Drop CentOS/Rocky 8 from CIS security hardening

These OS versions are no longer supported.

Author: markgoddard

doc/source/configuration/security-hardening.rst

@@ -12,7 +12,6 @@ improvement over an unhardened system. A typical score would be 70%.
 
 The following operating systems are supported:
 
-- Rocky 8, RHEL 8, CentOS Stream 8
 - Ubuntu 22.04
 - Rocky 9
 
@@ -26,23 +25,12 @@ instance, you may want different rules on a network node compared to a
 controller. It is best to consult the upstream role documentation for details
 about what each variable does. The documentation can be found here:
 
-- `Rocky 8, RHEL 8, CentOS Stream 8 <https://github.com/ansible-lockdown/RHEL8-CIS/tree/1.3.0>`__
 - `Ubuntu 22.04 <https://github.com/ansible-lockdown/UBUNTU22-CIS>`__
 - `Rocky 9 <https://github.com/ansible-lockdown/RHEL9-CIS>`__
 
 Running the playbooks
 ---------------------
 
-.. note:
-
-  On CentOS 8, you must run with `INJECT_FACT_AS_VARS <https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars>`__
-  enabled. To do this for this playbook only, you can use:
-
-  .. code-block: shell
-
-    ANSIBLE_INJECT_FACT_VARS=true kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
-
-
 As there is potential for unintended side effects when applying the hardening
 playbooks, the playbooks are not currently enabled by default. It is recommended
 that they are first applied to a representative staging environment to determine

etc/kayobe/ansible/cis.yml

@@ -10,19 +10,6 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
-    - name: Remove /etc/motd
-      # See remediation in:
-      # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
-      file:
-        path: /etc/motd
-        state: absent
-      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
-
-    - include_role:
-        name: ansible-lockdown.rhel8_cis
-      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
-      tags: always
-
     - include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'

etc/kayobe/ansible/requirements.yml

@@ -12,9 +12,6 @@ collections:
     version: 2.4.0
 roles:
   - src: stackhpc.vxlan
-  - name: ansible-lockdown.rhel8_cis
-    src: https://github.com/ansible-lockdown/RHEL8-CIS
-    version: 1.3.0
   - name: ansible-lockdown.ubuntu22_cis
     src: https://github.com/stackhpc/UBUNTU22-CIS
     #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/174

etc/kayobe/inventory/group_vars/overcloud/cis

@@ -5,32 +5,6 @@
 # Enable collecting auditd logs
 update_audit_template: true
 
-##############################################################################
-# RHEL 8 / Centos Stream 8 CIS Hardening Configuration
-
-# NOTE: kayobe configures NTP. Do not clobber configuration.
-rhel8cis_time_synchronization: skip
-rhel8cis_rule_2_2_1_1: false
-rhel8cis_rule_2_2_1_2: false
-
-# NOTE: disable CIS rolefirewall configuration
-rhel8cis_firewall: skip
-rhel8cis_rule_3_4_1_1: false
-
-# NOTE: kayobe does not currently support selinux
-rhel8cis_selinux_disable: true
-
-# NOTE: This updates the system. Let's do this explicitly.
-rhel8cis_rule_1_9: false
-
-# NOTE: FUTURE breaks wazuh agent repo metadata download
-rhel8cis_crypto_policy: FIPS
-
-# NOTE: We will remove /etc/motd instead. This prevents a duplicate warning
-# from being displayed.
-rhel8cis_rule_1_8_1_1: false
-rhel8cis_rule_1_8_1_4: false
-
 ##############################################################################
 # Rocky 9 CIS Hardening Configuration