---

# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
  block:
      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists"
        stat:
            path: /etc/securetty
        register: rhel9cis_securetty_check

      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
        command: cat /etc/securetty
        changed_when: false
        register: rhel_09_5_6_audit
        when: rhel9cis_securetty_check.stat.exists

      - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console"
        debug:
            msg:
                - "These are the consoles with root login access, please review:"
                - "{{ rhel_09_5_6_audit.stdout_lines }}"
        when: rhel9cis_securetty_check.stat.exists

      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists"
        debug:
            msg:
                - "There is no /etc/securetty file, this has been removed by default in RHEL9"
        when: not rhel9cis_securetty_check.stat.exists
  when:
      - rhel9cis_rule_5_6
  tags:
      - level1-server
      - level1-workstation
      - audit
      - rule_5.6