From c507b600aeac4ef8910f54ce133f337195410154 Mon Sep 17 00:00:00 2001
From: Will Szumski <will@stackhpc.com>
Date: Thu, 16 Nov 2023 15:48:25 +0000
Subject: [PATCH 1/2] Fixes various issues with the cis.yml playbook

See release note for details.
---
 .../configuration/security-hardening.rst      | 10 +++++
 etc/kayobe/ansible/requirements.yml           | 12 +++---
 etc/kayobe/inventory/group_vars/overcloud/cis | 42 ++++++++++++-------
 requirements.txt                              |  1 +
 4 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst
index 2d7c6a6fd..2d48c4e06 100644
--- a/doc/source/configuration/security-hardening.rst
+++ b/doc/source/configuration/security-hardening.rst
@@ -33,6 +33,16 @@ about what each variable does. The documentation can be found here:
 Running the playbooks
 ---------------------
 
+.. note:
+
+  On CentOS 8, you must run with `INJECT_FACT_AS_VARS <https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars>`__
+  enabled. To do this you for this playbook only, you can use:
+
+  .. code-block: shell
+
+    ANSIBLE_INJECT_FACT_VARS=true kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cis.yml
+
+
 As there is potential for unintended side effects when applying the hardening
 playbooks, the playbooks are not currently enabled by default. It is recommended
 that they are first applied to a representative staging environment to determine
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index 91408df6e..6963dfafc 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -16,15 +16,15 @@ roles:
     src: https://github.com/ansible-lockdown/RHEL8-CIS
     version: 1.3.0
   - name: ansible-lockdown.ubuntu22_cis
-    src: https://github.com/ansible-lockdown//UBUNTU22-CIS
-    #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/132
+    src: https://github.com/stackhpc/UBUNTU22-CIS
+    #FIXME: https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/174
     # to be in a tagged release
-    version: c91a1038fd218f727075d21b2d0880751322b162
+    version: bugfix/inject-facts
   - name: ansible-lockdown.rhel9_cis
-    src: https://github.com/ansible-lockdown/RHEL9-CIS
-    #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/54
+    src: https://github.com/stackhpc/RHEL9-CIS
+    #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/115
     # to be in a tagged release.
-    version: 3525cb6aab12a3d1e34aa8432ed77dd76be6a44a
+    version: bugfix/inject-facts
   - name: wazuh-ansible
     src: https://github.com/stackhpc/wazuh-ansible
     version: stackhpc
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index 519aeab8b..b20843d37 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -71,6 +71,10 @@ rhel9cis_auditd:
 # Max size of audit logs (MB)
 rhel9cis_max_log_file_size: 1024
 
+# Disable setting of boatloader password. This requires setting the variable
+# `rhel9cis_bootloader_password_hash`
+rhel9cis_set_boot_pass: false
+
 ##############################################################################
 # Ubuntu Jammy CIS Hardening Configuration
 
@@ -106,27 +110,35 @@ ubtu22cis_rule_5_3_4: false
 ubtu22cis_sshd:
   log_level: "INFO"
   max_auth_tries: 4
-  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
-  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
-  kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+  ciphers:
+      - chacha20-poly1305@openssh.com
+      - aes256-gcm@openssh.com
+      - aes128-gcm@openssh.com
+      - aes256-ctr
+      - aes192-ctr
+      - aes128-ctr
+  macs:
+      - hmac-sha2-512-etm@openssh.com
+      - hmac-sha2-256-etm@openssh.com
+      - hmac-sha2-512
+      - hmac-sha2-256
+  kex_algorithms:
+      - curve25519-sha256
+      - curve25519-sha256@libssh.org
+      - diffie-hellman-group14-sha256
+      - diffie-hellman-group16-sha512
+      - diffie-hellman-group18-sha512
+      - ecdh-sha2-nistp521
+      - ecdh-sha2-nistp384
+      - ecdh-sha2-nistp256
+      - diffie-hellman-group-exchange-sha256
   client_alive_interval: 300
   client_alive_count_max: 3
   login_grace_time: 60
-  max_sessions: 10
+  max_sessions: 8
   allow_users: "kolla stack ubuntu"
   allow_groups: "kolla stack ubuntu"
-  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
-  # for users whose user name matches one of the patterns. This is done
-  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
-  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, see https://linux.die.net/man/5/sshd_config
   deny_users: ""
-  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
-  # for users whose primary group or supplementary group list matches one of the patterns. This is done
-  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, see https://linux.die.net/man/5/sshd_config
   deny_groups: ""
 
 # Do not change /var/lib/docker permissions
diff --git a/requirements.txt b/requirements.txt
index da44bf018..0ca7aab63 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/yoga
 ansible-modules-hashivault@git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc;python_version < "3.8"
 ansible-modules-hashivault;python_version >= "3.8"
+jmespath

From b35e143ea82e82d55b54e377f2a406f76d23bfc4 Mon Sep 17 00:00:00 2001
From: Will Szumski <will@stackhpc.com>
Date: Fri, 17 Nov 2023 17:07:50 +0000
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Mark Goddard <mark@stackhpc.com>
---
 doc/source/configuration/security-hardening.rst | 2 +-
 etc/kayobe/ansible/requirements.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/source/configuration/security-hardening.rst b/doc/source/configuration/security-hardening.rst
index 2d48c4e06..a65812513 100644
--- a/doc/source/configuration/security-hardening.rst
+++ b/doc/source/configuration/security-hardening.rst
@@ -36,7 +36,7 @@ Running the playbooks
 .. note:
 
   On CentOS 8, you must run with `INJECT_FACT_AS_VARS <https://docs.ansible.com/ansible/latest/reference_appendices/config.html#inject-facts-as-vars>`__
-  enabled. To do this you for this playbook only, you can use:
+  enabled. To do this for this playbook only, you can use:
 
   .. code-block: shell
 
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index 6963dfafc..b66c45052 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -17,7 +17,7 @@ roles:
     version: 1.3.0
   - name: ansible-lockdown.ubuntu22_cis
     src: https://github.com/stackhpc/UBUNTU22-CIS
-    #FIXME: https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/174
+    #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/174
     # to be in a tagged release
     version: bugfix/inject-facts
   - name: ansible-lockdown.rhel9_cis