{"id":162,"sha1":"d0a0643d79e67f09324c8c138c8bf9369c27cfb3","playbook":{"id":2,"items":{"plays":18,"tasks":603,"results":2357,"hosts":15,"files":157,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:04:43.190296Z","ended":"2025-12-14T10:14:53.851603Z","duration":"00:10:10.661307","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2015, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Create temporary directory to hold any temporary files\n  ansible.builtin.tempfile:\n    state: directory\n    suffix: hardening\n  register: mktemp_result\n  when:\n    - not check_mode | bool\n  tags:\n    - always\n\n- name: Set a fact for the temporary directory\n  ansible.builtin.set_fact:\n    temp_dir: \"{{ mktemp_result.path }}\"\n  changed_when: false\n  when:\n    - not check_mode | bool\n  tags:\n    - always\n\n# Some of the tasks in the role may take a long time to run. Let's start them\n# as early as possible so they have time to finish.\n- name: Importing async_tasks tasks\n  ansible.builtin.import_tasks: async_tasks.yml\n- name: Get user data for all users on the system\n  get_users:\n    min_uid: 0\n  register: hardening_user_list\n  check_mode: false\n  tags:\n    - always\n\n- name: Get user data for all interactive users on the system\n  get_users:\n    min_uid: \"{{ security_interactive_user_minimum_uid }}\"\n  register: interactive_user_list\n  check_mode: false\n  tags:\n    - always\n\n# NOTE(mhayden): EPEL is only needed for the clamav packages. We should only\n# install EPEL if the deployer asked for clamav to be installed.\n- name: Install EPEL repository\n  ansible.builtin.dnf:\n    name: \"{{ security_epel_release_package }}\"\n    state: \"{{ security_package_state }}\"\n  when:\n    - ansible_facts['pkg_mgr'] == 'dnf'\n    - security_epel_install_repository | bool\n    - security_enable_virus_scanner | bool\n  tags:\n    - always\n\n# Package installations and removals must come first so that configuration\n# changes can be made later.\n- name: Importing packages tasks\n  ansible.builtin.import_tasks: packages.yml\n  tags:\n    - always\n\n# Package managers are managed first since the changes in these tasks will\n# affect the remainder of the tasks in the role.\n- name: Including OS-specific tasks\n  ansible.builtin.include_tasks: \"{{ ansible_facts['pkg_mgr'] }}.yml\"\n\n# The bulk of the security changes are applied in these tasks. The tasks in\n# each file are tagged with the same name (for example, tasks in `auth.yml`\n# are tagged with `auth`). Also, the tag name matches up with the \"STIG\n# Controls by Tag\" section of the role documentation.\n- name: Importing accounts tasks\n  ansible.builtin.import_tasks: accounts.yml\n- name: Importing aide tasks\n  ansible.builtin.import_tasks: aide.yml\n  when: security_rhel7_enable_aide | bool\n- name: Importing auditd tasks\n  ansible.builtin.import_tasks: auditd.yml\n- name: Importing auth tasks\n  ansible.builtin.import_tasks: auth.yml\n- name: Importing file_perms tasks\n  ansible.builtin.import_tasks: file_perms.yml\n- name: Importing graphical tasks\n  ansible.builtin.import_tasks: graphical.yml\n- name: Importing kernel tasks\n  ansible.builtin.import_tasks: kernel.yml\n- name: Importing lsm tasks\n  ansible.builtin.import_tasks: lsm.yml\n- name: Importing misc tasks\n  ansible.builtin.import_tasks: misc.yml\n- name: Importing sshd tasks\n  ansible.builtin.import_tasks: sshd.yml\n\n- name: Remove the temporary directory\n  ansible.builtin.file:\n    path: \"{{ temp_dir }}\"\n    state: absent\n  changed_when: false\n  when:\n    - not check_mode | bool\n  tags:\n    - always\n","created":"2025-12-14T10:13:41.672501Z","updated":"2025-12-14T10:13:41.672513Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/main.yml"}