{"id":180,"sha1":"50f82a86e91fa0c9f38d172b4bdf176ee154c44c","playbook":{"id":2,"items":{"plays":18,"tasks":608,"results":2412,"hosts":15,"files":158,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:40:18.992997Z","ended":"2025-12-08T13:50:25.791366Z","duration":"00:10:06.798369","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2015, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## STIG version selection\n# The RHEL 7 STIG content first appeared in the Ocata release and is compatible\n# with the following operating systems:\n#\n#  * CentOS 8\n#  * Debian Buster\n#  * Fedora 27\n#  * Ubuntu Bionic\n#  * Ubuntu Focal\n#\n# Valid options: rhel7\nstig_version: rhel7\n\n## APT Cache Options\n# This variable is used across multiple OpenStack-Ansible roles to handle the\n# apt cache updates as efficiently as possible.\ncache_timeout: 600\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\nsecurity_package_state: present\n\n## EPEL\n# Set the following variable to `no` to prevent the EPEL repository from being\n# installed by the role. This may prevent certain packages from installing,\n# such as ClamAV.\nsecurity_epel_install_repository: true\n#\n# Some deployers install a customized EPEL package that redirects servers to\n# their internal EPEL mirrors. Provide the name of the EPEL repository package\n# (epel-release by default on CentOS) or a URL to an EPEL release RPM file.\nsecurity_epel_release_package: epel-release\n\n###############################################################################\n#  ____  _   _ _____ _       _____   ____ _____ ___ ____\n# |  _ \\| | | | ____| |     |___  | / ___|_   _|_ _/ ___|\n# | |_) | |_| |  _| | |        / /  \\___ \\ | |  | | |  _\n# |  _ <|  _  | |___| |___    / /    ___) || |  | | |_| |\n# |_| \\_\\_| |_|_____|_____|  /_/    |____/ |_| |___\\____|\n#\n# The following options are specific to the RHEL 7 STIG. For details on each\n# option, refer to the ansible-hardening documentation:\n#\n#   https://docs.openstack.org/ansible-hardening/latest/domains.html\n#\n###############################################################################\n\n## Accounts (accounts)\n# Set minimum password lifetime to 1 day for interactive accounts.\nsecurity_set_minimum_password_lifetime: false # V-71927\nsecurity_set_maximum_password_lifetime: false # V-71931\n\n## AIDE (aide)\n# Initialize the AIDE database immediately (may take time).\nsecurity_rhel7_initialize_aide: false # V-71973\nsecurity_rhel7_enable_aide: true\n\n# The default Ubuntu configuration for AIDE will cause it to wander into some\n# terrible places on the system, such as /var/lib/lxc and images in /opt.\n# The following three default exclusions are highly recommended for AIDE to\n# work properly, but additional exclusions can be added to this list if needed.\nsecurity_aide_exclude_dirs:\n  - /openstack\n  - /opt\n  - /run\n  - /var\n\n## Audit daemon (auditd)\n# Send audit records to a different system using audisp.\n# security_audisp_remote_server: '10.0.21.1'                  # V-72083\n# Encrypt audit records when they are transmitted over the network.\n# security_audisp_enable_krb5: yes                            # V-72085\n# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!\nsecurity_rhel7_audit_failure_flag: 1 # V-72081\n# Set the action to take when the disk is full or network events cannot be sent.\nsecurity_rhel7_auditd_disk_full_action: syslog # V-72087\nsecurity_rhel7_auditd_network_failure_action: syslog # V-72087\n# Size of remaining disk space (in MB) that triggers alerts.\nsecurity_rhel7_auditd_space_left: >- # V-72089\n  {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}\n# Action to take when the space_left threshold is reached.\nsecurity_rhel7_auditd_space_left_action: email # V-72091\n# Send auditd email alerts to this user.\nsecurity_rhel7_auditd_action_mail_acct: root # V-72093\n# Add audit rules for commands/syscalls.\nsecurity_rhel7_audit_chsh: true # V-72167\nsecurity_rhel7_audit_chage: true # V-72155\nsecurity_rhel7_audit_chcon: true # V-72139\nsecurity_rhel7_audit_chmod: false # V-72105\nsecurity_rhel7_audit_chown: false # V-72097\nsecurity_rhel7_audit_creat: \"{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}\" # V-72123\nsecurity_rhel7_audit_crontab: true # V-72183\nsecurity_rhel7_audit_delete_module: true # V-72189\nsecurity_rhel7_audit_fchmod: false # V-72107\nsecurity_rhel7_audit_fchmodat: false # V-72109\nsecurity_rhel7_audit_fchown: false # V-72099\nsecurity_rhel7_audit_fchownat: false # V-72103\nsecurity_rhel7_audit_fremovexattr: false # V-72119\nsecurity_rhel7_audit_fsetxattr: false # V-72113\nsecurity_rhel7_audit_ftruncate: true # V-72133\nsecurity_rhel7_audit_init_module: true # V-72187\nsecurity_rhel7_audit_gpasswd: true # V-72153\nsecurity_rhel7_audit_lchown: false # V-72101\nsecurity_rhel7_audit_lremovexattr: false # V-72121\nsecurity_rhel7_audit_lsetxattr: false # V-72115\nsecurity_rhel7_audit_mount: true # V-72171\nsecurity_rhel7_audit_newgrp: true # V-72165\nsecurity_rhel7_audit_open: \"{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}\" # V-72125\nsecurity_rhel7_audit_openat: true # V-72127\nsecurity_rhel7_audit_open_by_handle_at: true # V-72129\nsecurity_rhel7_audit_pam_timestamp_check: true # V-72185\nsecurity_rhel7_audit_passwd: true # V-72149\nsecurity_rhel7_audit_postdrop: true # V-72175\nsecurity_rhel7_audit_postqueue: true # V-72177\nsecurity_rhel7_audit_removexattr: false # V-72117\nsecurity_rhel7_audit_rename: \"{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}\" # V-72199\nsecurity_rhel7_audit_renameat: true # V-72201\nsecurity_rhel7_audit_restorecon: true # V-72141\nsecurity_rhel7_audit_rmdir: \"{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}\" # V-72203\nsecurity_rhel7_audit_semanage: true # V-72135\nsecurity_rhel7_audit_setsebool: true # V-72137\nsecurity_rhel7_audit_setxattr: false # V-72111\nsecurity_rhel7_audit_ssh_keysign: true # V-72179\nsecurity_rhel7_audit_su: true # V-72159\nsecurity_rhel7_audit_sudo: true # V-72161\nsecurity_rhel7_audit_sudoedit: true # V-72169\nsecurity_rhel7_audit_truncate: true # V-72131\nsecurity_rhel7_audit_umount: true # V-72173\nsecurity_rhel7_audit_unix_chkpwd: true # V-72151\nsecurity_rhel7_audit_unlink: \"{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}\" # V-72205\nsecurity_rhel7_audit_unlinkat: true # V-72207\nsecurity_rhel7_audit_userhelper: true # V-72157\n# Add audit rules for other events.\nsecurity_rhel7_audit_account_access: true # V-72143\nsecurity_rhel7_audit_sudo_config_changes: true # V-72163\nsecurity_rhel7_audit_insmod: true # V-72191\nsecurity_rhel7_audit_rmmod: true # V-72193\nsecurity_rhel7_audit_modprobe: true # V-72195\nsecurity_rhel7_audit_account_actions: true # V-72197\n\n## Authentication (auth)\n# Check if sudoers has the NOPASSWD rule enabled\nsecurity_sudoers_nopasswd_check_enable: true\n\n# Disallow logins from accounts with blank/null passwords via PAM.\nsecurity_disallow_blank_password_login: true # V-71937\n# Apply password quality rules.\n# NOTE: The security_pwquality_apply_rules variable is a \"master switch\".\n# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of\n# the password quality rules. Each rule can be disabled with a value of 'no'.\nsecurity_pwquality_apply_rules: false\nsecurity_pwquality_require_uppercase: true # V-71903\nsecurity_pwquality_require_lowercase: true # V-71905\nsecurity_pwquality_require_numeric: true # V-71907\nsecurity_pwquality_require_special: true # V-71909\nsecurity_pwquality_require_characters_changed: true # V-71911\nsecurity_pwquality_require_character_classes_changed: true # V-71913\nsecurity_pwquality_limit_repeated_characters: true # V-71915\nsecurity_pwquality_limit_repeated_character_classes: true # V-71917\nsecurity_pwquality_require_minimum_password_length: false # V-71935\n# Use pwquality when passwords are changed or established.\nsecurity_enable_pwquality_password_set: false # V-73159\n# Ensure passwords are stored using SHA512.\nsecurity_password_encrypt_method: SHA512 # V-71921\n# Ensure user/group admin utilities only store encrypted passwords.\nsecurity_libuser_crypt_style_sha512: true # V-71923\n# Set a minimum/maximum lifetime limit for user passwords.\n# security_password_min_lifetime_days: 1                      # V-71925\n# security_password_max_lifetime_days: 60                     # V-71929\n# Set a delay (in seconds) between failed login attempts.\nsecurity_shadow_utils_fail_delay: 4 # V-71951\n# Set a umask for all authenticated users.\n# security_shadow_utils_umask: '077'                         # V-71995\n# Create home directories for new users by default.\nsecurity_shadow_utils_create_home: true # V-72013\n# How many old user password to remember to prevent password re-use.\n# security_password_remember_password: 5                      # V-71933\n# Disable user accounts if the password expires.\nsecurity_disable_account_if_password_expires: false # V-71941\n# Lock user accounts with excessive login failures. See documentation.\nsecurity_pam_faillock_enable: false # V-71945 / V-71943 / RHEL-07-010373\nsecurity_pam_faillock_interval: 900\nsecurity_pam_faillock_attempts: 3\nsecurity_pam_faillock_deny_root: true # RHEL-07-010373\nsecurity_pam_faillock_unlock_time: 604800 # V-71943\n# Limit the number of concurrent connections per account.\n# security_rhel7_concurrent_session_limit: 10                 # V-72217\n# Remove .shosts and shosts.equiv files.\nsecurity_rhel7_remove_shosts_files: false # V-72277\n# Exclude these directories from the shosts files find\nsecurity_rhel7_remove_shosts_exclude_dirs:\n  - \"/sys\"\n  - \"/proc\"\n  - \"/dev\"\n## File permissions (file_perms)\n# Reset file permissions and ownership for files installed via RPM packages.\nsecurity_reset_perm_ownership: false # V-71849\n# Search for files/directories owned by invalid users or groups.\nsecurity_search_for_invalid_owner: false # V-72007\nsecurity_search_for_invalid_group_owner: false # V-72009\n# Set user/group owners on each home directory and set mode to 0750.\nsecurity_set_home_directory_permissions_and_owners: false # V-72017 / V-72019 / V-72021\n# Find all world-writable directories and display them.\nsecurity_find_world_writable_dirs: false # V-72047\n\n## Graphical interfaces (graphical)\n# Disable automatic gdm logins\nsecurity_disable_gdm_automatic_login: true # V-71953\n# Disable timed gdm logins for guests\nsecurity_disable_gdm_timed_login: true # V-71955\n# Enable session locking for graphical logins.\nsecurity_lock_session: false # V-71891\n# Set a timer (in seconds) when an inactive session is locked.\nsecurity_lock_session_inactive_delay: 900 # V-71893\n# Prevent users from modifying session lock settings.\nsecurity_lock_session_override_user: true # RHEL-07-010071\n# Lock a session (start screensaver) when a session is inactive.\nsecurity_lock_session_when_inactive: true # V-71893\n# Time after screensaver starts when user login is required.\nsecurity_lock_session_screensaver_lock_delay: 5 # V-71901\n# Enable a login banner and set the text for the banner.\nsecurity_enable_graphical_login_message: true # V-71859\nsecurity_enable_graphical_login_message_text: >\n  You are accessing a secured system and your actions will be logged along\n  with identifying information. Disconnect immediately if you are not an\n  authorized user of this system.\n\n## Linux Security Module (lsm)\n# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.\nsecurity_rhel7_enable_linux_security_module: true # V-71989 / V-71991\n\n## Miscellaneous (misc)\n# Disable the autofs service.\nsecurity_rhel7_disable_autofs: true # V-71985\n# Enable virus scanning with clamav\nsecurity_enable_virus_scanner: false # V-72213\n# Run the virus scanner update during the deployment (if scanner is deployed)\nsecurity_run_virus_scanner_update: true\n# Disable ctrl-alt-delete key sequence on the console.\nsecurity_rhel7_disable_ctrl_alt_delete: true # V-71993\n# Install and enable firewalld for iptables management.\nsecurity_enable_firewalld: false # V-72273\n# Rate limit TCP connections to 25/min and burstable to 100.\nsecurity_enable_firewalld_rate_limit: false # V-72271\nsecurity_enable_firewalld_rate_limit_per_minute: 25\nsecurity_enable_firewalld_rate_limit_burst: 100\n# Update the grub configuration.\nsecurity_enable_grub_update: true\n# Require authentication in GRUB to boot into single-user or maintenance modes.\nsecurity_require_grub_authentication: false # V-71961 / V-71963\n# The default password for grub authentication is 'secrete'.\nsecurity_grub_password_hash:\n  grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]\n# Set session timeout.\nsecurity_rhel7_session_timeout: 600 # V-72223\n# Enable chrony for NTP time synchronization.\nsecurity_rhel7_enable_chrony: true # V-72269\n# Use the following NTP servers.\nsecurity_ntp_servers:\n  - 0.pool.ntp.org\n  - 1.pool.ntp.org\n  - 2.pool.ntp.org\n  - 3.pool.ntp.org\n# NTP server options.\nsecurity_ntp_server_options: iburst\n# Configure Chrony to synchronize the hardware clock\nsecurity_ntp_sync_rtc: false\n# Chrony limits access to clients that are on certain subnets.  Adjust the\n# following subnets here to limit client access to chrony servers.\nsecurity_allowed_ntp_subnets:\n  - 10/8\n  - 192.168/16\n  - 172.16/12\n# Listen for NTP requests only on local interfaces.\nsecurity_ntp_bind_local_interfaces_only: true\n# Restrict mail relaying.\nsecurity_rhel7_restrict_mail_relaying: true # V-72297\n# Deploy a login banner.                                     # V-72225 / V-71863\nsecurity_login_banner_text: |\n  ------------------------------------------------------------------------------\n  * WARNING                                                                    *\n  * You are accessing a secured system and your actions will be logged along   *\n  * with identifying information. Disconnect immediately if you are not an     *\n  * authorized user of this system.                                            *\n  ------------------------------------------------------------------------------\n\n\n## Packages (packages)\n# Remove packages from the system as required by the STIG. Set any of these\n# to 'no' to skip their removal.\nsecurity_rhel7_remove_rsh_server: true # V-71967\nsecurity_rhel7_remove_telnet_server: true # V-72077\nsecurity_rhel7_remove_tftp_server: true # V-72301\nsecurity_rhel7_remove_xorg: true # V-72307\nsecurity_rhel7_remove_ypserv: true # V-71969\n# Automatically remove dependencies when removing packages.\nsecurity_package_clean_on_remove: false # V-71987\n# Automatically update packages.\nsecurity_rhel7_automatic_package_updates: false # V-71999\n# Install packages for multi-factor authentication.\nsecurity_install_multifactor_auth_packages: true # V-72417\nsecurity_check_package_checksums: false # V-71855\n\n## RPM (rpm)\n# Enable GPG checks for packages and repository data.\nsecurity_enable_gpgcheck_packages: true # V-71977\nsecurity_enable_gpgcheck_packages_local: true # V-71979\nsecurity_enable_gpgcheck_repo: false # V-71981\n\n## ssh server (sshd)\n# Ensure sshd is running and enabled at boot time.\nsecurity_enable_sshd: true # V-72235\n# Disallow logins from users with empty/null passwords.\nsecurity_sshd_disallow_empty_password: true # V-71939 / RHEL-07-010440\n# Disallow users from overriding the ssh environment variables.\nsecurity_sshd_disallow_environment_override: true # V-71957\n# Disallow host based authentication.\nsecurity_sshd_disallow_host_based_auth: true # V-71959\n# Set a list of allowed ssh ciphers.\nsecurity_sshd_cipher_list: \"aes128-ctr,aes192-ctr,aes256-ctr\" # V-72221\n# Specify a text file to be displayed as the banner/MOTD for all sessions.\nsecurity_sshd_banner_file: /etc/motd # V-71861 / V-72225\n# Disable dynamic MOTD banner that is provided by /run/motd.dynamic\nsecurity_sshd_dynamic_banner_disable: true\n# Set the interval for max session length and the number of intervals to allow.\nsecurity_sshd_client_alive_interval: 600 # V-72237\nsecurity_sshd_client_alive_count_max: 0 # V-72241\n# Print the last login for a user when they log in over ssh.\nsecurity_sshd_print_last_log: true # V-72245\n# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')\nsecurity_sshd_permit_root_login: false # V-72247\n# Disallow authentication using known hosts authentication.\nsecurity_sshd_disallow_known_hosts_auth: true # V-72249 / V-72239\n# Disallow rhosts authentication.\nsecurity_sshd_disallow_rhosts_auth: true # V-72243\n# Enable X11 forwarding.\nsecurity_sshd_enable_x11_forwarding: true # V-72303\n# Set the allowed ssh protocols.\nsecurity_sshd_protocol: 2 # V-72251\n# Set the list of allowed Message Authentication Codes (MACs) for ssh.\nsecurity_sshd_allowed_macs: \"hmac-sha2-256,hmac-sha2-512\" # V-72253\n# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.\nsecurity_sshd_disallow_gssapi: true # V-72259\n# Disallow compression or delay after login.\nsecurity_sshd_compression: \"delayed\" # V-72267\n# Require privilege separation at every opportunity.\nsecurity_sshd_enable_privilege_separation: false # V-72265\n# Require strict mode checking of home directory configuration files.\nsecurity_sshd_enable_strict_modes: true # V-72263\n# Disallow Kerberos authentication.\nsecurity_sshd_disable_kerberos_auth: true # V-72261\n# Disallow GSSAPI authentication.\nsecurity_sshd_disable_gssapi_auth: true # V-204598\n\n## Kernel settings (kernel)\n# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces\n# immediately and by default on new interfaces.\nsecurity_disallow_source_routed_packet_forward_ipv4: true # V-72283 / V-72285\nsecurity_disallow_source_routed_packet_forward_ipv6: true # V-72319\n# Disallow responses to IPv4 ICMP echoes sent to broadcast address.\nsecurity_disallow_echoes_broadcast_address: true # V-72287\n# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on\n# new interfaces.\nsecurity_disallow_icmp_redirects: true # V-73175 / V-72289 / V-72291 / V-72293\n# Disallow IP forwarding.\nsecurity_disallow_ip_forwarding: false # V-72309\n# Disable USB storage support.\nsecurity_rhel7_disable_usb_storage: true # V-71983\n# Disable kdump.\nsecurity_disable_kdump: true # V-72057\n# Disable Datagram Congestion Control Protocol (DCCP).\nsecurity_rhel7_disable_dccp: true # V-77821\n# Enable Address Space Layout Randomization (ASLR).\nsecurity_enable_aslr: true # V-77825\n\n###############################################################################\n#   ____            _        _ _\n#  / ___|___  _ __ | |_ _ __(_) |__\n# | |   / _ \\| '_ \\| __| '__| | '_ \\\n# | |__| (_) | | | | |_| |  | | |_) |\n#  \\____\\___/|_| |_|\\__|_|  |_|_.__/\n#\n#\n# The following configurations apply to tasks that are contributed by\n# ansible-hardening developers and may not be part of a hardening standard\n# or compliance program. For more information on the 'contrib' tasks, review\n# the documentation:\n#\n#   https://docs.openstack.org/ansible-hardening/latest/contrib.html\n#\n###############################################################################\n\n# To enable the contrib tasks, set this variable to 'yes'.\nsecurity_contrib_enabled: false\n\n# Disable IPv6.\n# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE\n# DANGER: SYSTEM. This will cause downtime for any services that depend on\n# DANGER: IPv6 network connectivity.\nsecurity_contrib_disable_ipv6: false # C-00001\n\nsecurity_sysctl_file: \"{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}\"\n","created":"2025-12-08T13:50:24.852989Z","updated":"2025-12-08T13:50:24.853002Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/defaults/main.yml"}