diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
new file mode 100644
index 000000000..ce6445359
--- /dev/null
+++ b/etc/kayobe/ansible/cis.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Security hardening
+ hosts: overcloud
+ become: true
+ tasks:
+ - name: Remove /etc/motd
+ # See remediation in:
+ # https://github.com/wazuh/wazuh/blob/bfa4efcf11e288c0a8809dc0b45fdce42fab8e0d/ruleset/sca/centos/8/cis_centos8_linux.yml#L777
+ file:
+ path: /etc/motd
+ state: absent
+
+ - include_role:
+ name: ansible-lockdown.rhel8_cis
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index 77aaa9f99..88378502a 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -6,3 +6,6 @@ collections:
 version: 0.4.1
 roles:
 - src: stackhpc.vxlan
+ - name: ansible-lockdown.rhel8_cis
+ src: https://github.com/ansible-lockdown/RHEL8-CIS
+ version: 1.3.0
diff --git a/etc/kayobe/inventory/group_vars/controllers/cis b/etc/kayobe/inventory/group_vars/controllers/cis
new file mode 100644
index 000000000..354a5353f
--- /dev/null
+++ b/etc/kayobe/inventory/group_vars/controllers/cis
@@ -0,0 +1,4 @@
+---
+
+rhel8cis_is_router: true
+
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
new file mode 100644
index 000000000..81fb151e8
--- /dev/null
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
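Review bot: The `include_role` task closing the cis.yml hunk has no `name`, so the step that applies the entire CIS baseline — by far the most state-changing task in this play — is reported in run output only by its role name, unlike the preceding `Remove /etc/motd` task. Give it one, e.g. `- name: Apply RHEL 8 CIS hardening role` directly above `include_role:`. Since the play targets every `overcloud` host with `become: true`, a short comment on the play pointing at the group_vars files where individual rules are skipped would let an operator see what is, and is not, going to change before running it.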
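Review bot: `version: 1.3.0` on the new `ansible-lockdown.rhel8_cis` entry in requirements.yml pins a git tag, and tags are mutable references, so the content fetched for this privileged, fleet-wide hardening role can change without this file changing. Since ansible-galaxy checks a git `src` out by `version`, a commit hash should also be accepted if an immutable pin is wanted, e.g. `version: <COMMIT-SHA-PLACEHOLDER>  # tag 1.3.0`. Either way, a comment recording which upstream release the pin corresponds to keeps the intent visible when it is next bumped.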
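Review bot: `rhel8cis_is_router: true` in group_vars/controllers/cis is the only variable in these new group_vars files without a NOTE comment, although it carries a security trade-off: if I read the role's defaults correctly it tells the role to leave IP forwarding and related network-parameter rules (CIS section 3.1) unenforced on controllers. A one-line reason in the style of the overcloud file, e.g. `# NOTE: controllers forward traffic, so the 3.1 host-only network rules must not apply` (confirm the actual reason), would let a later reader judge whether the exception still holds. The file also ends with an extra blank line that yamllint's default `empty-lines` rule will flag.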
@@ -0,0 +1,24 @@
+---
+
+# NOTE: kayobe configures NTP. Do not clobber configuration.
+rhel8cis_time_synchronization: skip
+rhel8cis_rule_2_2_1_1: false
+rhel8cis_rule_2_2_1_2: false
+
+# NOTE: disable CIS rolefirewall configuration
+rhel8cis_firewall: skip
+rhel8cis_rule_3_4_1_1: false
+
+# NOTE: kayobe does not currently support selinux
+rhel8cis_selinux_disable: true
+
+# NOTE: This updates the system. Let's do this explicitly.
+rhel8cis_rule_1_9: false
+
+# NOTE: FUTURE breaks wazuh agent repo metadata download
+rhel8cis_crypto_policy: FIPS
+
+# NOTE: We will remove /etc/motd instead. This prevents a duplicate warning
+# from being displayed.
+rhel8cis_rule_1_8_1_1: false
+rhel8cis_rule_1_8_1_4: false
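Review bot: `rhel8cis_selinux_disable: true` appears to instruct the role to actively disable SELinux on every overcloud host rather than merely skip the SELinux rules, yet the comment above it only says kayobe does not support SELinux. If hosts are already permissive or disabled that is worth stating as a no-op; if not, this is a deliberate security regression the comment should call out and track, e.g. `# NOTE: kayobe does not currently support selinux, so the role is told to disable it (confirm effect; tracked in <ISSUE-PLACEHOLDER>)`. Likewise, the NOTE above `rhel8cis_crypto_policy: FIPS` explains why FUTURE is avoided but not why FIPS was chosen over DEFAULT, and `rolefirewall` in the firewall NOTE should read `role firewall`.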