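---
# Root Account Restrictions
#
# Tasks that limit use of the root account: block root logins over SSH,
# lock the root password, pin the root group to GID 0, and verify that
# root is the only UID 0 account on the host.
#
# Assumes the caller defines the booleans disable_root_login and
# lock_root_account (the debug task at the end references both
# unconditionally) and a "restart sshd" handler.

- name: Disable root SSH login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Matches only an active directive at column 0; a commented
    # "#PermitRootLogin" line is not replaced, so lineinfile appends the
    # new line at the end of the file.
    # NOTE(review): if sshd_config ends with a Match block, an appended
    # directive becomes scoped to that block — confirm, or set insertbefore.
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    state: present
    # Reject the edit unless the resulting file passes sshd's own syntax
    # check; this does not verify where the directive ended up.
    validate: '/usr/sbin/sshd -t -f %s'
  when: disable_root_login
  notify: restart sshd

- name: Lock root account
  ansible.builtin.user:
    name: root
    # Canonical boolean (was "yes", which yamllint's truthy rule rejects).
    # Locks the password only; root's authorized SSH keys are untouched,
    # so the SSH task above is what actually blocks remote root access.
    password_lock: true
  when: lock_root_account

- name: Ensure root group is GID 0 (CIS 5.4.5)
  ansible.builtin.group:
    name: root
    gid: 0
    state: present

- name: Verify root is the only UID 0 account
  # Read-only check: lists every passwd entry whose UID field is 0.
  ansible.builtin.shell: |
    awk -F: '($3 == 0) { print $1 }' /etc/passwd
  register: uid_zero_accounts
  changed_when: false
  # Parsed as (stdout_lines | length) > 1 — the filter binds tighter
  # than the comparison — so any extra UID 0 account fails the play.
  failed_when: uid_zero_accounts.stdout_lines | length > 1

- name: Display root restrictions status
  ansible.builtin.debug:
    # Reports the requested policy from the input variables, not a
    # re-verified state; only the UID 0 line reflects an actual check.
    msg:
      - "Root SSH login: {{ 'DISABLED' if disable_root_login else 'ENABLED' }}"
      - "Root account: {{ 'LOCKED' if lock_root_account else 'UNLOCKED' }}"
      - "UID 0 accounts: {{ uid_zero_accounts.stdout_lines | join(', ') }}"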