{"id":156,"sha1":"df2e39ebadd557d259efeaab3117226531ab297a","playbook":{"id":2,"items":{"plays":18,"tasks":316,"results":313,"hosts":2,"files":136,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:27:39.675908Z","ended":"2025-12-08T13:33:13.621332Z","duration":"00:05:33.945424","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## Common variables for all distributions\n# This file contains variables that apply to all distributions that the\n# security role supports. Distribution-specific variables should be placed in:\n#\n#   - vars/redhat.yml\n#   - vars/ubuntu.yml\n\n## grub custom configuration\ngrub_custom_file: /etc/grub.d/40_custom\n## grub main linux configuration\ngrub_linux_file: /etc/grub.d/10_linux\n\n## auditd configuration\nauditd_config:\n  - parameter: disk_full_action\n    value: \"{{ security_rhel7_auditd_disk_full_action }}\"\n    config: /etc/audisp/audisp-remote.conf\n  - parameter: network_failure_action\n    value: \"{{ security_rhel7_auditd_network_failure_action }}\"\n    config: /etc/audisp/audisp-remote.conf\n  - parameter: space_left\n    value: \"{{ security_rhel7_auditd_space_left }}\"\n    config: /etc/audit/auditd.conf\n  - parameter: space_left_action\n    value: \"{{ security_rhel7_auditd_space_left_action }}\"\n    config: /etc/audit/auditd.conf\n  - parameter: action_mail_acct\n    value: \"{{ security_rhel7_auditd_action_mail_acct }}\"\n    config: /etc/audit/auditd.conf\n\n## auditd rules\n# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules\n# for various commands and syscalls.\n#\n# Each dictionary has this structure:\n#\n#   command: the command/syscall to audit (required)\n#   stig_id: the number/ID from the STIG (required)\n#   arch_specific: 'yes' if the rule depends on the architecture type,\n#                  otherwise 'no' (required)\n#   path: the path to the command (optional, default is '/usr/bin')\n#   distro: restrict deployment to a single Linux distribution (optional,\n#           should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat'\n#           or 'ubuntu')\n#\naudited_commands:\n  - command: chsh\n    stig_id: V-72167\n    arch_specific: false\n  - command: chage\n    stig_id: V-72155\n    arch_specific: false\n  - command: chcon\n    stig_id: V-72139\n    arch_specific: false\n  - command: chmod\n    stig_id: V-72105\n    arch_specific: true\n  - command: chown\n    stig_id: V-72097\n    arch_specific: true\n  - command: creat\n    stig_id: V-72123\n    arch_specific: true\n  - command: crontab\n    stig_id: V-72183\n    arch_specific: false\n  - command: delete_module\n    stig_id: V-72189\n    arch_specific: true\n  - command: fchmod\n    stig_id: V-72107\n    arch_specific: true\n  - command: fchmodat\n    stig_id: V-72109\n    arch_specific: true\n  - command: fchown\n    stig_id: V-72099\n    arch_specific: true\n  - command: fchownat\n    stig_id: V-72103\n    arch_specific: true\n  - command: fremovexattr\n    stig_id: V-72119\n    arch_specific: true\n  - command: fsetxattr\n    stig_id: V-72113\n    arch_specific: true\n  - command: ftruncate\n    stig_id: V-72133\n    arch_specific: true\n  - command: init_module\n    stig_id: V-72187\n    arch_specific: true\n  - command: gpasswd\n    stig_id: V-72153\n    arch_specific: false\n  - command: lchown\n    stig_id: V-72101\n    arch_specific: true\n  - command: lremovexattr\n    stig_id: V-72121\n    arch_specific: true\n  - command: lsetxattr\n    stig_id: V-72115\n    arch_specific: true\n  - command: mount\n    path: /bin\n    stig_id: V-72171\n    arch_specific: false\n  - command: newgrp\n    stig_id: V-72165\n    arch_specific: false\n  - command: open\n    stig_id: V-72125\n    arch_specific: true\n  - command: openat\n    stig_id: V-72127\n    arch_specific: true\n  - command: open_by_handle_at\n    stig_id: V-72129\n    arch_specific: true\n  - command: pam_timestamp_check\n    path: /sbin\n    stig_id: V-72185\n    arch_specific: false\n  - command: passwd\n    stig_id: V-72149\n    arch_specific: false\n  - command: postdrop\n    path: /usr/sbin\n    stig_id: V-72175\n    arch_specific: false\n  - command: postqueue\n    path: /usr/sbin\n    stig_id: V-72177\n    arch_specific: false\n  - command: removexattr\n    stig_id: V-72117\n    arch_specific: true\n  - command: rename\n    stig_id: V-72199\n    arch_specific: true\n  - command: renameat\n    stig_id: V-72201\n    arch_specific: true\n  - command: restorecon\n    path: /usr/sbin\n    stig_id: V-72141\n    arch_specific: false\n  - command: rmdir\n    stig_id: V-72203\n    arch_specific: true\n  - command: semanage\n    path: /usr/sbin\n    stig_id: V-72135\n    arch_specific: false\n  - command: setsebool\n    path: /usr/sbin\n    stig_id: V-72137\n    arch_specific: false\n  - command: setxattr\n    stig_id: V-72111\n    arch_specific: true\n  - command: ssh-keysign\n    path: \"{{ ssh_keysign_path }}\"\n    stig_id: V-72179\n    arch_specific: false\n  - command: su\n    path: /bin\n    stig_id: V-72159\n    arch_specific: false\n  - command: sudo\n    stig_id: V-72161\n    arch_specific: false\n  - command: sudoedit\n    path: /bin\n    stig_id: V-72169\n    arch_specific: false\n  - command: truncate\n    stig_id: V-72131\n    arch_specific: true\n  - command: umount\n    path: /bin\n    stig_id: V-72173\n    arch_specific: false\n  - command: unix_chkpwd\n    path: /sbin\n    stig_id: V-72151\n    arch_specific: false\n  - command: unlink\n    stig_id: V-72205\n    arch_specific: true\n  - command: unlinkat\n    stig_id: V-72207\n    arch_specific: true\n  - command: userhelper\n    path: /usr/sbin\n    stig_id: V-72157\n    arch_specific: false\n\n## Password quality settings\n# This variable is used in main/rhel7stig/auth.yml to set password quality\n# requirements.\n#\n# Each dictionary has this structure:\n#\n#   parameter: the pwquality parameter to set\n#   value: the value of the parameter\n#   stig_id: the STIG id number\n#   description: description of the control from the STIG\n#   enabled: whether the change should be applied\n#\npassword_quality_rhel7:\n  - parameter: ucredit\n    value: -1\n    stig_id: V-71903\n    description: \"Password must contain at least one upper-case character\"\n    enabled: \"{{ security_pwquality_require_uppercase }}\"\n  - parameter: lcredit\n    value: -1\n    stig_id: V-71905\n    description: \"Password must contain at least one lower-case character\"\n    enabled: \"{{ security_pwquality_require_lowercase }}\"\n  - parameter: dcredit\n    value: -1\n    stig_id: V-71907\n    description: \"Password must contain at least one numeric character\"\n    enabled: \"{{ security_pwquality_require_numeric }}\"\n  - parameter: ocredit\n    value: -1\n    stig_id: V-71909\n    description: \"Password must contain at least one special character\"\n    enabled: \"{{ security_pwquality_require_special }}\"\n  - parameter: difok\n    value: 8\n    stig_id: V-71911\n    description: \"Password must have at least eight characters changed\"\n    enabled: \"{{ security_pwquality_require_characters_changed }}\"\n  - parameter: minclass\n    value: 4\n    stig_id: V-71913\n    description: \"Password must have at least four character classes changed\"\n    enabled: \"{{ security_pwquality_require_character_classes_changed }}\"\n  - parameter: maxrepeat\n    value: 3\n    stig_id: V-71915\n    description: \"Password must have at most three characters repeated consecutively\"\n    enabled: \"{{ security_pwquality_limit_repeated_characters }}\"\n  - parameter: maxclassrepeat\n    value: 4\n    stig_id: V-71917\n    description: \"Password must have at most four characters in the same character class repeated consecutively\"\n    enabled: \"{{ security_pwquality_limit_repeated_character_classes }}\"\n  - parameter: minlen\n    value: 15\n    stig_id: V-71935\n    description: \"Passwords must be a minimum of 15 characters in length\"\n    enabled: \"{{ security_pwquality_require_minimum_password_length }}\"\n\n## shadow-utils settings\n# This variable is used in main/rhel7stig/auth.yml to set shadow file-related\n# configurations in /etc/login.defs.\n#\n# Each dictionary has this structure:\n#\n#   parameter: the parameter to set\n#   value: the value for the parameter\n#   stig_id: the STIG ID number for the requirement\n#\nshadow_utils_rhel7:\n  - parameter: ENCRYPT_METHOD\n    value: \"{{ security_password_encrypt_method | default('') }}\"\n    stig_id: V-71921\n    os_family: all\n  - parameter: PASS_MIN_DAYS\n    value: \"{{ security_password_min_lifetime_days | default('') }}\"\n    stig_id: V-71925\n    os_family: all\n  - parameter: PASS_MAX_DAYS\n    value: \"{{ security_password_max_lifetime_days | default('') }}\"\n    stig_id: V-71929\n    os_family: all\n  - parameter: FAIL_DELAY\n    value: \"{{ security_shadow_utils_fail_delay | default('') }}\"\n    stig_id: V-71951\n    os_family: RedHat\n  - parameter: UMASK\n    value: \"{{ security_shadow_utils_umask | default('') }}\"\n    stig_id: V-71995\n    os_family: all\n  - parameter: CREATE_HOME\n    value: \"{{ security_shadow_utils_create_home | bool | ternary('yes', 'no') }}\"\n    stig_id: V-72013\n    os_family: all\n\n## sysctl settings\n# This variable is used in main/rhel7stig/kernel.yml to set sysctl\n# configurations on hosts.\n#\n# Each dictionary has this structure:\n#\n#   name: the sysctl configuration name\n#   value: the value to set for the sysctl configuration\n#   enabled: yes or no\n#     - 'yes' (ensure the variable is set)\n#     - 'no' (the role will not alter the configuration)\n#\nsysctl_settings_rhel7:\n  - name: net.ipv4.conf.all.accept_source_route\n    value: 0\n    enabled: \"{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}\"\n  - name: net.ipv4.conf.default.accept_source_route\n    value: 0\n    enabled: \"{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}\"\n  - name: net.ipv4.icmp_echo_ignore_broadcasts\n    value: 1\n    enabled: \"{{ security_disallow_echoes_broadcast_address | bool }}\"\n  - name: net.ipv4.conf.all.send_redirects\n    value: 0\n    enabled: \"{{ security_disallow_icmp_redirects | bool }}\"\n  - name: net.ipv4.conf.default.send_redirects\n    value: 0\n    enabled: \"{{ security_disallow_icmp_redirects | bool }}\"\n  - name: net.ipv4.ip_forward\n    value: 0\n    enabled: \"{{ security_disallow_ip_forwarding | bool }}\"\n  - name: net.ipv6.conf.all.accept_source_route\n    value: 0\n    enabled: \"{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}\"\n  - name: net.ipv4.conf.default.accept_redirects\n    value: 0\n    enabled: \"{{ security_disallow_icmp_redirects | bool }}\"\n  - name: kernel.randomize_va_space\n    value: 2\n    enabled: \"{{ security_enable_aslr | bool }}\"\n  - name: net.ipv6.conf.all.disable_ipv6\n    value: 1\n    enabled: \"{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}\"\n\nsshd_settings_rhel7:\n  - name: PermitEmptyPasswords\n    value: \"no\"\n    enabled: \"{{ security_sshd_disallow_empty_password | bool }}\"\n    stig_id: V-71939 / RHEL-07-010440\n  - name: PermitUserEnvironment\n    value: \"no\"\n    enabled: \"{{ security_sshd_disallow_environment_override | bool }}\"\n    stig_id: V-71957\n  - name: HostbasedAuthentication\n    value: \"no\"\n    enabled: \"{{ security_sshd_disallow_host_based_auth | bool }}\"\n    stig_id: V-71959\n  - name: Ciphers\n    value: \"{{ security_sshd_cipher_list }}\"\n    enabled: true\n    stig_id: V-72221\n  - name: ClientAliveInterval\n    value: \"{{ security_sshd_client_alive_interval }}\"\n    enabled: true\n    stig_id: V-72237\n  - name: ClientAliveCountMax\n    value: \"{{ security_sshd_client_alive_count_max }}\"\n    enabled: true\n    stig_id: V-72241\n  - name: PrintLastLog\n    value: \"yes\"\n    enabled: \"{{ security_sshd_print_last_log | bool }}\"\n    stig_id: V-72245\n  # NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\\n' later on\n  - name: PermitRootLogin\n    value: |-\n      {% if security_sshd_permit_root_login | string in ['False', 'True'] %}\n      {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}\n      {{ security_sshd_permit_root_login }}{% endif %}\n    enabled: true\n    stig_id: V-72247\n  - name: IgnoreUserKnownHosts\n    value: \"yes\"\n    enabled: \"{{ security_sshd_disallow_known_hosts_auth | bool }}\"\n    stig_id: V-72249 / V-72239\n  - name: IgnoreRhosts\n    value: \"yes\"\n    enabled: \"{{ security_sshd_disallow_rhosts_auth | bool }}\"\n    stig_id: V-72243\n  - name: X11Forwarding\n    value: \"yes\"\n    enabled: \"{{ security_sshd_enable_x11_forwarding | bool }}\"\n    stig_id: V-72303\n  - name: Protocol\n    value: \"{{ security_sshd_protocol }}\"\n    enabled: true\n    stig_id: V-72251\n  - name: MACs\n    value: \"{{ security_sshd_allowed_macs }}\"\n    enabled: true\n    stig_id: V-72253\n  - name: UsePrivilegeSeparation\n    value: sandbox\n    enabled: \"{{ security_sshd_enable_privilege_separation | bool }}\"\n    stig_id: V-72265\n  - name: Compression\n    value: \"{{ security_sshd_compression }}\"\n    enabled: true\n    stig_id: V-72267\n  - name: KerberosAuthentication\n    value: \"no\"\n    enabled: \"{{ security_sshd_disable_kerberos_auth | bool }}\"\n    stig_id: V-72261\n  - name: GSSAPIAuthentication\n    value: \"no\"\n    enabled: \"{{ security_sshd_disable_gssapi_auth | bool }}\"\n    stig_id: V-204598\n  - name: StrictModes\n    value: \"yes\"\n    enabled: \"{{ security_sshd_enable_strict_modes | bool }}\"\n    stig_id: V-72263\n  - name: PrintMotd\n    value: \"{{ (security_sshd_dynamic_banner_disable | bool) | ternary('yes', 'no') }}\"\n    enabled: true\n    stig_id: V-71861\n","created":"2025-12-08T13:33:13.156776Z","updated":"2025-12-08T13:33:13.156816Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/vars/main.yml"}