{"id":175,"sha1":"4f38ad212e147f672e8eecdff78f138ff25bac64","playbook":{"id":2,"items":{"plays":18,"tasks":603,"results":2357,"hosts":15,"files":157,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:04:43.190296Z","ended":"2025-12-14T10:14:53.851603Z","duration":"00:10:10.661307","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Copy login warning banner\n  ansible.builtin.copy:\n    content: \"{{ security_login_banner_text }}\"\n    dest: \"{{ security_sshd_banner_file }}\"\n    owner: root\n    group: root\n    mode: \"0644\"\n  tags:\n    - high\n    - sshd\n    - V-71861\n    - V-72225\n\n- name: Drop options from SSH config that we manage\n  ansible.builtin.lineinfile:\n    path: /etc/ssh/sshd_config\n    state: absent\n    regexp: \"^{{ item.name }}\\\\s+(?!{{ item.value }})\"\n    validate: \"/usr/sbin/sshd -T -f %s\"\n  with_items: \"{{ sshd_settings_rhel7 | selectattr('enabled') }}\"\n  notify:\n    - Restart ssh\n  tags:\n    - high\n    - sshd\n    - V-71939\n    - V-71957\n    - V-71959\n    - V-72221\n    - V-72225\n    - V-72237\n    - V-72241\n    - V-72245\n    - V-72247\n    - V-72249\n    - V-72243\n    - V-72243\n    - V-72303\n    - V-72251\n    - V-72253\n    - V-72265\n    - V-72267\n    - V-72261\n    - V-72263\n\n- name: Adjust ssh server configuration based on STIG requirements\n  ansible.builtin.blockinfile:\n    dest: /etc/ssh/sshd_config\n    state: present\n    marker: \"# {mark} MANAGED BY ANSIBLE-HARDENING\"\n    insertbefore: \"BOF\"\n    validate: \"/usr/sbin/sshd -T -f %s\"\n    block: |-\n      {% set options = sshd_settings_rhel7 | selectattr('enabled') %}\n      {% for option in options %}\n      # {{ option['stig_id'] }}\n      {{ option['name'] ~ ' ' ~ option['value'] }}\n      {% endfor %}\n  notify:\n    - Restart ssh\n  tags:\n    - high\n    - sshd\n    - V-71939\n    - V-71957\n    - V-71959\n    - V-72221\n    - V-72225\n    - V-72237\n    - V-72241\n    - V-72245\n    - V-72247\n    - V-72249\n    - V-72243\n    - V-72243\n    - V-72303\n    - V-72251\n    - V-72253\n    - V-72265\n    - V-72267\n    - V-72261\n    - V-72263\n\n- name: Ensure sshd is enabled at boot time\n  ansible.builtin.service:\n    name: \"{{ ssh_service }}\"\n    enabled: true\n  when:\n    - security_enable_sshd | bool\n  tags:\n    - medium\n    - sshd\n    - V-72235\n\n- name: Determine existing public ssh host keys\n  ansible.builtin.shell: ls /etc/ssh/*.pub\n  register: public_ssh_host_keys\n  # The shell command will always report 'changed' so we need to\n  # ignore that since this role is supposed to be idempotent.\n  changed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: Public host key files must have mode 0644 or less\n  ansible.builtin.file:\n    path: \"{{ item }}\"\n    mode: \"u-xX,g-wxs,o-wxt\"\n  with_items:\n    - \"{{ public_ssh_host_keys.stdout_lines | default([]) }}\"\n  tags:\n    - medium\n    - sshd\n    - V-72255\n\n- name: Determine existing private ssh host keys\n  ansible.builtin.shell: ls /etc/ssh/*_key\n  register: private_ssh_host_keys\n  # The shell command will always report 'changed' so we need to\n  # ignore that since this role is supposed to be idempotent\n  changed_when: false\n  check_mode: false\n  tags:\n    - always\n\n- name: Private host key files must have mode 0600 or less\n  ansible.builtin.file:\n    path: \"{{ item }}\"\n    mode: \"u-xX,g-rwxs,o-rwxt\"\n  with_items:\n    - \"{{ private_ssh_host_keys.stdout_lines | default([]) }}\"\n  tags:\n    - medium\n    - sshd\n    - V-72257\n\n- name: Manage motd in pam.d\n  ansible.builtin.replace:\n    path: /etc/pam.d/sshd\n    regexp: \"^(#\\\\s)?(session\\\\s*optional\\\\s*pam_motd.so.*)$\"\n    replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary(\"# \\2\", \"\\2\") }}'\n  when: security_sshd_dynamic_banner_disable | bool\n","created":"2025-12-14T10:14:45.996855Z","updated":"2025-12-14T10:14:45.996867Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/sshd.yml"}