Adds Ubuntu Jammy & Rocky 9 CIS benchmark hardening playbooks

doc/source/configuration/index.rst

@@ -18,3 +18,4 @@ the various features provided.
    wazuh
    vault
    magnum-capi
+   security

doc/source/configuration/security.rst

@@ -0,0 +1,47 @@
+==================
+Security Hardening
+==================
+
+CIS Benchmark Hardening
+-----------------------
+
+The roles from the `Ansible-Lockdown <https://github.com/ansible-lockdown>`_
+project are used to harden hosts in accordance with the CIS benchmark criteria.
+It won't get your benchmark score to 100%, but should provide a significant
+improvement over an unhardened system. The following operating systems are
+supported:
+
+- Rocky 8, RHEL 8, CentOS Stream 8
+- Ubuntu 22.04
+
+Configuration
+--------------
+
+Some overrides to the role defaults are provided in
+``$KAYOBE_CONFIG_PATH/inventory/group_vars/overcloud/cis``. These may not be
+suitable for all deployments and so some fine tuning may be required. For
+instance, you may want different rules on a network node compared to a
+controller. It is best to consult the upstream role documentation for details
+about what each variable does. The documentation can be found here:
+
+- `Rocky 8, RHEL 8, CentOS Stream 8 <https://github.com/ansible-lockdown/RHEL8-CIS/tree/1.3.0>`__
+- `Ubuntu 22.04 <https://github.com/ansible-lockdown/UBUNTU22-CIS>`__
+
+Running the playbooks
+---------------------
+
+As there is potential for unintended side effects when applying the hardening
+playbooks, the playbooks are not currently enabled by default. It is recommended
+that they are first applied to a representative staging environment to determine
+whether or not workloads or API requests are affected by any configuration changes.
+
+The upstream roles do not currently support using
+`INJECT_FACTS_AS_VARS=False <https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars>`
+so you must enable this feature to be able to run the playbooks. This an be done on
+an adhoc basis using the environment variable. An example of how of to do that is
+shown below:
+
+.. code-block:: console
+
+    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
+

etc/kayobe/ansible/cis.yml

@@ -4,12 +4,31 @@
   hosts: overcloud
   become: true
   tasks:
+    - name: Ensure the cron package is installed on ubuntu
+      package:
+        name: cron
+        state: present
+      when: ansible_facts.distribution == 'Ubuntu'
+
     - name: Remove /etc/motd
       # See remediation in:
       # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
       file:
         path: /etc/motd
         state: absent
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
     - include_role:
         name: ansible-lockdown.rhel8_cis
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
+      tags: always
+
+    - include_role:
+        name: ansible-lockdown.rhel9_cis
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
+      tags: always
+
+    - include_role:
+        name: ansible-lockdown.ubuntu22_cis
+      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+      tags: always

etc/kayobe/ansible/requirements.yml

@@ -11,6 +11,16 @@ roles:
   - name: ansible-lockdown.rhel8_cis
     src: https://github.com/ansible-lockdown/RHEL8-CIS
     version: 1.3.0
+  - name: ansible-lockdown.ubuntu22_cis
+    src: https://github.com/stackhpc/UBUNTU22-CIS
+    #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132
+    # to be in a tagged release
+    version: feature/inject_facts_as_vars
+  - name: ansible-lockdown.rhel9_cis
+    src: https://github.com/ansible-lockdown/RHEL9-CIS
+    #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54
+    # to be in a tagged release.
+    version: 3525cb6aab12a3d1e34aa8432ed77dd76be6a44a
   - name: wazuh-ansible
     src: https://github.com/stackhpc/wazuh-ansible
     version: stackhpc

etc/kayobe/inventory/group_vars/overcloud/cis

@@ -1,4 +1,12 @@
 ---
+##############################################################################
+# Common CIS Hardening Configuration
+
+# Enable collecting auditd logs
+update_audit_template: true
+
+##############################################################################
+# RHEL 8 / Centos Stream 8 CIS Hardening Configuration
 
 # NOTE: kayobe configures NTP. Do not clobber configuration.
 rhel8cis_time_synchronization: skip
@@ -22,3 +30,122 @@ rhel8cis_crypto_policy: FIPS
 # from being displayed.
 rhel8cis_rule_1_8_1_1: false
 rhel8cis_rule_1_8_1_4: false
+
+##############################################################################
+# Rocky 9 CIS Hardening Configuration
+
+# Allow IP forwarding
+rhel9cis_is_router: true
+
+# Skip configuration of chrony
+rhel9cis_rule_2_1_1: false
+rhel9cis_rule_2_1_2: false
+
+# Skip configuration of the firewall
+rhel9cis_firewall: None
+rhel9cis_rule_3_4_1_2: false
+
+# Don't configure selinux
+rhel9cis_selinux_disable: true
+
+# NOTE: FUTURE breaks wazuh agent repo metadata download
+rhel9cis_crypto_policy: FIPS
+
+# Skip package updates
+rhel9cis_rule_1_9: false
+
+# Disable requirement for password when using sudo
+rhel9cis_rule_5_3_4: false
+
+# Disable check for root password being set, we should be locking root passwords instead.
+# Please double-check yourself with: sudo paswd -S root
+rhel9cis_rule_5_5_6: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+rhel9cis_auditd:
+    space_left_action: syslog
+    action_mail_acct: root
+    admin_space_left_action: halt
+    max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+rhel9cis_max_log_file_size: 1024
+
+##############################################################################
+# Ubuntu Jammy CIS Hardening Configuration
+
+# Ubuntu 22 CIS configuration
+# Disable changing routing rules
+ubtu22cis_is_router: true
+
+# Set Chrony as the time sync tool
+ubtu22cis_time_sync_tool: "chrony"
+
+# Disable CIS from configuring the firewall
+ubtu22cis_firewall_package: "none"
+
+# Stop CIS from installing Network Manager
+ubtu22cis_install_network_manager: false
+
+# Set syslog service to journald
+ubtu22cis_syslog_service: journald
+
+# Squashfs is compiled into the kernel
+ubtu22cis_rule_1_1_1_2: false
+
+# This updates the system. Let's do this explicitly.
+ubtu22cis_rule_1_9: false
+
+# Do not change Chrony Time servers
+ubtu22cis_rule_2_1_2_1: false
+
+# Disable CIS from touching sudoers
+ubtu22cis_rule_5_3_4: false
+
+# Add stack and kolla to allowed ssh users
+ubtu22cis_sshd:
+    log_level: "INFO"
+    max_auth_tries: 4
+    ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
+    macs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
+    kex_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+    client_alive_interval: 300
+    client_alive_count_max: 3
+    login_grace_time: 60
+    max_sessions: 10
+    allow_users: "kolla stack ubuntu"
+    allow_groups: "kolla stack ubuntu"
+    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+    # for users whose user name matches one of the patterns. This is done
+    # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+    # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, see https://linux.die.net/man/5/sshd_config
+    deny_users: ""
+    # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+    # for users whose primary group or supplementary group list matches one of the patterns. This is done
+    # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+    # For more info, see https://linux.die.net/man/5/sshd_config
+    deny_groups: ""
+
+# Do not change /var/lib/docker permissions
+ubtu22cis_no_group_adjust: false
+ubtu22cis_no_owner_adjust: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+ubtu22cis_auditd:
+    action_mail_acct: root
+    space_left_action: syslog
+    admin_space_left_action: halt
+    max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+ubtu22cis_max_log_file_size: 1024
+
+# Disable grub bootloader password. Requires overriding
+# ubtu22cis_bootloader_password_hash
+ubtu22cis_rule_1_4_1: false
+ubtu22cis_rule_1_4_3: false
+
+##############################################################################

releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for Ubuntu Jammy to the CIS benchmark hardening playbook:
+    ``cis.yml``. This playbook will need to be manually applied.