A lot of these can be done in the base image. The rest can be done with Ansible. The "not needed" comment below refers to virt-sysprep which is a bit awkward at the moment.
Most of this can be done manually in the base image.
'utmp' : Remove the utmp file. Not needed.
'ssh-hostkeys' : Remove the SSH host keys in the guest. The SSH host keys are regenerated (differently) next time the guest is booted. Not needed.
'tmp-files' : Remove temporary files. This removes temporary files under /tmp and /var/tmp. Not needed.
'lvm-uuids' : Change LVM2 PV and VG UUIDs. On Linux guests that have LVM2 physical volumes (PVs) or volume groups (VGs), new random UUIDs are generated and assigned to those PVs and VGs. Not needed.
'machine-id' : Remove the local machine ID. The machine ID is usually generated from a random source during system installation and stays constant for all subsequent boots. Optionally, for stateless systems it is generated during runtime at boot if it is found to be empty. Not needed.
'bash-history' : Remove the bash history of user "root" and any other users who have a .bash_history file in their home directory. Currently this only looks in /root and /home/* for home directories, so users with home directories in other locations won't have the bash history removed. Not needed.
'logfiles' : Remove many log files from the guest. On Linux the following files are removed: /etc/Pegasus/.cnf, /etc/Pegasus/.crt, /etc/Pegasus/.csr, /etc/Pegasus/.pem, /etc/Pegasus/.srl, /root/anaconda-ks.cfg, /root/anaconda-post.log, /root/initial-setup-ks.cfg, /root/install.log, /root/install.log.syslog, /root/original-ks.cfg, /var/cache/fontconfig/, /var/cache/gdm/, /var/cache/man/, /var/lib/AccountService/users/, /var/lib/fprint/, /var/lib/logrotate.status, /var/log/.log, /var/log/BackupPC/LOG, /var/log/ConsoleKit/, /var/log/anaconda.syslog, /var/log/anaconda/, /var/log/apache2/_log, /var/log/apache2/_log-, /var/log/apt/, /var/log/aptitude, /var/log/audit/, /var/log/btmp, /var/log/ceph/.log, /var/log/chrony/.log, /var/log/cron, /var/log/cups/_log, /var/log/debug, /var/log/dmesg, /var/log/exim4/, /var/log/faillog, /var/log/firewalld, /var/log/gdm/, /var/log/glusterfs/glusterd.vol.log, /var/log/glusterfs/glusterfs.log, /var/log/grubby, /var/log/httpd/log, /var/log/installer/, /var/log/jetty/jetty-console.log, /var/log/journal/, /var/log/lastlog, /var/log/libvirt/libvirtd.log, /var/log/libvirt/libxl/.log, /var/log/libvirt/lxc/.log, /var/log/libvirt/qemu/.log, /var/log/libvirt/uml/.log, /var/log/lightdm/, /var/log/mail/, /var/log/maillog, /var/log/messages, /var/log/ntp, /var/log/ntpstats/, /var/log/ppp/connect-errors, /var/log/rhsm/, /var/log/sa/, /var/log/secure, /var/log/setroubleshoot/.log, /var/log/spooler, /var/log/squid/.log, /var/log/syslog, /var/log/tallylog, /var/log/tuned/tuned.log, /var/log/wtmp, /var/log/xferlog*, /var/named/data/named.run . Not needed.
'backup-files' : Remove editor backup files from the guest. The following files are removed from anywhere in the guest filesystem: .bak, ~ . On Linux and Unix operating systems, only the following filesystems will be examined: /etc, /root, /srv, /tmp, /var. Not needed.
'passwd-backups' : Remove /etc/passwd- and similar backup files. On Linux the following files are removed: /etc/group-, /etc/gshadow-, /etc/passwd-, /etc/shadow-, /etc/subgid-, /etc/subuid- . Not needed.
A lot of these can be done in the base image. The rest can be done with Ansible. The "not needed" comment below refers to virt-sysprep which is a bit awkward at the moment.
Most of this can be done manually in the base image.