Adds Ubuntu Jammy & Rocky 9 CIS benchmark hardening playbooks (#685)

* Adds Ubuntu Jammy CIS benchmark hardening playbooks

Co-authored-by: "Dawud <[email protected]>"

* Use fork of role to support inject_facts_as_vars=False

* Add support for Rocky 9 CIS hardening

Co-authored-by: Michał Nasiadka <[email protected]>

* Whitespace fix

* Whitespace fix

* Matt's code review

Co-authored-by: Matt Crees <[email protected]>

* Add rhel9 auditd configuration

* Move auditd config to new location

* ...

* Update cis

* Apply suggestions from code review

Co-authored-by: Alex-Welsh <[email protected]>
Co-authored-by: Mark Goddard <[email protected]>
Co-authored-by: Matt Crees <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

* Rename section

* Fix indentation

* Apply suggestions from code review

* Remove instructions to enable inject_facts_as_vars

---------

Co-authored-by: Michał Nasiadka <[email protected]>
Co-authored-by: Matt Crees <[email protected]>
Co-authored-by: Alex-Welsh <[email protected]>
Co-authored-by: Mark Goddard <[email protected]>

Author: 5 people

doc/source/configuration/index.rst

@@ -18,3 +18,4 @@ the various features provided.
    wazuh
    vault
    magnum-capi
+   security-hardening

doc/source/configuration/security-hardening.rst

@@ -0,0 +1,44 @@
+==================
+Security Hardening
+==================
+
+CIS Benchmark Hardening
+-----------------------
+
+The roles from the `Ansible-Lockdown <https://github.com/ansible-lockdown>`_
+project are used to harden hosts in accordance with the CIS benchmark criteria.
+It won't get your benchmark score to 100%, but should provide a significant
+improvement over an unhardened system. A typical score would be 70%.
+
+The following operating systems are supported:
+
+- Rocky 8, RHEL 8, CentOS Stream 8
+- Ubuntu 22.04
+- Rocky 9
+
+Configuration
+--------------
+
+Some overrides to the role defaults are provided in
+``$KAYOBE_CONFIG_PATH/inventory/group_vars/overcloud/cis``. These may not be
+suitable for all deployments and so some fine tuning may be required. For
+instance, you may want different rules on a network node compared to a
+controller. It is best to consult the upstream role documentation for details
+about what each variable does. The documentation can be found here:
+
+- `Rocky 8, RHEL 8, CentOS Stream 8 <https://github.com/ansible-lockdown/RHEL8-CIS/tree/1.3.0>`__
+- `Ubuntu 22.04 <https://github.com/ansible-lockdown/UBUNTU22-CIS>`__
+- `Rocky 9 <https://github.com/ansible-lockdown/RHEL9-CIS>`__
+
+Running the playbooks
+---------------------
+
+As there is potential for unintended side effects when applying the hardening
+playbooks, the playbooks are not currently enabled by default. It is recommended
+that they are first applied to a representative staging environment to determine
+whether or not workloads or API requests are affected by any configuration changes.
+
+.. code-block:: console
+
+    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
+

etc/kayobe/ansible/cis.yml

@@ -4,12 +4,31 @@
   hosts: overcloud
   become: true
   tasks:
+    - name: Ensure the cron package is installed on ubuntu
+      package:
+        name: cron
+        state: present
+      when: ansible_facts.distribution == 'Ubuntu'
+
     - name: Remove /etc/motd
       # See remediation in:
       # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
       file:
         path: /etc/motd
         state: absent
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
     - include_role:
         name: ansible-lockdown.rhel8_cis
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
+      tags: always
+
+    - include_role:
+        name: ansible-lockdown.rhel9_cis
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
+      tags: always
+
+    - include_role:
+        name: ansible-lockdown.ubuntu22_cis
+      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+      tags: always

etc/kayobe/ansible/requirements.yml

@@ -15,6 +15,16 @@ roles:
   - name: ansible-lockdown.rhel8_cis
     src: https://github.com/ansible-lockdown/RHEL8-CIS
     version: 1.3.0
+  - name: ansible-lockdown.ubuntu22_cis
+    src: https://github.com/ansible-lockdown//UBUNTU22-CIS
+    #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132
+    # to be in a tagged release
+    version: c91a1038fd218f727075d21b2d0880751322b162
+  - name: ansible-lockdown.rhel9_cis
+    src: https://github.com/ansible-lockdown/RHEL9-CIS
+    #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54
+    # to be in a tagged release.
+    version: 3525cb6aab12a3d1e34aa8432ed77dd76be6a44a
   - name: wazuh-ansible
     src: https://github.com/stackhpc/wazuh-ansible
     version: stackhpc

etc/kayobe/inventory/group_vars/overcloud/cis

@@ -1,4 +1,12 @@
 ---
+##############################################################################
+# Common CIS Hardening Configuration
+
+# Enable collecting auditd logs
+update_audit_template: true
+
+##############################################################################
+# RHEL 8 / Centos Stream 8 CIS Hardening Configuration
 
 # NOTE: kayobe configures NTP. Do not clobber configuration.
 rhel8cis_time_synchronization: skip
@@ -22,3 +30,121 @@ rhel8cis_crypto_policy: FIPS
 # from being displayed.
 rhel8cis_rule_1_8_1_1: false
 rhel8cis_rule_1_8_1_4: false
+
+##############################################################################
+# Rocky 9 CIS Hardening Configuration
+
+# Allow IP forwarding
+rhel9cis_is_router: true
+
+# Skip configuration of chrony
+rhel9cis_rule_2_1_1: false
+rhel9cis_rule_2_1_2: false
+
+# Skip configuration of the firewall
+rhel9cis_firewall: None
+rhel9cis_rule_3_4_1_2: false
+
+# Don't configure selinux
+rhel9cis_selinux_disable: true
+
+# NOTE: FUTURE breaks wazuh agent repo metadata download
+rhel9cis_crypto_policy: FIPS
+
+# Skip package updates
+rhel9cis_rule_1_9: false
+
+# Disable requirement for password when using sudo
+rhel9cis_rule_5_3_4: false
+
+# Disable check for root password being set, we should be locking root passwords instead.
+# Please double-check yourself with: sudo passwd -S root
+rhel9cis_rule_5_6_6: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+rhel9cis_auditd:
+  space_left_action: syslog
+  action_mail_acct: root
+  admin_space_left_action: halt
+  max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+rhel9cis_max_log_file_size: 1024
+
+##############################################################################
+# Ubuntu Jammy CIS Hardening Configuration
+
+# Ubuntu 22 CIS configuration
+# Disable changing routing rules
+ubtu22cis_is_router: true
+
+# Set Chrony as the time sync tool
+ubtu22cis_time_sync_tool: "chrony"
+
+# Disable CIS from configuring the firewall
+ubtu22cis_firewall_package: "none"
+
+# Stop CIS from installing Network Manager
+ubtu22cis_install_network_manager: false
+
+# Set syslog service to journald
+ubtu22cis_syslog_service: journald
+
+# Squashfs is compiled into the kernel
+ubtu22cis_rule_1_1_1_2: false
+
+# This updates the system. Let's do this explicitly.
+ubtu22cis_rule_1_9: false
+
+# Do not change Chrony Time servers
+ubtu22cis_rule_2_1_2_1: false
+
+# Disable CIS from touching sudoers
+ubtu22cis_rule_5_3_4: false
+
+# Add stack and kolla to allowed ssh users
+ubtu22cis_sshd:
+  log_level: "INFO"
+  max_auth_tries: 4
+  ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
+  macs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
+  kex_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+  client_alive_interval: 300
+  client_alive_count_max: 3
+  login_grace_time: 60
+  max_sessions: 10
+  allow_users: "kolla stack ubuntu"
+  allow_groups: "kolla stack ubuntu"
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+  # for users whose user name matches one of the patterns. This is done
+  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_users: ""
+  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_groups: ""
+
+# Do not change /var/lib/docker permissions
+ubtu22cis_no_group_adjust: false
+ubtu22cis_no_owner_adjust: false
+
+# Configure log rotation to prevent audit logs from filling the disk
+ubtu22cis_auditd:
+  action_mail_acct: root
+  space_left_action: syslog
+  admin_space_left_action: halt
+  max_log_file_action: rotate
+
+# Max size of audit logs (MB)
+ubtu22cis_max_log_file_size: 1024
+
+# Disable grub bootloader password. Requires overriding
+# ubtu22cis_bootloader_password_hash
+ubtu22cis_rule_1_4_1: false
+ubtu22cis_rule_1_4_3: false
+##############################################################################

releasenotes/notes/adds-cis-hardening-for-ubuntu-jammy-d9bf23a34c08f5be.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for Ubuntu Jammy and Rocky 9 to the CIS benchmark hardening playbook:
+    ``cis.yml``. This playbook will need to be manually applied.