stackhpc · jovial · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024 · Jun 27, 2024
@@ -31,6 +31,14 @@ about what each variable does. The documentation can be found here:
 Running the playbooks
 ---------------------
 
+.. note::
+
+  The hosts may need rebooting to fully pick up all of the changes. The CIS
+  roles will warn you when this needs to be done, but the actual reboot is left
+  as a manual operation to allow you to select a convenient time. Generally, if
+  you are applying the hardening for the first time, then you will need to
+  reboot.
+
 As there is potential for unintended side effects when applying the hardening
 playbooks, the playbooks are not currently enabled by default. It is recommended
 that they are first applied to a representative staging environment to determine
@@ -40,3 +48,33 @@ whether or not workloads or API requests are affected by any configuration chang
 
     kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
 
+Targetting additional hosts
+---------------------------
+
+The ``cis.yml`` playbook targets hosts in the ``cis-hardening`` group. By
+default this includes the ``overcloud`` group. You can adjust this group
+to suit your needs, e.g to add the seed VM:
+
+.. code-block:: yaml
+  :caption: $KAYOBE_CONFIG_PATH/inventory/groups
+
+  [cis-hardening:children]
+  overcloud
+  seed
+
+Enabling the host configure hook
+--------------------------------
+
+A hook is pre-installed but its execution is guarded by the
+``stackhpc_enable_cis_benchmark_hardening_hook`` configuration option.
+If you want the hardening playbooks to run automatically, as part of
+host configure, simply set this flag to ``true``:
+
+.. code-block:: yaml
+  :caption: $KAYOBE_CONFIG_PATH/stackhpc.yml
+
+    stackhpc_enable_cis_benchmark_hardening_hook: true
+
+Alternatively, this can be toggled on a per-environment basis by
+setting it in an environment specific config file, or even on
+targeted hosts by using group or host vars.
@@ -1,7 +1,7 @@
 ---
 
 - name: Security hardening
-  hosts: overcloud
+  hosts: cis-hardening
   become: true
   tasks:
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
@@ -19,6 +19,17 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Ensure service accounts have no expiry options set
+      # This is to workaround an issue where we set the expiry to 365 days on kayobe
+      # service accounts in a previous iteration of the CIS benchmark hardening
+      # defaults. This should restore the defaults and can eventually be removed.
+      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      become: true
+      changed_when: false
+      with_items:
+        - "{{ kayobe_ansible_user }}"
+        - "{{ kolla_ansible_user }}"
+
     - include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'

@@ -0,0 +1,3 @@
+---
+
+stackhpc_enable_cis_benchmark_hardening_hook: true
@@ -0,0 +1,3 @@
+---
+
+stackhpc_enable_cis_benchmark_hardening_hook: true
@@ -0,0 +1,4 @@
+---
+
+- import_playbook: ../../../ansible/cis.yml
+  when: stackhpc_enable_cis_benchmark_hardening_hook | bool
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Feature flags
+
+# Whether or not to run CIS benchmark hardening playbooks. Default is false.
+stackhpc_enable_cis_benchmark_hardening_hook: false
@@ -49,6 +49,10 @@ rhel9cis_max_log_file_size: 1024
 # `rhel9cis_bootloader_password_hash`
 rhel9cis_set_boot_pass: false
 
+# NOTICE: rule disabled otherwise rule will prevent access to accounts
+# as it will expire passwords older than one year.
+rhel9cis_rule_5_6_1_1: false
+
 ##############################################################################
 # Ubuntu Jammy CIS Hardening Configuration
 
@@ -115,9 +119,22 @@ ubtu22cis_sshd:
   deny_users: ""
   deny_groups: ""
 
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem.  We do not want to change /var/lib/docker permissions.
 ubtu22cis_no_group_adjust: false
 ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
@@ -133,4 +150,25 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# The way this is disabled currently breaks kolla's IPV6 check, see:
+# https://bugs.launchpad.net/kolla-ansible/+bug/2071443
+# Also matches RHEL hardening behavior.
+ubtu22cis_ipv6_required: true
+
+# Disable: Ensure minimum days between password changes is configured
+ubtu22cis_rule_5_5_1_1: false
+
+# Disable: Ensure password expiration is 365 days or less
+ubtu22cis_rule_5_5_1_2: false
+
+# Disable: Ensure password expiration warning days is 7 or more
+ubtu22cis_rule_5_5_1_3: false
+
+# Disable: Ensure inactive password lock is 30 days or less
+ubtu22cis_rule_5_5_1_4: false
+
+# Disable: Ensure all users last password change date is in the past
+ubtu22cis_rule_5_5_1_5: false
+
 ##############################################################################
@@ -125,3 +125,9 @@ rgws
 [mgrs]
 [osds]
 [rgws]
+
+###############################################################################
+# Feature control groups
+
+[cis-hardening:children]
+overcloud
@@ -152,3 +152,9 @@ stackhpc_docker_registry: "{{ pulp_url | regex_replace('^https?://', '') }}"
 # Username and password of container registry.
 stackhpc_docker_registry_username: "{{ pulp_username }}"
 stackhpc_docker_registry_password: "{{ pulp_password }}"
+
+###############################################################################
+# Feature flags
+
+# Whether or not to run CIS benchmark hardening playbooks. Default is false.
+#stackhpc_enable_cis_benchmark_hardening_hook:
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds a hook to automatically run the CIS benchmark hardening playbooks as
+    part of host configure. This is guarded by the
+    ``stackhpc_enable_cis_benchmark_hardening_hook`` configuration option and is
+    disabled by default.
@@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    IPV6 is no longer disabled by default in the Ubuntu CIS hardening.  If
+    using the old behaviour you may hit `2071443
+    <https://bugs.launchpad.net/kolla-ansible/+bug/2071443>`.
+upgrade:
+  - |
+    To match the new CIS benchmark defaults on Ubuntu, you should remove
+    the ``ipv6.disable=1`` kernel command line option. If you wish to carry
+    on with the current settings, change ``ubtu22cis_ipv6_required`` to
+    ``false``.
@@ -0,0 +1,7 @@
+---
+critical:
+  - |
+    Disables password expiration and inactivity policies. This caused the kayobe
+    and kolla service accounts to be locked out of the system. You should re-apply
+    the CIS benchmark hardening playbook as soon as possible to avoid being locked
+    out of your system.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		---

		stackhpc_enable_cis_benchmark_hardening_hook: true