{"id":152,"sha1":"5bd5fa8210de1d97fa86ee64e6565c7d4ee919fb","playbook":{"id":2,"items":{"plays":18,"tasks":316,"results":313,"hosts":2,"files":136,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:27:39.675908Z","ended":"2025-12-08T13:33:13.621332Z","duration":"00:05:33.945424","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Check apparmor_status output\n  ansible.builtin.command: apparmor_status\n  register: apparmor_status_output\n  check_mode: false\n  changed_when: false\n  failed_when: false\n  when:\n    - ansible_facts['pkg_mgr'] in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): The systemd unit file for apparmor just calls an old SysV\n# init script and exits. It's not possible to ask systemd if apparmor is\n# running and if we tell systemd to start apparmor, it will tell us that it\n# started apparmor each time. This breaks idempotency and we check\n# systemd's status directly as an alternative.\n- name: Check if apparmor is running\n  ansible.builtin.command: \"systemctl status apparmor\"\n  register: systemctl_apparmor_status\n  check_mode: false\n  changed_when: false\n  failed_when: false\n  when:\n    - ansible_facts['pkg_mgr'] in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n  tags:\n    - high\n    - V-71989\n\n- name: Ensure AppArmor is enabled at boot time\n  ansible.builtin.service:\n    name: apparmor\n    enabled: true\n  when:\n    - ansible_facts['pkg_mgr'] in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n    - not check_mode\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): Since the AppArmor systemd unit calls a SysV init script, the\n# unit will always say AppArmor is dead. This means that the following task\n# will always start the unit every time it runs (which breaks idempotency).\n- name: Ensure AppArmor is running\n  ansible.builtin.service:\n    name: apparmor\n    state: started\n  changed_when:\n    - '\"active (exited)\" not in systemctl_apparmor_status.stdout'\n  when:\n    - ansible_facts['pkg_mgr'] in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n    - not check_mode\n    - '\"apparmor filesystem is not mounted\" not in apparmor_status_output.stderr'\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): The \"changed_when\" is required here because this task will\n# always show as changed when SELinux is completely disabled. It's not possible\n# to switch to permissive/enforcing in an online way when SELinux is completely\n# disabled at boot time.\n- name: Ensure SELinux is in enforcing mode on the next reboot\n  ansible.posix.selinux:\n    state: enforcing\n    policy: targeted\n  register: selinux_status_change\n  changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled'\n  when:\n    - ansible_facts['os_family'] == \"RedHat\"\n    - security_rhel7_enable_linux_security_module | bool\n  tags:\n    - high\n    - V-71989\n    - V-71991\n\n- name: Relabel files on next boot if SELinux mode changed\n  ansible.builtin.file:\n    path: /.autorelabel\n    state: touch\n    mode: \"0644\"\n  when:\n    - ansible_facts['os_family'] == \"RedHat\"\n    - security_rhel7_enable_linux_security_module | bool\n    - selinux_status_change is changed\n  tags:\n    - high\n    - V-71989\n    - V-71991\n\n# NOTE(mhayden): Ansible's find module doesn't support searching for files\n# based on SELinux contexts yet.\n- name: Check for unlabeled device files\n  ansible.builtin.command: \"find /dev -context '*unlabeled_t*'\"\n  register: unlabeled_devices\n  changed_when: false\n  check_mode: false\n  when:\n    - ansible_facts['os_family'] == 'RedHat'\n    - ansible_facts['selinux']['status'] == 'enabled'\n  tags:\n    - lsm\n    - medium\n    - V-72039\n\n- name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification.\n  ansible.builtin.debug:\n    msg: |\n      Devices were found without SELinux labels:\n      {% for device in unlabeled_devices.stdout_lines %}\n      {{ device }}\n      {% endfor %}\n  when:\n    - ansible_facts['os_family'] == 'RedHat'\n    - unlabeled_devices.stdout is defined\n    - unlabeled_devices.stdout | length > 0\n  tags:\n    - lsm\n    - medium\n    - V-72039\n","created":"2025-12-08T13:32:40.358527Z","updated":"2025-12-08T13:32:40.358556Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/lsm.yml"}