Playbook #2
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml
Execution
Date 08 Dec 2025 13:27:39 +0000
Duration 00:05:33.94
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.3
Summary
2 Hosts
316 Tasks
313 Results
18 Plays
136 Files
0 Records
check:False tags:all

File: /home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/kernel.yml

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: V-71983 - USB mass storage must be disabled.
  ansible.builtin.lineinfile:
    dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
    line: install usb-storage /bin/true
    create: true
    mode: "0644"
  when:
    - security_rhel7_disable_usb_storage | bool
  tags:
    - kernel
    - medium
    - V-71983

- name: Set sysctl configurations
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: "{{ item.enabled | ternary('present', 'absent') }}"
    sysctl_file: "{{ security_sysctl_file }}"
    reload: true
  when:
    - item.enabled | bool
  with_items: "{{ sysctl_settings_rhel7 }}"
  tags:
    - medium
    - kernel
    - V-72283
    - V-72285
    - V-72287
    - V-72289
    - V-73175
    - V-72291
    - V-72293
    - V-72309
    - V-72319
    - C-00001

- name: Check kdump service
  ansible.builtin.command: systemctl status kdump
  register: kdump_service_check
  failed_when: kdump_service_check.rc not in [0,3,4]
  changed_when: false
  check_mode: false
  tags:
    - kernel
    - medium
    - V-72057

- name: V-72057 - Kernel core dumps must be disabled unless needed.
  ansible.builtin.service:
    name: kdump
    state: stopped
    enabled: false
  when:
    - kdump_service_check.rc not in [3,4]
    - security_disable_kdump
  tags:
    - kernel
    - medium
    - V-72057

- name: Check if FIPS is enabled
  ansible.builtin.command: cat /proc/sys/crypto/fips_enabled
  register: fips_check
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'
  tags:
    - always

- name: Print a warning if FIPS isn't enabled
  ansible.builtin.debug:
    msg: >
      FIPS is not enabled at boot time on this server.
      The STIG requires FIPS to be enabled at boot time.
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'
    - fips_check is defined
    - fips_check.stdout != '1'
  tags:
    - high
    - misc
    - V-72067

- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
  ansible.builtin.copy:
    src: ansible-hardening-disable-dccp.conf
    dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
    mode: "0644"
  when:
    - security_rhel7_disable_dccp | bool
  tags:
    - kernel
    - medium
    - V-77821