{"id":174,"sha1":"178f2bdb143bdeddde61852a194447477cd76af3","playbook":{"id":2,"items":{"plays":18,"tasks":603,"results":2357,"hosts":15,"files":157,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:04:43.190296Z","ended":"2025-12-14T10:14:53.851603Z","duration":"00:10:10.661307","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Check autofs service\n  ansible.builtin.command: systemctl status autofs # noqa: command-instead-of-module\n  register: autofs_check\n  failed_when: autofs_check.rc not in [0,3,4]\n  changed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: V-71985 - File system automounter must be disabled unless required.\n  ansible.builtin.service:\n    name: autofs\n    state: stopped\n    enabled: false\n  when:\n    - autofs_check.rc not in [3,4]\n    - security_rhel7_disable_autofs | bool\n  tags:\n    - medium\n    - misc\n    - V-71985\n\n# NOTE(noonedeadpunk): We run this twice because of the ansible bug:\n#                      https://github.com/ansible/ansible/issues/68680\n# This returns an exit code of 0 if it's running, 3 if it's masked.\n- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled\n  ansible.builtin.systemd:\n    name: ctrl-alt-del.target\n    enabled: false\n  when:\n    - security_rhel7_disable_ctrl_alt_delete | bool\n  tags:\n    - high\n    - misc\n    - V-71993\n\n- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled\n  ansible.builtin.systemd:\n    name: ctrl-alt-del.target\n    masked: true\n    daemon_reload: true\n  when:\n    - security_rhel7_disable_ctrl_alt_delete | bool\n  tags:\n    - high\n    - misc\n    - V-71993\n\n- name: Check for /home on mounted filesystem\n  ansible.builtin.debug:\n    msg: |\n      The STIG requires that /home is on its own filesystem, but this system\n      does not appear to be following the requirement.\n  when:\n    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0\n  tags:\n    - low\n    - misc\n    - V-72059\n\n- name: Check for /var on mounted filesystem\n  ansible.builtin.debug:\n    msg: |\n      The STIG requires that /var is on its own filesystem, but this system\n      does not appear to be following the requirement.\n  when:\n    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0\n  tags:\n    - low\n    - misc\n    - V-72067\n\n- name: Check for /var/log/audit on mounted filesystem\n  ansible.builtin.debug:\n    msg: |\n      The STIG requires that /var/log/audit is on its own filesystem, but this system\n      does not appear to be following the requirement.\n  when:\n    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0\n  tags:\n    - low\n    - misc\n    - V-72063\n\n- name: Check for /tmp on mounted filesystem\n  ansible.builtin.debug:\n    msg: |\n      The STIG requires that /tmp is on its own filesystem, but this system\n      does not appear to be following the requirement.\n  when:\n    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0\n  tags:\n    - low\n    - misc\n    - V-72065\n\n- name: Check if syslog output is being sent to another server\n  ansible.builtin.command: 'grep \"^[^#].*@\" /etc/rsyslog.conf'\n  register: rsyslog_transmit_check\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: V-72209 - The system must send rsyslog output to a log aggregation server.\n  ansible.builtin.debug:\n    msg: Output from syslog must be sent to another server.\n  when:\n    - rsyslog_transmit_check is defined\n    - rsyslog_transmit_check.rc != 0\n  tags:\n    - medium\n    - misc\n    - V-72209\n\n- name: Check if ClamAV is installed\n  ansible.builtin.stat:\n    path: /usr/bin/clamdscan\n  register: clamav_install_check\n  changed_when: false\n  tags:\n    - always\n\n- name: Remove 'Example' line from ClamAV configuration files\n  ansible.builtin.lineinfile:\n    dest: \"{{ item }}\"\n    regexp: \"^Example\"\n    state: absent\n  with_items:\n    - /etc/freshclam.conf\n    - /etc/clamd.d/scan.conf\n  when:\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n    - ansible_facts['os_family'] | lower == 'redhat'\n  notify:\n    - Restart clamav\n  tags:\n    - misc\n    - V-72213\n\n- name: Set ClamAV server type as socket\n  ansible.builtin.lineinfile:\n    dest: /etc/clamd.d/scan.conf\n    regexp: \"^(#)?LocalSocket (.*)$\"\n    line: \"LocalSocket {{ clamav_service_details['socket_path'] }}\"\n    backrefs: true\n  when:\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n    - ansible_facts['os_family'] | lower == 'redhat'\n  notify:\n    - Restart clamav\n  tags:\n    - misc\n    - V-72213\n\n- name: Ensure ClamAV socket directory exists\n  ansible.builtin.file:\n    path: \"{{ clamav_service_details['socket_path'] | dirname }}\"\n    owner: \"{{ clamav_service_details['user'] }}\"\n    group: \"{{ clamav_service_details['group'] }}\"\n    mode: \"{{ clamav_service_details['mode'] }}\"\n  when:\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n    - ansible_facts['os_family'] | lower == 'redhat'\n  notify:\n    - Restart clamav\n  tags:\n    - misc\n    - V-72213\n\n- name: Allow automatic freshclam updates\n  ansible.builtin.lineinfile:\n    dest: /etc/sysconfig/freshclam\n    regexp: \"^FRESHCLAM_DELAY\"\n    state: absent\n  when:\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n    - ansible_facts['os_family'] | lower == 'redhat'\n  notify:\n    - Restart clamav\n  tags:\n    - misc\n    - V-72213\n\n- name: Check if ClamAV update process is already running\n  ansible.builtin.shell: \"set -o pipefail; ps -ef | grep -E [f]reshclam -q\"\n  register: freshclam_proc\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: Update ClamAV database\n  ansible.builtin.command: freshclam\n  changed_when: false\n  when:\n    - freshclam_proc.rc != 0\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n    - security_run_virus_scanner_update | bool\n  async: 300\n  poll: 5\n  tags:\n    - misc\n    - V-72213\n\n- name: Ensure ClamAV is running\n  ansible.builtin.service:\n    name: \"{{ clamav_service }}\"\n    state: started\n    enabled: true\n  when:\n    - clamav_install_check.stat.exists\n    - security_enable_virus_scanner | bool\n  tags:\n    - misc\n    - V-72213\n\n- name: V-72223 - Set 10 minute timeout on communication sessions\n  ansible.builtin.blockinfile:\n    dest: /etc/profile\n    state: present\n    insertbefore: EOF\n    marker: \"# {mark} MANAGED BY ANSIBLE-HARDENING\"\n    block: |\n      # Set a {{ security_rhel7_session_timeout }} second timeout for sessions\n      TMOUT={{ security_rhel7_session_timeout }}\n      readonly TMOUT\n      export TMOUT\n  tags:\n    - medium\n    - misc\n    - V-72223\n\n- name: Start and enable chrony\n  ansible.builtin.service:\n    name: \"{{ chrony_service }}\"\n    state: started\n    enabled: true\n  when:\n    - not check_mode\n    - security_rhel7_enable_chrony | bool\n  tags:\n    - medium\n    - misc\n    - V-72269\n\n- name: Check if chrony configuration file exists\n  ansible.builtin.stat:\n    path: \"{{ chrony_conf_file }}\"\n  register: chrony_conf_check\n  tags:\n    - always\n\n- name: V-72269 - Synchronize system clock (configuration file)\n  ansible.builtin.template:\n    src: chrony.conf.j2\n    dest: \"{{ chrony_conf_file }}\"\n    mode: \"0644\"\n  when:\n    - chrony_conf_check.stat.exists | bool\n    - security_rhel7_enable_chrony | bool\n  notify:\n    - Restart chrony\n  tags:\n    - medium\n    - misc\n    - V-72269\n\n# Returns 0 if installed, 3 if not installed\n- name: Check firewalld status\n  ansible.builtin.command: systemctl status firewalld\n  register: firewalld_status_check\n  failed_when: firewalld_status_check.rc not in [0,3,4]\n  changed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: Ensure firewalld is running and enabled\n  ansible.builtin.service:\n    name: firewalld\n    state: started\n    enabled: true\n  when:\n    - firewalld_status_check.rc not in [3,4]\n    - security_enable_firewalld | bool\n  tags:\n    - medium\n    - misc\n    - V-72273\n\n- name: Limit new TCP connections to 25/minute and allow bursting to 100\n  ansible.builtin.command: >-\n    firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{\n      security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT\n  register: add_rate_limit_firewalld_rule\n  changed_when: \"'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout\"\n  when:\n    - firewalld_status_check.rc != 3\n    - security_enable_firewalld_rate_limit | bool\n  tags:\n    - medium\n    - misc\n    - V-72271\n\n# Linting checks need to be skipped because this command doesn't create any\n# files.\n- name: Count nameserver entries in /etc/resolv.conf\n  command: grep ^nameserver /etc/resolv.conf\n  register: nameserver_check\n  check_mode: false\n  changed_when: false\n  failed_when: false\n  tags:\n    - always\n    - skip_ansible_lint\n\n- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.\n  ansible.builtin.debug:\n    msg: |\n      Two or more nameservers must be configured in /etc/resolv.conf.\n      Nameservers found: {{ nameserver_check.stdout_lines | length }}\n  when:\n    - nameserver_check is defined\n    - nameserver_check.stdout_lines | length < 2\n  tags:\n    - low\n    - misc\n    - V-72281\n\n- name: Check for interfaces in promiscuous mode\n  ansible.builtin.shell: \"set -o pipefail; ip link | grep -i promisc\"\n  register: promiscuous_interface_check\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: V-72295 - Network interfaces must not be in promiscuous mode.\n  ansible.builtin.debug:\n    msg: >\n      One or more network interfaces were found to be in promiscuous mode.\n      Review all interfaces and disable promiscuous mode.\n  when:\n    - promiscuous_interface_check.rc == 0\n  tags:\n    - medium\n    - misc\n    - V-72295\n\n- name: Check for postfix configuration file\n  ansible.builtin.stat:\n    path: /etc/postfix/main.cf\n  register: postfix_conf_check\n  tags:\n    - always\n\n- name: V-72297 - Prevent unrestricted mail relaying\n  ansible.builtin.lineinfile:\n    dest: /etc/postfix/main.cf\n    regexp: \"^smtpd_client_restrictions\"\n    line: \"smtpd_client_restrictions = permit_mynetworks, reject\"\n  when:\n    - postfix_conf_check.stat.exists\n    - security_rhel7_restrict_mail_relaying | bool\n  tags:\n    - medium\n    - misc\n    - V-72297\n\n- name: Check for TFTP server configuration file\n  ansible.builtin.stat:\n    path: /etc/xinetd.d/tftp\n  register: tftp_config_check\n  check_mode: false\n  tags:\n    - always\n\n- name: Check TFTP configuration mode\n  ansible.builtin.command: \"grep server_args /etc/xinetd.d/tftp\"\n  register: tftp_secure_check\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  when:\n    - tftp_config_check.stat.exists\n  tags:\n    - always\n\n- name: V-72305 - TFTP must be configured to operate in secure mode\n  ansible.builtin.debug:\n    msg: TFTP must be configured to run in secure mode with the '-s' flag.\n  when:\n    - tftp_config_check.stat.exists\n    - \"'-s' not in tftp_secure_check.stdout\"\n  tags:\n    - medium\n    - misc\n    - V-72305\n\n- name: Check to see if snmpd config contains public/private\n  ansible.builtin.command: 'grep -E \"^[^#].*(public|private)\" /etc/snmp/snmpd.conf'\n  register: snmp_public_private_check\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: V-72313 - Change SNMP community strings from default.\n  ansible.builtin.debug:\n    msg: >\n      Change the SNMP community strings from the defaults of 'public' and\n      'private' to meet the requirements of V-72313.\n  when:\n    - snmp_public_private_check.rc == 0\n  tags:\n    - high\n    - misc\n    - V-72313\n","created":"2025-12-14T10:14:36.468813Z","updated":"2025-12-14T10:14:36.468826Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/misc.yml"}