Enable CIS hardening for Ubuntu Noble

Alex-Welsh · stackhpc-ci · commit 3f00e9a2037f · 2025-10-24T16:13:08.000+01:00
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -1,5 +1,5 @@
 ---
-- name: Security hardening
+- name: CIS - Prerequisites
   hosts: cis-hardening
   become: true
   tags:
@@ -31,12 +31,18 @@
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
+- name: Security hardening
+  hosts: cis-hardening
+  become: true
+  tags:
+    - cis
+  tasks:
     - name: Run CIS hardening role (RHEL 9)
       ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
 
-    - name: Run CIS hardening role (Ubuntu 22)
+    - name: Run CIS hardening role (Ubuntu 24)
       ansible.builtin.include_role:
-        name: ansible-lockdown.ubuntu22_cis
-      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+        name: ansible-lockdown.ubuntu24_cis
+      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '24'
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
@@ -17,7 +17,7 @@ roles:
     version: 1.1.0
   - name: ansible-lockdown.ubuntu24_cis
     src: https://github.com/ansible-lockdown/UBUNTU24-CIS
-    version: 1.0.1
+    version: 1.0.4
   - name: ansible-lockdown.rhel9_cis
     src: https://github.com/ansible-lockdown/RHEL9-CIS
     version: v1.3.4
diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis
@@ -75,7 +75,9 @@ rhel9cis_rule_5_6_1_1: false
 
 ##############################################################################
 # Ubuntu Noble CIS Hardening Configuration
-# FIXME: These settings are untested, they are just carried over from Jammy
+
+# Stop general "High Disruption" tasks
+ubtu24cis_disruption_high: false
 
 # Ubuntu 24 CIS configuration
 # Disable changing routing rules
@@ -93,17 +95,16 @@ ubtu24cis_install_network_manager: false
 # Set syslog service to journald
 ubtu24cis_syslog_service: journald
 
-# Squashfs is compiled into the kernel
-ubtu24cis_rule_1_1_1_2: false
+# Allow rsync server
+ubtu24cis_rsync_server: true
 
-# This updates the system. Let's do this explicitly.
-ubtu24cis_rule_1_9: false
+# AIDE doesn't play well with hosts that have been upgraded from Jammy to Noble
+ubtu24cis_config_aide: false
 
 # Do not change Chrony Time servers
-ubtu24cis_rule_2_1_2_1: false
-
-# Disable CIS from touching sudoers
-ubtu24cis_rule_5_3_4: false
+ubtu24cis_rule_2_3_3_1: false
+ubtu24cis_rule_2_3_3_2: false
+ubtu24cis_rule_2_3_3_3: false
 
 # Add stack and kolla to allowed ssh users
 ubtu24cis_sshd:
@@ -144,21 +145,15 @@ ubtu24cis_sshd:
 # takes a long time. Related to the changing permissions block below. This
 # would normally warn you about violations, but we can use Wazuh to continually
 # monitor this.
-ubtu24cis_rule_6_1_9: false
-ubtu24cis_rule_6_1_10: false
-ubtu24cis_rule_6_1_11: false
-ubtu24cis_rule_6_1_12: false
-ubtu24cis_rule_6_1_13: false
+ubtu24cis_rule_6_3_1: true
+ubtu24cis_rule_6_3_2: true
+ubtu24cis_rule_6_3_3: true
 
 # The following rules change permissions on all files on every mounted
 # filesystem.  We do not want to change /var/lib/docker permissions.
-ubtu24cis_no_group_adjust: false
-ubtu24cis_no_owner_adjust: false
+ubtu24cis_ownership_adjust: false
 ubtu24cis_no_world_write_adjust: false
-ubtu24cis_suid_adjust: false
-
-# Prevent hardening from recursivley changing permissions on log files
-ubtu24cis_rule_4_2_3: false
+ubtu24cis_suid_sgid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu24cis_auditd:
@@ -175,20 +170,21 @@ ubtu24cis_max_log_file_size: 1024
 ubtu24cis_rule_1_4_1: false
 ubtu24cis_rule_1_4_3: false
 
-# Disable: Ensure minimum days between password changes is configured
-ubtu24cis_rule_5_5_1_1: false
 
-# Disable: Ensure password expiration is 365 days or less
-ubtu24cis_rule_5_5_1_2: false
+# Disable minimum days between password changes
+ubtu24cis_rule_5_4_1_1: false
+ubtu24cis_rule_5_4_1_2: false
+ubtu24cis_rule_5_4_1_3: false
+ubtu24cis_rule_5_4_1_5: false
+ubtu24cis_rule_5_4_1_6: false
 
-# Disable: Ensure inactive password lock is 30 days or less
-ubtu24cis_rule_5_5_1_4: false
+# Do not require a sudo password
+ubtu24cis_rule_5_2_4: false
 
-# Disable: Ensure all users last password change date is in the past
-ubtu24cis_rule_5_5_1_5: false
+# Do not require a root password
+ubtu24cis_rule_5_4_2_4: false
 
 # The way this is disabled currently breaks kolla's IPV6 check, see:
 # https://bugs.launchpad.net/kolla-ansible/+bug/2071443
 # Also matches RHEL hardening behavior.
 ubtu24cis_ipv6_required: true
-
