Playbook #2
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml
Execution
Date 14 Dec 2025 10:04:43 +0000
Duration 00:10:10.66
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.13.5
Summary
15 Hosts
603 Tasks
2357 Results
18 Plays
157 Files
0 Records
check:False tags:all

Hosts 15
aio1
252 104 145
aio1-cinder-api-container-9cd182a1
109 54 39
aio1-galera-container-ee6a63f1
109 54 39
aio1-glance-container-45b22622
109 54 39
aio1-horizon-container-6bea000f
109 54 39
aio1-keystone-container-6e7ba614
109 54 39
aio1-memcached-container-d9c9a864
109 54 39
aio1-neutron-ovn-northd-container-7d70d4d9
109 54 39
aio1-neutron-server-container-987d5a37
112 55 39
aio1-nova-api-container-01d1027c
109 54 39
aio1-placement-container-f07ca565
109 54 39
aio1-rabbit-mq-container-fe40cd53
109 54 39
aio1-repo-container-3917d96e
109 54 39
aio1-utility-container-4cf31764
109 54 39
localhost
36 21 11
Files 157
Records

No saved records found.

Learn more about saving key/values with ara_record in the documentation.





Report Status
Date
Duration
Host Action Task Tags Notes
OK 14 Dec 2025 10:14:52 +0000 00:00:00.16 aio1 ansible.builtin.command ansible-hardening : Generate auditd rules 1
CHANGED 14 Dec 2025 10:14:52 +0000 00:00:00.31 aio1 ansible.builtin.service ansible-hardening : Restart ssh 1
SKIPPED 14 Dec 2025 10:14:51 +0000 00:00:00.01 aio1 ansible.builtin.include_tasks ansible-hardening : Including contrib tasks 1
OK 14 Dec 2025 10:14:51 +0000 00:00:00.14 aio1 ansible.builtin.file ansible-hardening : Remove the temporary directory 2
CHANGED 14 Dec 2025 10:14:51 +0000 00:00:00.21 aio1 ansible.builtin.replace ansible-hardening : Manage motd in pam.d 1
OK 14 Dec 2025 10:14:50 +0000 00:00:00.40 aio1 ansible.builtin.file ansible-hardening : Private host key files must have mode 0600 or less 4
OK 14 Dec 2025 10:14:50 +0000 00:00:00.14 aio1 ansible.builtin.shell ansible-hardening : Determine existing private ssh host keys 2
OK 14 Dec 2025 10:14:50 +0000 00:00:00.41 aio1 ansible.builtin.file ansible-hardening : Public host key files must have mode 0644 or less 4
OK 14 Dec 2025 10:14:49 +0000 00:00:00.15 aio1 ansible.builtin.shell ansible-hardening : Determine existing public ssh host keys 2
OK 14 Dec 2025 10:14:49 +0000 00:00:00.27 aio1 ansible.builtin.service ansible-hardening : Ensure sshd is enabled at boot time 4
CHANGED 14 Dec 2025 10:14:49 +0000 00:00:00.16 aio1 ansible.builtin.blockinfile ansible-hardening : Adjust ssh server configuration based on STIG requirements 21
CHANGED 14 Dec 2025 10:14:46 +0000 00:00:02.42 aio1 ansible.builtin.lineinfile ansible-hardening : Drop options from SSH config that we manage 21
CHANGED 14 Dec 2025 10:14:46 +0000 00:00:00.33 aio1 ansible.builtin.copy ansible-hardening : Copy login warning banner 5
SKIPPED 14 Dec 2025 10:14:45 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : V-72313 - Change SNMP community strings from default. 4
OK 14 Dec 2025 10:14:45 +0000 00:00:00.14 aio1 ansible.builtin.command ansible-hardening : Check to see if snmpd config contains public/private 2
SKIPPED 14 Dec 2025 10:14:45 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : V-72305 - TFTP must be configured to operate in secure mode 4
SKIPPED 14 Dec 2025 10:14:45 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Check TFTP configuration mode 2
OK 14 Dec 2025 10:14:44 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check for TFTP server configuration file 2
SKIPPED 14 Dec 2025 10:14:44 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : V-72297 - Prevent unrestricted mail relaying 4
OK 14 Dec 2025 10:14:44 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check for postfix configuration file 2
SKIPPED 14 Dec 2025 10:14:44 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : V-72295 - Network interfaces must not be in promiscuous mode. 4
OK 14 Dec 2025 10:14:44 +0000 00:00:00.14 aio1 ansible.builtin.shell ansible-hardening : Check for interfaces in promiscuous mode 2
OK 14 Dec 2025 10:14:43 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72281 - For systems using DNS resolution, at least two name servers must be configured. 4
OK 14 Dec 2025 10:14:43 +0000 00:00:00.14 aio1 command ansible-hardening : Count nameserver entries in /etc/resolv.conf 3
SKIPPED 14 Dec 2025 10:14:43 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Limit new TCP connections to 25/minute and allow bursting to 100 4
SKIPPED 14 Dec 2025 10:14:43 +0000 00:00:00.01 aio1 ansible.builtin.service ansible-hardening : Ensure firewalld is running and enabled 4
OK 14 Dec 2025 10:14:43 +0000 00:00:00.16 aio1 ansible.builtin.command ansible-hardening : Check firewalld status 2
SKIPPED 14 Dec 2025 10:14:42 +0000 00:00:00.01 aio1 ansible.builtin.template ansible-hardening : V-72269 - Synchronize system clock (configuration file) 4
OK 14 Dec 2025 10:14:42 +0000 00:00:00.16 aio1 ansible.builtin.stat ansible-hardening : Check if chrony configuration file exists 2
SKIPPED 14 Dec 2025 10:14:42 +0000 00:00:00.01 aio1 ansible.builtin.service ansible-hardening : Start and enable chrony 4
CHANGED 14 Dec 2025 10:14:42 +0000 00:00:00.14 aio1 ansible.builtin.blockinfile ansible-hardening : V-72223 - Set 10 minute timeout on communication sessions 4
SKIPPED 14 Dec 2025 10:14:41 +0000 00:00:00.01 aio1 ansible.builtin.service ansible-hardening : Ensure ClamAV is running 3
SKIPPED 14 Dec 2025 10:14:41 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Update ClamAV database 3
OK 14 Dec 2025 10:14:41 +0000 00:00:00.16 aio1 ansible.builtin.shell ansible-hardening : Check if ClamAV update process is already running 2
SKIPPED 14 Dec 2025 10:14:41 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : Allow automatic freshclam updates 3
SKIPPED 14 Dec 2025 10:14:41 +0000 00:00:00.01 aio1 ansible.builtin.file ansible-hardening : Ensure ClamAV socket directory exists 3
SKIPPED 14 Dec 2025 10:14:41 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : Set ClamAV server type as socket 3
SKIPPED 14 Dec 2025 10:14:40 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : Remove 'Example' line from ClamAV configuration files 3
OK 14 Dec 2025 10:14:40 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check if ClamAV is installed 2
OK 14 Dec 2025 10:14:40 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72209 - The system must send rsyslog output to a log aggregation server. 4
OK 14 Dec 2025 10:14:40 +0000 00:00:00.14 aio1 ansible.builtin.command ansible-hardening : Check if syslog output is being sent to another server 2
OK 14 Dec 2025 10:14:39 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : Check for /tmp on mounted filesystem 4
OK 14 Dec 2025 10:14:39 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : Check for /var/log/audit on mounted filesystem 4
OK 14 Dec 2025 10:14:39 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : Check for /var on mounted filesystem 4
OK 14 Dec 2025 10:14:39 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : Check for /home on mounted filesystem 4
CHANGED 14 Dec 2025 10:14:37 +0000 00:00:01.83 aio1 ansible.builtin.systemd ansible-hardening : V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled 4
OK 14 Dec 2025 10:14:37 +0000 00:00:00.27 aio1 ansible.builtin.systemd ansible-hardening : V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled 4
SKIPPED 14 Dec 2025 10:14:36 +0000 00:00:00.01 aio1 ansible.builtin.service ansible-hardening : V-71985 - File system automounter must be disabled unless required. 4
OK 14 Dec 2025 10:14:36 +0000 00:00:00.15 aio1 ansible.builtin.command ansible-hardening : Check autofs service 2
SKIPPED 14 Dec 2025 10:14:36 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : V-72039 - All system device files must be correctly labeled to prevent unauthorized modification. 4
SKIPPED 14 Dec 2025 10:14:36 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Check for unlabeled device files 4
SKIPPED 14 Dec 2025 10:14:36 +0000 00:00:00.01 aio1 ansible.builtin.file ansible-hardening : Relabel files on next boot if SELinux mode changed 4
SKIPPED 14 Dec 2025 10:14:35 +0000 00:00:00.01 aio1 ansible.posix.selinux ansible-hardening : Ensure SELinux is in enforcing mode on the next reboot 4
OK 14 Dec 2025 10:14:35 +0000 00:00:00.25 aio1 ansible.builtin.service ansible-hardening : Ensure AppArmor is running 3
OK 14 Dec 2025 10:14:35 +0000 00:00:00.28 aio1 ansible.builtin.service ansible-hardening : Ensure AppArmor is enabled at boot time 3
OK 14 Dec 2025 10:14:34 +0000 00:00:00.16 aio1 ansible.builtin.command ansible-hardening : Check if apparmor is running 3
OK 14 Dec 2025 10:14:34 +0000 00:00:00.16 aio1 ansible.builtin.command ansible-hardening : Check apparmor_status output 3
CHANGED 14 Dec 2025 10:14:34 +0000 00:00:00.33 aio1 ansible.builtin.copy ansible-hardening : V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled 4
SKIPPED 14 Dec 2025 10:14:33 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : Print a warning if FIPS isn't enabled 4
SKIPPED 14 Dec 2025 10:14:33 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Check if FIPS is enabled 2
SKIPPED 14 Dec 2025 10:14:33 +0000 00:00:00.01 aio1 ansible.builtin.service ansible-hardening : V-72057 - Kernel core dumps must be disabled unless needed. 4
OK 14 Dec 2025 10:14:33 +0000 00:00:00.15 aio1 ansible.builtin.command ansible-hardening : Check kdump service 4
CHANGED 14 Dec 2025 10:14:30 +0000 00:00:02.15 aio1 ansible.posix.sysctl ansible-hardening : Set sysctl configurations 13
CHANGED 14 Dec 2025 10:14:30 +0000 00:00:00.14 aio1 ansible.builtin.lineinfile ansible-hardening : V-71983 - USB mass storage must be disabled. 4
SKIPPED 14 Dec 2025 10:14:30 +0000 00:00:00.01 aio1 ansible.builtin.template ansible-hardening : Create a GDM keyfile for machine-wide settings 4
SKIPPED 14 Dec 2025 10:14:30 +0000 00:00:00.01 aio1 ansible.builtin.copy ansible-hardening : Create a GDM profile for displaying a login banner 4
SKIPPED 14 Dec 2025 10:14:30 +0000 00:00:00.01 aio1 ansible.builtin.template ansible-hardening : Prevent users from changing graphical session locking configurations 6
SKIPPED 14 Dec 2025 10:14:29 +0000 00:00:00.01 aio1 ansible.builtin.template ansible-hardening : Configure graphical session locking 6
SKIPPED 14 Dec 2025 10:14:29 +0000 00:00:00.02 aio1 ansible.builtin.file ansible-hardening : Create dconf directories 7
SKIPPED 14 Dec 2025 10:14:29 +0000 00:00:00.01 aio1 ansible.builtin.copy ansible-hardening : Create a user profile in dconf 6
OK 14 Dec 2025 10:14:29 +0000 00:00:00.15 aio1 ansible.builtin.stat ansible-hardening : Check for dconf profiles 2
SKIPPED 14 Dec 2025 10:14:29 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : V-71955 - The operating system must not allow guest logon to the system. 4
SKIPPED 14 Dec 2025 10:14:28 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface 4
OK 14 Dec 2025 10:14:28 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check if gdm is installed and configured 1
SKIPPED 14 Dec 2025 10:14:28 +0000 00:00:00.02 aio1 ansible.builtin.file ansible-hardening : Set owner/group owner on /etc/cron.allow 5
OK 14 Dec 2025 10:14:28 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check if /etc/cron.allow exists 2
SKIPPED 14 Dec 2025 10:14:28 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group. 4
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.01 aio1 ansible.builtin.shell ansible-hardening : Find all world-writable directories 2
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.02 aio1 ansible.builtin.file ansible-hardening : Set proper owner, group owner, and permissions on home directories 6
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72009 - All files and directories must have a valid group owner. 4
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Search for files/directories with an invalid group owner 2
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.01 aio1 ansible.builtin.debug ansible-hardening : V-72007 - All files and directories must have a valid owner. 4
SKIPPED 14 Dec 2025 10:14:27 +0000 00:00:00.01 aio1 ansible.builtin.command ansible-hardening : Search for files/directories with an invalid owner 2
SKIPPED 14 Dec 2025 10:14:26 +0000 00:00:00.01 aio1 shell ansible-hardening : V-71849 - Reset file permissions/ownership to vendor values 5
SKIPPED 14 Dec 2025 10:14:26 +0000 00:00:00.01 aio1 ansible.builtin.shell ansible-hardening : V-71849 - Get packages with incorrect file permissions or ownership 4
SKIPPED 14 Dec 2025 10:14:26 +0000 00:00:00.01 aio1 ansible.builtin.file ansible-hardening : Remove .shosts or shosts.equiv files 5
SKIPPED 14 Dec 2025 10:14:26 +0000 00:00:00.01 aio1 ansible.builtin.async_status ansible-hardening : Ensure .shosts find has finished 5
OK 14 Dec 2025 10:14:26 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72275 - Display date/time of last logon after logon 4
OK 14 Dec 2025 10:14:25 +0000 00:00:00.15 aio1 ansible.builtin.command ansible-hardening : Check for pam_lastlog in PAM configuration 2
SKIPPED 14 Dec 2025 10:14:25 +0000 00:00:00.01 aio1 ansible.builtin.blockinfile ansible-hardening : V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types 4
SKIPPED 14 Dec 2025 10:14:25 +0000 00:00:00.01 aio1 ansible.builtin.lineinfile ansible-hardening : Set CLASS for grub file 5
SKIPPED 14 Dec 2025 10:14:25 +0000 00:00:00.01 aio1 ansible.builtin.blockinfile ansible-hardening : Define password options for grub 5
OK 14 Dec 2025 10:14:24 +0000 00:00:00.16 aio1 ansible.builtin.stat ansible-hardening : Check if GRUB2 custom file exists 2
OK 14 Dec 2025 10:14:24 +0000 00:00:00.14 aio1 ansible.builtin.stat ansible-hardening : Check if sssd.conf exists 2
SKIPPED 14 Dec 2025 10:14:24 +0000 00:00:00.01 aio1 debug ansible-hardening : V-71949 - Users must re-authenticate for privilege escalation 5
OK 14 Dec 2025 10:14:24 +0000 00:00:00.14 aio1 ansible.builtin.shell ansible-hardening : Check for '!authenticate' in sudoers files 4
OK 14 Dec 2025 10:14:24 +0000 00:00:00.02 aio1 debug ansible-hardening : V-71947 - Users must provide a password for privilege escalation 5
OK 14 Dec 2025 10:14:23 +0000 00:00:00.15 aio1 ansible.builtin.shell ansible-hardening : Check for 'nopasswd' in sudoers files 4
SKIPPED 14 Dec 2025 10:14:23 +0000 00:00:00.01 aio1 ansible.builtin.blockinfile ansible-hardening : Lock accounts after three failed login attempts a 15 minute period 5
SKIPPED 14 Dec 2025 10:14:23 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : Prevent users with blank or null passwords from authenticating (Red Hat) 4