{"id":170,"sha1":"450dc55a711941383bc88cf0002576aba3f229cf","playbook":{"id":2,"items":{"plays":18,"tasks":608,"results":2412,"hosts":15,"files":158,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:40:18.992997Z","ended":"2025-12-08T13:50:25.791366Z","duration":"00:10:06.798369","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Verify that auditd.conf exists\n  ansible.builtin.stat:\n    path: /etc/audit/auditd.conf\n  register: auditd_conf\n  check_mode: false\n  tags:\n    - always\n\n- name: Verify that audisp-remote.conf exists\n  ansible.builtin.stat:\n    path: /etc/audisp/audisp-remote.conf\n  register: audisp_remote_conf\n  check_mode: false\n  tags:\n    - always\n\n- name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited\n  ansible.builtin.lineinfile:\n    dest: /etc/audisp/audisp-remote.conf\n    regexp: \"^(#)?remote_server\"\n    line: \"remote_server = {{ security_audisp_remote_server }}\"\n  when:\n    - security_audisp_remote_server is defined\n    - audisp_remote_conf.stat.exists\n  notify:\n    - Restart auditd\n  tags:\n    - medium\n    - auditd\n    - V-72083\n\n- name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited\n  ansible.builtin.lineinfile:\n    dest: /etc/audisp/audisp-remote.conf\n    regexp: \"^(#)?enable_krb5\"\n    line: \"enable_krb5 = yes\"\n  when:\n    - security_audisp_enable_krb5 is defined\n    - audisp_remote_conf.stat.exists\n  notify:\n    - Restart auditd\n  tags:\n    - medium\n    - auditd\n    - V-72085\n\n- name: Get valid system architectures for audit rules\n  ansible.builtin.set_fact:\n    auditd_architectures: \"{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}\"\n  check_mode: false\n  tags:\n    - always\n\n- name: Remove system default audit.rules file\n  ansible.builtin.file:\n    path: /etc/audit/rules.d/audit.rules\n    state: absent\n  when:\n    - auditd_conf.stat.exists\n  notify:\n    - Generate auditd rules\n  tags:\n    - always\n\n- name: Deploy rules for auditd based on STIG requirements\n  ansible.builtin.template:\n    src: osas-auditd-rhel7.j2\n    dest: /etc/audit/rules.d/osas-auditd-rhel7.rules\n    mode: \"0644\"\n  when:\n    - auditd_conf.stat.exists\n  notify:\n    - Generate auditd rules\n  tags:\n    - auditd\n    - V-72167\n    - V-72155\n    - V-72139\n    - V-72105\n    - V-72097\n    - V-72123\n    - V-72183\n    - V-72189\n    - V-72107\n    - V-72109\n    - V-72099\n    - V-72103\n    - V-72119\n    - V-72113\n    - V-72133\n    - V-72187\n    - V-72153\n    - V-72101\n    - V-72121\n    - V-72115\n    - V-72171\n    - V-72165\n    - V-72125\n    - V-72127\n    - V-72129\n    - V-72185\n    - V-72149\n    - V-72175\n    - V-72177\n    - V-72117\n    - V-72199\n    - V-72201\n    - V-72141\n    - V-72203\n    - V-72135\n    - V-72137\n    - V-72111\n    - V-72179\n    - V-72159\n    - V-72161\n    - V-72169\n    - V-72131\n    - V-72173\n    - V-72151\n    - V-72205\n    - V-72207\n    - V-72157\n    - V-72143\n    - V-72163\n    - V-72191\n    - V-72193\n    - V-72195\n    - V-72197\n    - V-72081\n\n- name: Adjust auditd/audispd configurations\n  ansible.builtin.lineinfile:\n    dest: \"{{ item.config }}\"\n    regexp: \"^#?{{ item.parameter }}\\\\s*=\"\n    line: \"{{ item.parameter }} = {{ item.value }}\"\n  with_items: \"{{ auditd_config }}\"\n  when:\n    - auditd_conf.stat.exists\n    - audisp_remote_conf.stat.exists\n  notify:\n    - Restart auditd\n  tags:\n    - high\n    - auditd\n    - V-72087\n    - V-72089\n    - V-72091\n    - V-72093\n\n- name: Ensure auditd is running and enabled at boot time\n  ansible.builtin.service:\n    name: auditd\n    state: started\n    enabled: true\n  when:\n    - auditd_conf.stat.exists\n  tags:\n    - high\n    - auditd\n    - V-72079\n","created":"2025-12-08T13:49:52.563850Z","updated":"2025-12-08T13:49:52.563867Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/auditd.yml"}