{"id":150,"sha1":"d9663aceda7ea522124b7a95db3cb92e11c3ccdc","playbook":{"id":2,"items":{"plays":18,"tasks":316,"results":313,"hosts":2,"files":136,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:27:39.675908Z","ended":"2025-12-08T13:33:13.621332Z","duration":"00:05:33.945424","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Check if gdm is installed and configured\n  ansible.builtin.stat:\n    path: /etc/gdm/custom.conf\n  register: gdm_conf_check\n  check_mode: false\n\n- name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface\n  ansible.builtin.lineinfile:\n    dest: /etc/gdm/custom.conf\n    line: \"^AutomaticLoginEnable=true\"\n    state: absent\n  when:\n    - gdm_conf_check.stat.exists\n    - security_disable_gdm_automatic_login | bool\n  tags:\n    - graphical\n    - high\n    - V-71953\n\n- name: V-71955 - The operating system must not allow guest logon to the system.\n  ansible.builtin.lineinfile:\n    dest: /etc/gdm/custom.conf\n    line: \"^TimedLoginEnable=true\"\n    state: absent\n  when:\n    - gdm_conf_check.stat.exists\n    - security_disable_gdm_timed_login | bool\n  tags:\n    - graphical\n    - high\n    - V-71955\n\n- name: Check for dconf profiles\n  ansible.builtin.stat:\n    path: /etc/dconf/profile\n  register: dconf_check\n  tags:\n    - always\n\n- name: Create a user profile in dconf\n  ansible.builtin.copy:\n    src: dconf-user-profile\n    dest: /etc/dconf/profile/user\n    mode: \"0644\"\n  when:\n    - dconf_check.stat.exists\n  tags:\n    - graphical\n    - medium\n    - V-71891\n    - V-71893\n    - V-71901\n\n- name: Create dconf directories\n  ansible.builtin.file:\n    path: \"{{ item }}\"\n    state: directory\n    mode: \"0755\"\n  with_items:\n    - /etc/dconf/db/local.d/\n    - /etc/dconf/db/local.d/locks\n    - /etc/dconf/db/gdm.d/\n  when:\n    - dconf_check.stat.exists\n  tags:\n    - graphical\n    - medium\n    - V-71859\n    - V-71891\n    - V-71893\n    - V-71901\n\n- name: Configure graphical session locking\n  ansible.builtin.template:\n    src: dconf-screensaver-lock.j2\n    dest: /etc/dconf/db/local.d/00-screensaver\n    mode: \"0644\"\n  when:\n    - dconf_check.stat.exists\n  notify:\n    - Dconf update\n  tags:\n    - graphical\n    - medium\n    - V-71891\n    - V-71893\n    - V-71901\n\n- name: Prevent users from changing graphical session locking configurations\n  ansible.builtin.template:\n    src: dconf-session-user-config-lockout.j2\n    dest: /etc/dconf/db/local.d/locks/session\n    mode: \"0644\"\n  when:\n    - dconf_check.stat.exists\n  notify:\n    - Dconf update\n  tags:\n    - graphical\n    - medium\n    - V-71891\n    - V-71893\n    - V-71901\n\n- name: Create a GDM profile for displaying a login banner\n  ansible.builtin.copy:\n    src: dconf-profile-gdm\n    dest: /etc/dconf/profile/gdm\n    mode: \"0644\"\n  when:\n    - dconf_check.stat.exists\n  notify:\n    - Dconf update\n  tags:\n    - graphical\n    - medium\n    - V-71859\n\n- name: Create a GDM keyfile for machine-wide settings\n  ansible.builtin.template:\n    src: dconf-gdm-banner-message.j2\n    dest: \"{{ item }}\"\n    mode: \"0644\"\n  with_items:\n    - /etc/dconf/db/gdm.d/01-banner-message\n    - /etc/dconf/db/local.d/01-banner-message\n  when:\n    - dconf_check.stat.exists\n  notify:\n    - Dconf update\n  tags:\n    - graphical\n    - medium\n    - V-71859\n","created":"2025-12-08T13:32:31.265420Z","updated":"2025-12-08T13:32:31.265452Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/graphical.yml"}