From 1c3090f2e1963dac6dfc28766d5bb63aeb457464 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 21 Jun 2024 10:48:38 +0100 Subject: [PATCH 1/8] Enable CIS benchmark hardening in AIO and Multinode Currently we do not have coverage of this feature in CI. --- doc/source/configuration/security-hardening.rst | 15 +++++++++++++++ etc/kayobe/environments/ci-aio/stackhpc.yml | 3 +++ etc/kayobe/environments/ci-multinode/stackhpc.yml | 3 +++ .../overcloud-host-configure/post.d/99-cis.yml | 4 ++++ etc/kayobe/stackhpc.yml | 6 ++++++ .../notes/adds-cis-hook-8cec8d42103d075e.yaml | 7 +++++++ 6 files changed, 38 insertions(+) create mode 100644 etc/kayobe/environments/ci-aio/stackhpc.yml create mode 100644 etc/kayobe/environments/ci-multinode/stackhpc.yml create mode 100644 etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml create mode 100644 releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index f0cd77df3..effb6b820 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst @@ -40,3 +40,18 @@ whether or not workloads or API requests are affected by any configuration chang kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml +Enabling the host configure hook +-------------------------------- + +A hook is pre-installed but its execution is guarded by the +``stackhpc_enable_cis_benchmark_hardening`` configuration option. +If you want the hardening playbooks to run automatically, as part of +host configure, simply set this flag to ``true``: + +.. code-block:: yaml + :caption: $KAYOBE_CONFIG_PATH/stackhpc.yml + + stackhpc_enable_cis_benchmark_hardening: true + +Alternatively, this can be toggled on a per-environment basis by +setting it in an environment specific config file. 
diff --git a/etc/kayobe/environments/ci-aio/stackhpc.yml b/etc/kayobe/environments/ci-aio/stackhpc.yml new file mode 100644 index 000000000..d31ba2a59 --- /dev/null +++ b/etc/kayobe/environments/ci-aio/stackhpc.yml @@ -0,0 +1,3 @@ +--- + +stackhpc_enable_cis_benchmark_hardening: true diff --git a/etc/kayobe/environments/ci-multinode/stackhpc.yml b/etc/kayobe/environments/ci-multinode/stackhpc.yml new file mode 100644 index 000000000..d31ba2a59 --- /dev/null +++ b/etc/kayobe/environments/ci-multinode/stackhpc.yml @@ -0,0 +1,3 @@ +--- + +stackhpc_enable_cis_benchmark_hardening: true diff --git a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml new file mode 100644 index 000000000..9c2e9e898 --- /dev/null +++ b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml @@ -0,0 +1,4 @@ +--- + +import_playbook: ../../../ansible/cis.yml +when: stackhpc_enable_cis_benchmark_hardening | bool diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index bd00b85d6..0df969b13 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml @@ -148,3 +148,9 @@ stackhpc_docker_registry: "{{ pulp_url | regex_replace('^https?://', '') }}" # Username and password of container registry. stackhpc_docker_registry_username: "{{ pulp_username }}" stackhpc_docker_registry_password: "{{ pulp_password }}" + +############################################################################### +# Feature flags + +# Whether or not to run CIS benchmark hardening playbooks +stackhpc_enable_cis_benchmark_hardening: false diff --git a/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml b/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml new file mode 100644 index 000000000..a78386f90 --- /dev/null +++ b/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml 
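Review bot: The new hook file `99-cis.yml` carries no comment, yet once the flag is true it re-runs the full hardening play on every `overcloud host configure`, not just the first one, and nothing in the hooks directory tells an operator that. I would add `# Runs the CIS hardening playbook after every overcloud host configure when stackhpc_enable_cis_benchmark_hardening is true; bypass with --skip-hooks if your kayobe release supports it.` above the import. The `when` on the import is evaluated per host of the imported play, so per-host overrides of the flag presumably work, but a host where the variable is undefined will error on `| bool` rather than skip; that is arguably the safer failure mode for a security control and is worth stating in the same comment.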
@@ -0,0 +1,7 @@ +--- +features: + - | + Adds a hook to automatically run the CIS benchmark hardening playbooks as + part of host configure. This is guarded by the + ``stackhpc_enable_cis_benchmark_hardening`` configuration option and is + disabled by default. From 4ded47e08fbff1f2a52725c4ea01c8902e4bf565 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 21 Jun 2024 11:25:33 +0100 Subject: [PATCH 2/8] Support extending default hardening group --- doc/source/configuration/security-hardening.rst | 3 ++- etc/kayobe/ansible/cis.yml | 2 +- etc/kayobe/inventory/group_vars/all/stackhpc | 6 ++++++ etc/kayobe/inventory/groups | 6 ++++++ etc/kayobe/stackhpc.yml | 4 ++-- 5 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 etc/kayobe/inventory/group_vars/all/stackhpc diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index effb6b820..53a02ab05 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst @@ -54,4 +54,5 @@ host configure, simply set this flag to ``true``: stackhpc_enable_cis_benchmark_hardening: true Alternatively, this can be toggled on a per-environment basis by -setting it in an environment specific config file. +setting it in an environment specific config file, or even on +targeted hosts by using group or host vars. diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index f35906344..a97151f6b 100644 --- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml @@ -1,7 +1,7 @@ --- - name: Security hardening - hosts: overcloud + hosts: cis-hardening become: true tasks: # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys. diff --git a/etc/kayobe/inventory/group_vars/all/stackhpc b/etc/kayobe/inventory/group_vars/all/stackhpc new file mode 100644 index 000000000..7c644efd9 --- /dev/null +++ b/etc/kayobe/inventory/group_vars/all/stackhpc 
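Review bot: Changing `hosts: overcloud` to `hosts: cis-hardening` makes the hardening depend on a group that only exists if the deployment's `inventory/groups` contains the `[cis-hardening:children]` stanza added in this commit; a site that maintains its own copy of that file will match no hosts, and Ansible merely warns about an unmatched host pattern, so the hardening is skipped silently. Consider an `upgrade` release note telling operators to add `[cis-hardening:children]` / `overcloud` to their groups file, or a short first play that fails when `groups['cis-hardening'] | default([])` is empty. Note also that any non-overcloud members of the group are presumably only hardened when the overcloud hook or a manual playbook run happens, since no seed host configure hook is added.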
@@ -0,0 +1,6 @@ +--- +############################################################################### +# Feature flags + +# Whether or not to run CIS benchmark hardening playbooks. Default is false. +stackhpc_enable_cis_benchmark_hardening: false \ No newline at end of file diff --git a/etc/kayobe/inventory/groups b/etc/kayobe/inventory/groups index d368b1bb2..e957bbc7e 100644 --- a/etc/kayobe/inventory/groups +++ b/etc/kayobe/inventory/groups @@ -125,3 +125,9 @@ rgws [mgrs] [osds] [rgws] + +############################################################################### +# Feature control groups + +[cis-hardening:children] +overcloud diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index 0df969b13..aea68f1ba 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml @@ -152,5 +152,5 @@ stackhpc_docker_registry_password: "{{ pulp_password }}" ############################################################################### # Feature flags -# Whether or not to run CIS benchmark hardening playbooks -stackhpc_enable_cis_benchmark_hardening: false +# Whether or not to run CIS benchmark hardening playbooks. Default is false. +#stackhpc_enable_cis_benchmark_hardening: From fd2efb342f6e33420d15dd57a6834dff78a4a5ec Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 21 Jun 2024 11:40:20 +0100 Subject: [PATCH 3/8] Fix hook --- etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml index 9c2e9e898..e9ce88d89 100644 --- a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml +++ b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml @@ -1,4 +1,4 @@ --- -import_playbook: ../../../ansible/cis.yml -when: stackhpc_enable_cis_benchmark_hardening | bool +- import_playbook: ../../../ansible/cis.yml + when: stackhpc_enable_cis_benchmark_hardening | bool 
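Review bot: The new `group_vars/all/stackhpc` file ends without a trailing newline (`\ No newline at end of file` closes its hunk), which yamllint flags and which turns the next addition to the file into a two-line diff; add the newline after `stackhpc_enable_cis_benchmark_hardening: false`. The same default now also appears, commented out, in `etc/kayobe/stackhpc.yml`, so a one-line comment in the group_vars file such as `# Effective default; the entry in etc/kayobe/stackhpc.yml is documentation only.` would save the next reader from wondering which one wins.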
From 16769f3937daa4e8c7051119dc48941c2a6a2867 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 27 Jun 2024 16:35:38 +0100 Subject: [PATCH 4/8] Stop changing permissions on files These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible. --- etc/kayobe/inventory/group_vars/overcloud/cis | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 40cd0692b..2b66cbee3 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -115,9 +115,22 @@ ubtu22cis_sshd: deny_users: "" deny_groups: "" -# Do not change /var/lib/docker permissions +# Stop the CIS benchmark scanning all files on every filesystem since this +# takes a long time. Related to the changing permissions block below. This +# would normally warn you about violations, but we can use Wazuh to continually +# monitor this. +ubtu22cis_rule_6_1_9: false +ubtu22cis_rule_6_1_10: false +ubtu22cis_rule_6_1_11: false +ubtu22cis_rule_6_1_12: false +ubtu22cis_rule_6_1_13: false + +# The following rules change permissions on all files on every mounted +# filesystem. We do not want to change /var/lib/docker permissions. ubtu22cis_no_group_adjust: false ubtu22cis_no_owner_adjust: false +ubtu22cis_no_world_write_adjust: false +ubtu22cis_suid_adjust: false # Configure log rotation to prevent audit logs from filling the disk ubtu22cis_auditd: From bc5d90b2b14a927e1d4065012b069cdc15a21aaf Mon Sep 17 00:00:00 2001 
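Review bot: Disabling `ubtu22cis_rule_6_1_9` through `ubtu22cis_rule_6_1_13` removes the audit of world-writable, unowned, ungrouped, SUID and SGID files, and the compensating control named in the comment (Wazuh) is not something this repository enforces, so an operator without Wazuh loses that check without being told. This commit also ships no release note, unlike the other behaviour changes in the series; add one under `security` or `upgrade` stating which audits are off and why. If the role offers a path exclusion for `/var/lib/docker`, that would keep the audit for the rest of the filesystem and would be preferable to turning the rules off. The RHEL 9 section of this same file is not touched, so either the overlay-filesystem problem is Ubuntu-only or the two distributions are now inconsistent; a comment saying which would help.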
From: Will Szumski Date: Fri, 28 Jun 2024 09:45:29 +0100 Subject: [PATCH 5/8] Do not disable IPV6 by default We are currently prevented in doing so by: https://bugs.launchpad.net/kolla-ansible/+bug/2071443 You only hit this issue after a reboot. --- etc/kayobe/inventory/group_vars/overcloud/cis | 6 ++++++ .../cis-do-not-disable-ipv6-98bd79ad86555f51.yaml | 12 ++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 40cd0692b..e2896abbd 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -133,4 +133,10 @@ ubtu22cis_max_log_file_size: 1024 # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false ubtu22cis_rule_1_4_3: false + +# The way this is disabled currently breaks kolla's IPV6 check, see: +# https://bugs.launchpad.net/kolla-ansible/+bug/2071443 +# Also matches RHEL hardening behavior. +ubtu22cis_ipv6_required: true + ############################################################################## diff --git a/releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml b/releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml new file mode 100644 index 000000000..beb0cffa1 --- /dev/null +++ b/releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml @@ -0,0 +1,12 @@ +--- +fixes: + - | + IPV6 is no longer disabled by default in the Ubuntu CIS hardening. If + using the old behaviour you may hit `2071443 + `. +upgrade: + - | + To match the new CIS benchmark defaults on Ubuntu, you should remove + the ``ipv6.disable=1`` kernel command line option. If you wish to carry + on with the current settings, change ``ubtu22cis_ipv6_required`` to + ``false``. From be8fccb7faa939438ba8cd5159ac67580ad22362 Mon Sep 17 00:00:00 2001 
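Review bot: Setting `ubtu22cis_ipv6_required: true` only stops future runs from disabling IPv6; it does not revert what a previous run already applied on hardened hosts, and the release note's upgrade step covers the `ipv6.disable=1` kernel argument but not any sysctl drop-in the role may have written (`net.ipv6.conf.all.disable_ipv6` and friends), depending on how the role disabled it. Extend the upgrade note to tell operators to check both and to reboot afterwards, since the kernel command line only changes on boot. With IPv6 left enabled the role's IPv6-specific hardening (router advertisements, redirects) presumably now applies, which deserves a sentence for sites that do not route IPv6. The inline comment `Also matches RHEL hardening behavior.` should name the variable it refers to so the claim can be checked.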
From: Will Szumski Date: Fri, 21 Jun 2024 17:23:44 +0100 Subject: [PATCH 6/8] Disables password expiration and inactivity policies This was causing the kayobe and kolla service accounts to be locked out of the system. --- etc/kayobe/ansible/cis.yml | 11 ++++++++++ etc/kayobe/inventory/group_vars/overcloud/cis | 20 +++++++++++++++++++ ...able-password-expiry-3c296c72d36cd9da.yaml | 7 +++++++ 3 files changed, 38 insertions(+) create mode 100644 releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index ffb31c2fe..f286aaec4 100644 --- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml @@ -18,6 +18,17 @@ state: absent when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' + - name: Ensure service accounts have no expiry options set + # This is to workaround an issue where we set the expiry to 365 days on kayobe + # service accounts in a previous iteration of the CIS benchmark hardening + # defaults. This should restore the defaults and can eventually be removed. + command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }} + become: true + changed_when: false + with_items: + - "{{ kayobe_ansible_user }}" + - "{{ kolla_ansible_user }}" + - include_role: name: ansible-lockdown.rhel8_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index b20843d37..2584484f0 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
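Review bot: The new `Ensure service accounts have no expiry options set` task runs before the `include_role` calls, so any aging rule the roles still apply afterwards overwrites what `chage` just set; the ordering only works because the rules that touch these accounts are disabled elsewhere, and that assumption is not written down. Either move the task after the role includes or add `# Must stay consistent with the disabled 5.5.1.x / 5.6.1.x rules in group_vars/overcloud/cis; the roles run after this task and would otherwise re-apply aging.` The `become: true` on the task is redundant with the play-level `become: true`, and `changed_when: false` hides the case where the task actually repaired a locked account, which is exactly when an operator would want to see it. If `kayobe_ansible_user` and `kolla_ansible_user` name the same account the command simply runs twice, which is harmless.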
@@ -75,6 +75,10 @@ rhel9cis_max_log_file_size: 1024 # `rhel9cis_bootloader_password_hash` rhel9cis_set_boot_pass: false +# NOTICE: rule disabled otherwise rule will prevent access to accounts +# as it will expire passwords older than one year. +rhel9cis_rule_5_6_1_1: false + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration @@ -159,4 +163,20 @@ ubtu22cis_max_log_file_size: 1024 # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false ubtu22cis_rule_1_4_3: false + +# Disable: Ensure minimum days between password changes is configured +ubtu22cis_rule_5_5_1_1: false + +# Disable: Ensure password expiration is 365 days or less +ubtu22cis_rule_5_5_1_2: false + +# Disable: Ensure password expiration warning days is 7 or more +ubtu22cis_rule_5_5_1_3: false + +# Disable: Ensure inactive password lock is 30 days or less +ubtu22cis_rule_5_5_1_4: false + +# Disable: Ensure all users last password change date is in the past +ubtu22cis_rule_5_5_1_5: false + ############################################################################## diff --git a/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml new file mode 100644 index 000000000..3ad5e55b9 --- /dev/null +++ b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml @@ -0,0 +1,7 @@ +--- +critical: + - | + Disables password expiration and inactivity policies. This caused the kayobe + and kolla service accounts to be locked out of the system. You should re-apply + the CIS benchmark hardening playbook as soon as possible to avoid being locked + out of your system. From ee35591b3b4aa878c954a9672a2ca2d623355531 Mon Sep 17 00:00:00 2001 
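Review bot: The Ubuntu side disables all five password-aging rules (`ubtu22cis_rule_5_5_1_1` to `ubtu22cis_rule_5_5_1_5`) while the RHEL 9 side disables only `rhel9cis_rule_5_6_1_1`, and the lockout described in the commit message is explained by expiry and the inactive lock, not by minimum days, warning days or the last-change-date check. Keeping `ubtu22cis_rule_5_5_1_1`, `ubtu22cis_rule_5_5_1_3` and `ubtu22cis_rule_5_5_1_5` enabled would leave the benchmark closer to intact for human accounts, or if they were disabled for a reason it belongs in the comment. I would also replace the bare `Disable:` prefixes with the reason, e.g. `# Disabled: expiry plus the inactive lock locks out the key-only kayobe/kolla service accounts.` on 5.5.1.2 and 5.5.1.4, so the next person does not re-enable them. Whether the RHEL role's inactive-lock rule also needs disabling is not evident from this hunk; worth confirming against the role defaults.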
From: Will Szumski Date: Wed, 10 Jul 2024 11:59:57 +0100 Subject: [PATCH 7/8] Update name of variable --- .../configuration/security-hardening.rst | 18 ++++++++++++++++-- etc/kayobe/environments/ci-aio/stackhpc.yml | 2 +- .../environments/ci-multinode/stackhpc.yml | 2 +- .../overcloud-host-configure/post.d/99-cis.yml | 2 +- etc/kayobe/inventory/group_vars/all/stackhpc | 2 +- etc/kayobe/stackhpc.yml | 2 +- .../notes/adds-cis-hook-8cec8d42103d075e.yaml | 2 +- 7 files changed, 22 insertions(+), 8 deletions(-) diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index 53a02ab05..40850767b 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst @@ -40,18 +40,32 @@ whether or not workloads or API requests are affected by any configuration chang kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml +Targetting additional hosts +--------------------------- + +The ``cis.yml`` playbook targets hosts in the ``cis-hardening`` group. By +default this includes the ``overcloud`` group. You can adjust this group +to suit your needs, e.g to add the seed VM: + +.. code-block:: yaml + :caption: $KAYOBE_CONFIG_PATH/inventory/groups + + [cis-hardening:children] + overcloud + seed + Enabling the host configure hook -------------------------------- A hook is pre-installed but its execution is guarded by the -``stackhpc_enable_cis_benchmark_hardening`` configuration option. +``stackhpc_enable_cis_benchmark_hardening_hook`` configuration option. If you want the hardening playbooks to run automatically, as part of host configure, simply set this flag to ``true``: .. code-block:: yaml :caption: $KAYOBE_CONFIG_PATH/stackhpc.yml - stackhpc_enable_cis_benchmark_hardening: true + stackhpc_enable_cis_benchmark_hardening_hook: true Alternatively, this can be toggled on a per-environment basis by setting it in an environment specific config file, or even on 
diff --git a/etc/kayobe/environments/ci-aio/stackhpc.yml b/etc/kayobe/environments/ci-aio/stackhpc.yml index d31ba2a59..a2c7858bb 100644 --- a/etc/kayobe/environments/ci-aio/stackhpc.yml +++ b/etc/kayobe/environments/ci-aio/stackhpc.yml @@ -1,3 +1,3 @@ --- -stackhpc_enable_cis_benchmark_hardening: true +stackhpc_enable_cis_benchmark_hardening_hook: true diff --git a/etc/kayobe/environments/ci-multinode/stackhpc.yml b/etc/kayobe/environments/ci-multinode/stackhpc.yml index d31ba2a59..a2c7858bb 100644 --- a/etc/kayobe/environments/ci-multinode/stackhpc.yml +++ b/etc/kayobe/environments/ci-multinode/stackhpc.yml @@ -1,3 +1,3 @@ --- -stackhpc_enable_cis_benchmark_hardening: true +stackhpc_enable_cis_benchmark_hardening_hook: true diff --git a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml index e9ce88d89..9c132efbc 100644 --- a/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml +++ b/etc/kayobe/hooks/overcloud-host-configure/post.d/99-cis.yml @@ -1,4 +1,4 @@ --- - import_playbook: ../../../ansible/cis.yml - when: stackhpc_enable_cis_benchmark_hardening | bool + when: stackhpc_enable_cis_benchmark_hardening_hook | bool diff --git a/etc/kayobe/inventory/group_vars/all/stackhpc b/etc/kayobe/inventory/group_vars/all/stackhpc index 7c644efd9..528733ebc 100644 --- a/etc/kayobe/inventory/group_vars/all/stackhpc +++ b/etc/kayobe/inventory/group_vars/all/stackhpc @@ -3,4 +3,4 @@ # Feature flags # Whether or not to run CIS benchmark hardening playbooks. Default is false. -stackhpc_enable_cis_benchmark_hardening: false \ No newline at end of file +stackhpc_enable_cis_benchmark_hardening_hook: false \ No newline at end of file diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index ffeee66d3..c149e9d7b 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml 
@@ -157,4 +157,4 @@ stackhpc_docker_registry_password: "{{ pulp_password }}" # Feature flags # Whether or not to run CIS benchmark hardening playbooks. Default is false. -#stackhpc_enable_cis_benchmark_hardening: +#stackhpc_enable_cis_benchmark_hardening_hook: diff --git a/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml b/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml index a78386f90..63c3bd0e0 100644 --- a/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml +++ b/releasenotes/notes/adds-cis-hook-8cec8d42103d075e.yaml @@ -3,5 +3,5 @@ features: - | Adds a hook to automatically run the CIS benchmark hardening playbooks as part of host configure. This is guarded by the - ``stackhpc_enable_cis_benchmark_hardening`` configuration option and is + ``stackhpc_enable_cis_benchmark_hardening_hook`` configuration option and is disabled by default. From 4bfa6177bd7a9165f1a964594ecf68c69d1933de Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 10 Jul 2024 12:13:36 +0100 Subject: [PATCH 8/8] Add note about needing to reboot --- doc/source/configuration/security-hardening.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst index 40850767b..e958011f7 100644 --- a/doc/source/configuration/security-hardening.rst +++ b/doc/source/configuration/security-hardening.rst 
@@ -31,6 +31,14 @@ about what each variable does. The documentation can be found here: Running the playbooks --------------------- +.. note:: + + The hosts may need rebooting to fully pick up all of the changes. The CIS + roles will warn you when this needs to be done, but the actual reboot is left + as a manual operation to allow you to select a convenient time. Generally, if + you are applying the hardening for the first time, then you will need to + reboot. + As there is potential for unintended side effects when applying the hardening playbooks, the playbooks are not currently enabled by default. It is recommended that they are first applied to a representative staging environment to determine