RHEL9-CIS/tasks/section_5/cis_5.6.yml

---

# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
  block:
      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists"
        stat:
            path: /etc/securetty
        register: rhel9cis_securetty_check

      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
        command: cat /etc/securetty
        changed_when: false
        register: rhel_09_5_6_audit
        when: rhel9cis_securetty_check.stat.exists

      - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console"
        debug:
            msg:
                - "These are the consoles with root login access, please review:"
                - "{{ rhel_09_5_6_audit.stdout_lines }}"
        when: rhel9cis_securetty_check.stat.exists

      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists"
        debug:
            msg:
                - "There is no /etc/securetty file, this has been removed by default in RHEL9"
        when: not rhel9cis_securetty_check.stat.exists
  when:
      - rhel9cis_rule_5_6
  tags:
      - level1-server
      - level1-workstation
      - audit
      - rule_5.6
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

			`# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.`
			`- name: "5.6 \| L1 \| AUDIT \| Ensure root login is restricted to system console"`
			`block:`
			`- name: "5.6 \| L1 \| AUDIT \| Ensure root login is restricted to system console \| Check if securetty file exists"`
			`stat:`
			`path: /etc/securetty`
			`register: rhel9cis_securetty_check`

			`- name: "5.6 \| L1 \| AUDIT \| Ensure root login is restricted to system console \| Capture consoles"`
			`command: cat /etc/securetty`
			`changed_when: false`
			`register: rhel_09_5_6_audit`
			`when: rhel9cis_securetty_check.stat.exists`

			`- name: "5.6 \| L1 \| AUDIT \|Ensure root login is restricted to system console \| Display Console"`
			`debug:`
			`msg:`
			`- "These are the consoles with root login access, please review:"`
			`- "{{ rhel_09_5_6_audit.stdout_lines }}"`
			`when: rhel9cis_securetty_check.stat.exists`

			`- name: "5.6 \| L1 \| AUDIT \| Ensure root login is restricted to system console \| Display that no securetty file exists"`
			`debug:`
			`msg:`
			`- "There is no /etc/securetty file, this has been removed by default in RHEL9"`
			`when: not rhel9cis_securetty_check.stat.exists`
			`when:`
			`- rhel9cis_rule_5_6`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_5.6`