Enable CIS hardening for Ubuntu Noble

Author: Alex-Welsh

etc/kayobe/ansible/maintenance/cis.yml

@@ -36,7 +36,7 @@
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
 
-    - name: Run CIS hardening role (Ubuntu 22)
+    - name: Run CIS hardening role (Ubuntu 24)
       ansible.builtin.include_role:
-        name: ansible-lockdown.ubuntu22_cis
-      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
+        name: ansible-lockdown.ubuntu24_cis
+      when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '24'

etc/kayobe/inventory/group_vars/cis-hardening/cis

@@ -75,7 +75,9 @@ rhel9cis_rule_5_6_1_1: false
 
 ##############################################################################
 # Ubuntu Noble CIS Hardening Configuration
-# FIXME: These settings are untested, they are just carried over from Jammy
+
+# Stop general "High Disruption" tasks
+ubtu24cis_disruption_high: false
 
 # Ubuntu 24 CIS configuration
 # Disable changing routing rules
@@ -94,16 +96,15 @@ ubtu24cis_install_network_manager: false
 ubtu24cis_syslog_service: journald
 
 # Squashfs is compiled into the kernel
-ubtu24cis_rule_1_1_1_2: false
+# ubtu24cis_rule_1_1_1_2: false
 
 # This updates the system. Let's do this explicitly.
-ubtu24cis_rule_1_9: false
+# ubtu24cis_rule_1_9: false
 
 # Do not change Chrony Time servers
-ubtu24cis_rule_2_1_2_1: false
-
-# Disable CIS from touching sudoers
-ubtu24cis_rule_5_3_4: false
+ubtu22cis_rule_2_3_3_1: false
+ubtu22cis_rule_2_3_3_2: false
+ubtu22cis_rule_2_3_3_3: false
 
 # Add stack and kolla to allowed ssh users
 ubtu24cis_sshd:
@@ -144,21 +145,17 @@ ubtu24cis_sshd:
 # takes a long time. Related to the changing permissions block below. This
 # would normally warn you about violations, but we can use Wazuh to continually
 # monitor this.
-ubtu24cis_rule_6_1_9: false
-ubtu24cis_rule_6_1_10: false
-ubtu24cis_rule_6_1_11: false
-ubtu24cis_rule_6_1_12: false
-ubtu24cis_rule_6_1_13: false
+ubtu24cis_rule_6_3_1: true
+ubtu24cis_rule_6_3_2: true
+ubtu24cis_rule_6_3_3: true
 
 # The following rules change permissions on all files on every mounted
 # filesystem.  We do not want to change /var/lib/docker permissions.
-ubtu24cis_no_group_adjust: false
-ubtu24cis_no_owner_adjust: false
+ubtu24cis_ownership_adjust: false
 ubtu24cis_no_world_write_adjust: false
-ubtu24cis_suid_adjust: false
+ubtu24cis_suid_sgid_adjust: false
 
 # Prevent hardening from recursivley changing permissions on log files
-ubtu24cis_rule_4_2_3: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu24cis_auditd:
@@ -175,20 +172,17 @@ ubtu24cis_max_log_file_size: 1024
 ubtu24cis_rule_1_4_1: false
 ubtu24cis_rule_1_4_3: false
 
-# Disable: Ensure minimum days between password changes is configured
-ubtu24cis_rule_5_5_1_1: false
-
-# Disable: Ensure password expiration is 365 days or less
-ubtu24cis_rule_5_5_1_2: false
+# Disable minimum days between password changes
+ubtu24cis_rule_5_4_1_1: false
+ubtu24cis_rule_5_4_1_2: false
+ubtu24cis_rule_5_4_1_3: false
+ubtu24cis_rule_5_4_1_5: false
+ubtu24cis_rule_5_4_1_6: false
 
-# Disable: Ensure inactive password lock is 30 days or less
-ubtu24cis_rule_5_5_1_4: false
-
-# Disable: Ensure all users last password change date is in the past
-ubtu24cis_rule_5_5_1_5: false
+# Do not require a root password
+ubtu24cis_rule_5_4_2_4: false
 
 # The way this is disabled currently breaks kolla's IPV6 check, see:
 # https://bugs.launchpad.net/kolla-ansible/+bug/2071443
 # Also matches RHEL hardening behavior.
 ubtu24cis_ipv6_required: true
-