Playbook #2
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml
Execution
Date 08 Dec 2025 13:27:39 +0000
Duration 00:05:33.94
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.3
Summary
2 Hosts
316 Tasks
313 Results
18 Plays
136 Files
0 Records
check:False tags:all

Host facts: aio1
Processor
Storage
/
/dev/xvda1 (ext4)
40.6% used
21.9 GB free
/mnt/config
/dev/xvdd (iso9660)
100.0% used
0 bytes free
/openstack
/dev/xvde1 (ext4)
5.6% used
29.6 GB free
/var/lib/lxc
/dev/xvde2 (ext4)
5.1% used
44.5 GB free
/var/lib/nova/instances
/dev/loop0 (xfs)
1.9% used
1004.2 GB free
All Host Facts
Fact Value
ansible_mounts 
[
    {
        "block_available": 5749259,
        "block_size": 4096,
        "block_total": 9686411,
        "block_used": 3937152,
        "device": "/dev/xvda1",
        "dump": 0,
        "fstype": "ext4",
        "inode_available": 9806357,
        "inode_total": 10480640,
        "inode_used": 674283,
        "mount": "/",
        "options": "rw,relatime",
        "passno": 0,
        "size_available": 23548964864,
        "size_total": 39675539456,
        "uuid": "53f6e1bd-3af3-4adf-88ea-2dd12e31dfa8"
    },
    {
        "block_available": 0,
        "block_size": 2048,
        "block_total": 222,
        "block_used": 222,
        "device": "/dev/xvdd",
        "dump": 0,
        "fstype": "iso9660",
        "inode_available": 0,
        "inode_total": 0,
        "inode_used": 0,
        "mount": "/mnt/config",
        "options": "ro,relatime,nojoliet,check=s,map=n,blocksize=2048,fmode=700,iocharset=utf8",
        "passno": 0,
        "size_available": 0,
        "size_total": 454656,
        "uuid": "2025-12-08-13-19-25-00"
    },
    {
        "block_available": 7754683,
        "block_size": 4096,
        "block_total": 8211652,
        "block_used": 456969,
        "device": "/dev/xvde1",
        "dump": 0,
        "fstype": "ext4",
        "inode_available": 2097078,
        "inode_total": 2097152,
        "inode_used": 74,
        "mount": "/openstack",
        "options": "rw,noatime,nobarrier,data=writeback",
        "passno": 0,
        "size_available": 31763181568,
        "size_total": 33634926592,
        "uuid": "95c6f1ee-eace-44c0-a409-5138d171fc97"
    },
    {
        "block_available": 11673107,
        "block_size": 4096,
        "block_total": 12306341,
        "block_used": 633234,
        "device": "/dev/xvde2",
        "dump": 0,
        "fstype": "ext4",
        "inode_available": 3145717,
        "inode_total": 3145728,
        "inode_used": 11,
        "mount": "/var/lib/lxc",
        "options": "rw,noatime,nobarrier,data=writeback",
        "passno": 0,
        "size_available": 47813046272,
        "size_total": 50406772736,
        "uuid": "62ffa9df-4285-4a7c-b2ff-60561322e098"
    },
    {
        "block_available": 263253996,
        "block_size": 4096,
        "block_total": 268402688,
        "block_used": 5148692,
        "device": "/dev/loop0",
        "dump": 0,
        "fstype": "xfs",
        "inode_available": 107374141,
        "inode_total": 107374144,
        "inode_used": 3,
        "mount": "/var/lib/nova/instances",
        "options": "rw,noatime,nodiratime,attr2,inode64,logbufs=8,logbsize=256k,noquota",
        "passno": 0,
        "size_available": 1078288367616,
        "size_total": 1099377410048,
        "uuid": "e97190e7-dea8-48d5-ba36-90f59a0651c2"
    }
]


161 OK 60 CHANGED 106 SKIPPED




Report Status Date Date Duration Host Action Task Tags Notes
OK 08 Dec 2025 13:33:12 +0000 00:00:00.38 aio1 ansible.builtin.command ansible-hardening : Generate auditd rules 1
CHANGED 08 Dec 2025 13:33:11 +0000 00:00:00.71 aio1 ansible.builtin.service ansible-hardening : Restart ssh 1
SKIPPED 08 Dec 2025 13:33:11 +0000 00:00:00.02 aio1 ansible.builtin.include_tasks ansible-hardening : Including contrib tasks 1
OK 08 Dec 2025 13:33:11 +0000 00:00:00.34 aio1 ansible.builtin.file ansible-hardening : Remove the temporary directory 2
CHANGED 08 Dec 2025 13:33:10 +0000 00:00:00.49 aio1 ansible.builtin.replace ansible-hardening : Manage motd in pam.d 1
OK 08 Dec 2025 13:33:08 +0000 00:00:01.34 aio1 ansible.builtin.file ansible-hardening : Private host key files must have mode 0600 or less 4
OK 08 Dec 2025 13:33:08 +0000 00:00:00.32 aio1 ansible.builtin.shell ansible-hardening : Determine existing private ssh host keys 2
OK 08 Dec 2025 13:33:06 +0000 00:00:01.25 aio1 ansible.builtin.file ansible-hardening : Public host key files must have mode 0644 or less 4
OK 08 Dec 2025 13:33:06 +0000 00:00:00.32 aio1 ansible.builtin.shell ansible-hardening : Determine existing public ssh host keys 2
OK 08 Dec 2025 13:33:05 +0000 00:00:00.62 aio1 ansible.builtin.service ansible-hardening : Ensure sshd is enabled at boot time 4
CHANGED 08 Dec 2025 13:33:05 +0000 00:00:00.38 aio1 ansible.builtin.blockinfile ansible-hardening : Adjust ssh server configuration based on STIG requirements 21
CHANGED 08 Dec 2025 13:32:59 +0000 00:00:05.82 aio1 ansible.builtin.lineinfile ansible-hardening : Drop options from SSH config that we manage 21
CHANGED 08 Dec 2025 13:32:58 +0000 00:00:00.76 aio1 ansible.builtin.copy ansible-hardening : Copy login warning banner 5
SKIPPED 08 Dec 2025 13:32:58 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72313 - Change SNMP community strings from default. 4
OK 08 Dec 2025 13:32:57 +0000 00:00:00.35 aio1 ansible.builtin.command ansible-hardening : Check to see if snmpd config contains public/private 2
SKIPPED 08 Dec 2025 13:32:57 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72305 - TFTP must be configured to operate in secure mode 4
SKIPPED 08 Dec 2025 13:32:57 +0000 00:00:00.02 aio1 ansible.builtin.command ansible-hardening : Check TFTP configuration mode 2
OK 08 Dec 2025 13:32:56 +0000 00:00:00.33 aio1 ansible.builtin.stat ansible-hardening : Check for TFTP server configuration file 2
SKIPPED 08 Dec 2025 13:32:56 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : V-72297 - Prevent unrestricted mail relaying 4
OK 08 Dec 2025 13:32:55 +0000 00:00:00.32 aio1 ansible.builtin.stat ansible-hardening : Check for postfix configuration file 2
SKIPPED 08 Dec 2025 13:32:55 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72295 - Network interfaces must not be in promiscuous mode. 4
OK 08 Dec 2025 13:32:55 +0000 00:00:00.32 aio1 ansible.builtin.shell ansible-hardening : Check for interfaces in promiscuous mode 2
OK 08 Dec 2025 13:32:54 +0000 00:00:00.05 aio1 ansible.builtin.debug ansible-hardening : V-72281 - For systems using DNS resolution, at least two name servers must be configured. 4
OK 08 Dec 2025 13:32:53 +0000 00:00:01.35 aio1 command ansible-hardening : Count nameserver entries in /etc/resolv.conf 3
SKIPPED 08 Dec 2025 13:32:53 +0000 00:00:00.03 aio1 ansible.builtin.command ansible-hardening : Limit new TCP connections to 25/minute and allow bursting to 100 4
SKIPPED 08 Dec 2025 13:32:53 +0000 00:00:00.02 aio1 ansible.builtin.service ansible-hardening : Ensure firewalld is running and enabled 4
OK 08 Dec 2025 13:32:52 +0000 00:00:00.36 aio1 ansible.builtin.command ansible-hardening : Check firewalld status 2
SKIPPED 08 Dec 2025 13:32:52 +0000 00:00:00.02 aio1 ansible.builtin.template ansible-hardening : V-72269 - Synchronize system clock (configuration file) 4
OK 08 Dec 2025 13:32:51 +0000 00:00:00.35 aio1 ansible.builtin.stat ansible-hardening : Check if chrony configuration file exists 2
SKIPPED 08 Dec 2025 13:32:51 +0000 00:00:00.02 aio1 ansible.builtin.service ansible-hardening : Start and enable chrony 4
CHANGED 08 Dec 2025 13:32:51 +0000 00:00:00.33 aio1 ansible.builtin.blockinfile ansible-hardening : V-72223 - Set 10 minute timeout on communication sessions 4
SKIPPED 08 Dec 2025 13:32:50 +0000 00:00:00.02 aio1 ansible.builtin.service ansible-hardening : Ensure ClamAV is running 3
SKIPPED 08 Dec 2025 13:32:50 +0000 00:00:00.02 aio1 ansible.builtin.command ansible-hardening : Update ClamAV database 3
OK 08 Dec 2025 13:32:50 +0000 00:00:00.34 aio1 ansible.builtin.shell ansible-hardening : Check if ClamAV update process is already running 2
SKIPPED 08 Dec 2025 13:32:49 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : Allow automatic freshclam updates 3
SKIPPED 08 Dec 2025 13:32:49 +0000 00:00:00.02 aio1 ansible.builtin.file ansible-hardening : Ensure ClamAV socket directory exists 3
SKIPPED 08 Dec 2025 13:32:49 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : Set ClamAV server type as socket 3
SKIPPED 08 Dec 2025 13:32:49 +0000 00:00:00.03 aio1 ansible.builtin.lineinfile ansible-hardening : Remove 'Example' line from ClamAV configuration files 3
OK 08 Dec 2025 13:32:48 +0000 00:00:00.33 aio1 ansible.builtin.stat ansible-hardening : Check if ClamAV is installed 2
OK 08 Dec 2025 13:32:48 +0000 00:00:00.05 aio1 ansible.builtin.debug ansible-hardening : V-72209 - The system must send rsyslog output to a log aggregation server. 4
OK 08 Dec 2025 13:32:48 +0000 00:00:00.33 aio1 ansible.builtin.command ansible-hardening : Check if syslog output is being sent to another server 2
OK 08 Dec 2025 13:32:47 +0000 00:00:00.05 aio1 ansible.builtin.debug ansible-hardening : Check for /tmp on mounted filesystem 4
OK 08 Dec 2025 13:32:47 +0000 00:00:00.05 aio1 ansible.builtin.debug ansible-hardening : Check for /var/log/audit on mounted filesystem 4
OK 08 Dec 2025 13:32:47 +0000 00:00:00.06 aio1 ansible.builtin.debug ansible-hardening : Check for /var on mounted filesystem 4
OK 08 Dec 2025 13:32:47 +0000 00:00:00.06 aio1 ansible.builtin.debug ansible-hardening : Check for /home on mounted filesystem 4
CHANGED 08 Dec 2025 13:32:45 +0000 00:00:01.41 aio1 ansible.builtin.systemd ansible-hardening : V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled 4
OK 08 Dec 2025 13:32:44 +0000 00:00:00.65 aio1 ansible.builtin.systemd ansible-hardening : V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled 4
SKIPPED 08 Dec 2025 13:32:44 +0000 00:00:00.02 aio1 ansible.builtin.service ansible-hardening : V-71985 - File system automounter must be disabled unless required. 4
OK 08 Dec 2025 13:32:44 +0000 00:00:00.34 aio1 ansible.builtin.command ansible-hardening : Check autofs service 2
SKIPPED 08 Dec 2025 13:32:43 +0000 00:00:00.03 aio1 ansible.builtin.debug ansible-hardening : V-72039 - All system device files must be correctly labeled to prevent unauthorized modification. 4
SKIPPED 08 Dec 2025 13:32:43 +0000 00:00:00.03 aio1 ansible.builtin.command ansible-hardening : Check for unlabeled device files 4
SKIPPED 08 Dec 2025 13:32:43 +0000 00:00:00.03 aio1 ansible.builtin.file ansible-hardening : Relabel files on next boot if SELinux mode changed 4
SKIPPED 08 Dec 2025 13:32:43 +0000 00:00:00.03 aio1 ansible.posix.selinux ansible-hardening : Ensure SELinux is in enforcing mode on the next reboot 4
CHANGED 08 Dec 2025 13:32:42 +0000 00:00:00.78 aio1 ansible.builtin.service ansible-hardening : Ensure AppArmor is running 3
OK 08 Dec 2025 13:32:41 +0000 00:00:00.66 aio1 ansible.builtin.service ansible-hardening : Ensure AppArmor is enabled at boot time 3
OK 08 Dec 2025 13:32:40 +0000 00:00:00.36 aio1 ansible.builtin.command ansible-hardening : Check if apparmor is running 3
OK 08 Dec 2025 13:32:40 +0000 00:00:00.37 aio1 ansible.builtin.command ansible-hardening : Check apparmor_status output 3
CHANGED 08 Dec 2025 13:32:39 +0000 00:00:00.74 aio1 ansible.builtin.copy ansible-hardening : V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled 4
SKIPPED 08 Dec 2025 13:32:39 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : Print a warning if FIPS isn't enabled 4
SKIPPED 08 Dec 2025 13:32:39 +0000 00:00:00.03 aio1 ansible.builtin.command ansible-hardening : Check if FIPS is enabled 2
SKIPPED 08 Dec 2025 13:32:38 +0000 00:00:00.02 aio1 ansible.builtin.service ansible-hardening : V-72057 - Kernel core dumps must be disabled unless needed. 4
OK 08 Dec 2025 13:32:38 +0000 00:00:00.34 aio1 ansible.builtin.command ansible-hardening : Check kdump service 4
CHANGED 08 Dec 2025 13:32:34 +0000 00:00:03.67 aio1 ansible.posix.sysctl ansible-hardening : Set sysctl configurations 13
CHANGED 08 Dec 2025 13:32:34 +0000 00:00:00.34 aio1 ansible.builtin.lineinfile ansible-hardening : V-71983 - USB mass storage must be disabled. 4
SKIPPED 08 Dec 2025 13:32:33 +0000 00:00:00.03 aio1 ansible.builtin.template ansible-hardening : Create a GDM keyfile for machine-wide settings 4
SKIPPED 08 Dec 2025 13:32:33 +0000 00:00:00.02 aio1 ansible.builtin.copy ansible-hardening : Create a GDM profile for displaying a login banner 4
SKIPPED 08 Dec 2025 13:32:33 +0000 00:00:00.02 aio1 ansible.builtin.template ansible-hardening : Prevent users from changing graphical session locking configurations 6
SKIPPED 08 Dec 2025 13:32:33 +0000 00:00:00.02 aio1 ansible.builtin.template ansible-hardening : Configure graphical session locking 6
SKIPPED 08 Dec 2025 13:32:32 +0000 00:00:00.03 aio1 ansible.builtin.file ansible-hardening : Create dconf directories 7
SKIPPED 08 Dec 2025 13:32:32 +0000 00:00:00.02 aio1 ansible.builtin.copy ansible-hardening : Create a user profile in dconf 6
OK 08 Dec 2025 13:32:32 +0000 00:00:00.33 aio1 ansible.builtin.stat ansible-hardening : Check for dconf profiles 2
SKIPPED 08 Dec 2025 13:32:32 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : V-71955 - The operating system must not allow guest logon to the system. 4
SKIPPED 08 Dec 2025 13:32:31 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface 4
OK 08 Dec 2025 13:32:31 +0000 00:00:00.32 aio1 ansible.builtin.stat ansible-hardening : Check if gdm is installed and configured 1
SKIPPED 08 Dec 2025 13:32:31 +0000 00:00:00.03 aio1 ansible.builtin.file ansible-hardening : Set owner/group owner on /etc/cron.allow 5
OK 08 Dec 2025 13:32:30 +0000 00:00:00.33 aio1 ansible.builtin.stat ansible-hardening : Check if /etc/cron.allow exists 2
SKIPPED 08 Dec 2025 13:32:30 +0000 00:00:00.04 aio1 ansible.builtin.debug ansible-hardening : V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group. 4
SKIPPED 08 Dec 2025 13:32:30 +0000 00:00:00.02 aio1 ansible.builtin.shell ansible-hardening : Find all world-writable directories 2
SKIPPED 08 Dec 2025 13:32:30 +0000 00:00:00.07 aio1 ansible.builtin.file ansible-hardening : Set proper owner, group owner, and permissions on home directories 6
SKIPPED 08 Dec 2025 13:32:29 +0000 00:00:00.03 aio1 ansible.builtin.debug ansible-hardening : V-72009 - All files and directories must have a valid group owner. 4
SKIPPED 08 Dec 2025 13:32:29 +0000 00:00:00.02 aio1 ansible.builtin.command ansible-hardening : Search for files/directories with an invalid group owner 2
SKIPPED 08 Dec 2025 13:32:29 +0000 00:00:00.03 aio1 ansible.builtin.debug ansible-hardening : V-72007 - All files and directories must have a valid owner. 4
SKIPPED 08 Dec 2025 13:32:29 +0000 00:00:00.02 aio1 ansible.builtin.command ansible-hardening : Search for files/directories with an invalid owner 2
SKIPPED 08 Dec 2025 13:32:28 +0000 00:00:00.02 aio1 shell ansible-hardening : V-71849 - Reset file permissions/ownership to vendor values 5
SKIPPED 08 Dec 2025 13:32:28 +0000 00:00:00.03 aio1 ansible.builtin.shell ansible-hardening : V-71849 - Get packages with incorrect file permissions or ownership 4
SKIPPED 08 Dec 2025 13:32:28 +0000 00:00:00.03 aio1 ansible.builtin.file ansible-hardening : Remove .shosts or shosts.equiv files 5
SKIPPED 08 Dec 2025 13:32:28 +0000 00:00:00.03 aio1 ansible.builtin.async_status ansible-hardening : Ensure .shosts find has finished 5
SKIPPED 08 Dec 2025 13:32:28 +0000 00:00:00.02 aio1 ansible.builtin.debug ansible-hardening : V-72275 - Display date/time of last logon after logon 4
OK 08 Dec 2025 13:32:27 +0000 00:00:00.33 aio1 ansible.builtin.command ansible-hardening : Check for pam_lastlog in PAM configuration 2
SKIPPED 08 Dec 2025 13:32:27 +0000 00:00:00.04 aio1 ansible.builtin.blockinfile ansible-hardening : V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types 4
SKIPPED 08 Dec 2025 13:32:27 +0000 00:00:00.02 aio1 ansible.builtin.lineinfile ansible-hardening : Set CLASS for grub file 6
SKIPPED 08 Dec 2025 13:32:26 +0000 00:00:00.02 aio1 ansible.builtin.blockinfile ansible-hardening : Define password options for grub 6
OK 08 Dec 2025 13:32:26 +0000 00:00:00.33 aio1 ansible.builtin.stat ansible-hardening : Check if GRUB2 custom file exists 2
OK 08 Dec 2025 13:32:25 +0000 00:00:00.31 aio1 ansible.builtin.stat ansible-hardening : Check if sssd.conf exists 2
SKIPPED 08 Dec 2025 13:32:25 +0000 00:00:00.03 aio1 debug ansible-hardening : V-71949 - Users must re-authenticate for privilege escalation 5
OK 08 Dec 2025 13:32:25 +0000 00:00:00.34 aio1 ansible.builtin.shell ansible-hardening : Check for '!authenticate' in sudoers files 4
OK 08 Dec 2025 13:32:25 +0000 00:00:00.05 aio1 debug ansible-hardening : V-71947 - Users must provide a password for privilege escalation 5
OK 08 Dec 2025 13:32:24 +0000 00:00:00.35 aio1 ansible.builtin.shell ansible-hardening : Check for 'nopasswd' in sudoers files 4
SKIPPED 08 Dec 2025 13:32:24 +0000 00:00:00.03 aio1 ansible.builtin.blockinfile ansible-hardening : Lock accounts after three failed login attempts a 15 minute period 5
SKIPPED 08 Dec 2025 13:32:24 +0000 00:00:00.06 aio1 ansible.builtin.lineinfile ansible-hardening : Prevent users with blank or null passwords from authenticating (Red Hat) 4