: https://github.com/ansible-lockdown/RHEL9-CIS #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54 From 864ec3a237e2429b0fd94d3f901d6743db20fb5d Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:40:52 +0000 Subject: [PATCH 14/17] Rename section --- doc/source/configuration/index.rst | 2 +- .../configuration/{security.rst => security-hardening.rst} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename doc/source/configuration/{security.rst => security-hardening.rst} (100%) diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst index e3f38ae65..8c283481d 100644 --- a/doc/source/configuration/index.rst +++ b/doc/source/configuration/index.rst @@ -18,4 +18,4 @@ the various features provided. wazuh vault magnum-capi - security + security-hardening 
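Review bot: The new `src:` line contains a doubled slash, `https://github.com/ansible-lockdown//UBUNTU22-CIS`; GitHub may tolerate it on clone, but it is a typo that will trip anyone comparing the pin against the upstream URL, so it should read `src: https://github.com/ansible-lockdown/UBUNTU22-CIS`. Pinning `version:` to a commit hash is the right direction, but the FIXME above it still says the project is waiting for the pull request to reach a tagged release; stating in that comment that the pinned commit is the post-merge upstream commit would let the next reader tell the pin is intentional rather than stale.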
diff --git a/doc/source/configuration/security.rst b/doc/source/configuration/security-hardening.rst similarity index 100% rename from doc/source/configuration/security.rst rename to doc/source/configuration/security-hardening.rst From c4279ffe94cc3930557cb8e88ce4880ce0dfc0a4 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:45:30 +0000 Subject: [PATCH 15/17] Fix indentation --- etc/kayobe/inventory/group_vars/overcloud/cis | 65 +++++++++---------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index e82b99160..519aeab8b 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -63,10 +63,10 @@ rhel9cis_rule_5_6_6: false # Configure log rotation to prevent audit logs from filling the disk rhel9cis_auditd: - space_left_action: syslog - action_mail_acct: root - admin_space_left_action: halt - max_log_file_action: rotate + space_left_action: syslog + action_mail_acct: root + admin_space_left_action: halt + max_log_file_action: rotate # Max size of audit logs (MB) rhel9cis_max_log_file_size: 1024 
@@ -104,30 +104,30 @@ ubtu22cis_rule_5_3_4: false # Add stack and kolla to allowed ssh users ubtu22cis_sshd: - log_level: "INFO" - max_auth_tries: 4 - ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" - kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" - client_alive_interval: 300 - client_alive_count_max: 3 - login_grace_time: 60 - max_sessions: 10 - allow_users: "kolla stack ubuntu" - allow_groups: "kolla stack ubuntu" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access - # for users whose user name matches one of the patterns. This is done - # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
- # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + log_level: "INFO" + max_auth_tries: 4 + ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" + kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" + client_alive_interval: 300 + client_alive_count_max: 3 + login_grace_time: 60 + max_sessions: 10 + allow_users: "kolla stack ubuntu" + allow_groups: "kolla stack ubuntu" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: "" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" # Do not change /var/lib/docker permissions ubtu22cis_no_group_adjust: false 
@@ -135,10 +135,10 @@ ubtu22cis_no_owner_adjust: false # Configure log rotation to prevent audit logs from filling the disk ubtu22cis_auditd: - action_mail_acct: root - space_left_action: syslog - admin_space_left_action: halt - max_log_file_action: rotate + action_mail_acct: root + space_left_action: syslog + admin_space_left_action: halt + max_log_file_action: rotate # Max size of audit logs (MB) ubtu22cis_max_log_file_size: 1024 @@ -147,5 +147,4 @@ ubtu22cis_max_log_file_size: 1024 # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false ubtu22cis_rule_1_4_3: false - ############################################################################## From c2be0e570d5e3829f9b5b1b3d0415937afef09c1 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:47:51 +0000 Subject: [PATCH 16/17] Apply suggestions from code review --- doc/source/configuration/security-hardening.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index 7b16ac556..b01c18a0b 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst @@ -8,7 +8,7 @@ CIS Benchmark Hardening The roles from the `Ansible-Lockdown `_ project are used to harden hosts in accordance with the CIS benchmark criteria. It won't get your benchmark score to 100%, but should provide a significant -improvement over an unhardened system. A typical score would be x% +improvement over an unhardened system. A typical score would be 70% The following operating systems are... supported: From 65742ba0a696308d3b9c4ff9432bc9ba20e45764 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 13 Nov 2023 17:54:40 +0000 Subject: [PATCH 17/17] Remove instructions to enable inject_facts_as_vars --- doc/source/configuration/security-hardening.rst | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) 
diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index b01c18a0b..2d7c6a6fd 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst @@ -8,9 +8,9 @@ CIS Benchmark Hardening The roles from the `Ansible-Lockdown `_ project are used to harden hosts in accordance with the CIS benchmark criteria. It won't get your benchmark score to 100%, but should provide a significant -improvement over an unhardened system. A typical score would be 70% - The following operating systems are... -supported: +improvement over an unhardened system. A typical score would be 70%. + +The following operating systems are supported: - Rocky 8, RHEL 8, CentOS Stream 8 - Ubuntu 22.04 @@ -38,13 +38,7 @@ playbooks, the playbooks are not currently enabled by default. It is recommended that they are first applied to a representative staging environment to determine whether or not workloads or API requests are affected by any configuration changes. -The upstream roles do not currently support using -`INJECT_FACTS_AS_VARS=False ` -so you must enable this feature to be able to run the playbooks. This an be done on -an adhoc basis using the environment variable. An example of how of to do that is -shown below: - .. code-block:: console - INJECT_FACTS_AS_VARS=False kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml + kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml