{"id":174,"sha1":"6e8f05d314f2f4d3873fd7c9ef3bc7934bd49c86","playbook":{"id":2,"items":{"plays":18,"tasks":608,"results":2412,"hosts":15,"files":158,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:40:18.992997Z","ended":"2025-12-08T13:50:25.791366Z","duration":"00:10:06.798369","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: V-71983 - USB mass storage must be disabled.\n  ansible.builtin.lineinfile:\n    dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf\n    line: install usb-storage /bin/true\n    create: true\n    mode: \"0644\"\n  when:\n    - security_rhel7_disable_usb_storage | bool\n  tags:\n    - kernel\n    - medium\n    - V-71983\n\n- name: Set sysctl configurations\n  ansible.posix.sysctl:\n    name: \"{{ item.name }}\"\n    value: \"{{ item.value }}\"\n    state: \"{{ item.enabled | ternary('present', 'absent') }}\"\n    sysctl_file: \"{{ security_sysctl_file }}\"\n    reload: true\n  when:\n    - item.enabled | bool\n  with_items: \"{{ sysctl_settings_rhel7 }}\"\n  tags:\n    - medium\n    - kernel\n    - V-72283\n    - V-72285\n    - V-72287\n    - V-72289\n    - V-73175\n    - V-72291\n    - V-72293\n    - V-72309\n    - V-72319\n    - C-00001\n\n- name: Check kdump service\n  ansible.builtin.command: systemctl status kdump\n  register: kdump_service_check\n  failed_when: kdump_service_check.rc not in [0,3,4]\n  changed_when: false\n  check_mode: false\n  tags:\n    - kernel\n    - medium\n    - V-72057\n\n- name: V-72057 - Kernel core dumps must be disabled unless needed.\n  ansible.builtin.service:\n    name: kdump\n    state: stopped\n    enabled: false\n  when:\n    - kdump_service_check.rc not in [3,4]\n    - security_disable_kdump\n  tags:\n    - kernel\n    - medium\n    - V-72057\n\n- name: Check if FIPS is enabled\n  ansible.builtin.command: cat /proc/sys/crypto/fips_enabled\n  register: fips_check\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  when:\n    - ansible_facts['pkg_mgr'] == 'dnf'\n  tags:\n    - always\n\n- name: Print a warning if FIPS isn't enabled\n  ansible.builtin.debug:\n    msg: >\n      FIPS is not enabled at boot time on this server.\n      The STIG requires FIPS to be enabled at boot time.\n  when:\n    - ansible_facts['pkg_mgr'] == 'dnf'\n    - fips_check is defined\n    - fips_check.stdout != '1'\n  tags:\n    - high\n    - misc\n    - V-72067\n\n- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled\n  ansible.builtin.copy:\n    src: ansible-hardening-disable-dccp.conf\n    dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf\n    mode: \"0644\"\n  when:\n    - security_rhel7_disable_dccp | bool\n  tags:\n    - kernel\n    - medium\n    - V-77821\n","created":"2025-12-08T13:50:03.156453Z","updated":"2025-12-08T13:50:03.156464Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/kernel.yml"}