forked from ansible-lockdown/RHEL9-CIS
35 lines
1.4 KiB
YAML
35 lines
1.4 KiB
YAML
---
|
|
|
|
# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.
|
|
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
|
|
block:
|
|
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists"
|
|
stat:
|
|
path: /etc/securetty
|
|
register: rhel9cis_securetty_check
|
|
|
|
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
|
|
command: cat /etc/securetty
|
|
changed_when: false
|
|
register: rhel_09_5_6_audit
|
|
when: rhel9cis_securetty_check.stat.exists
|
|
|
|
- name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console"
|
|
debug:
|
|
msg:
|
|
- "These are the consoles with root login access, please review:"
|
|
- "{{ rhel_09_5_6_audit.stdout_lines }}"
|
|
when: rhel9cis_securetty_check.stat.exists
|
|
|
|
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists"
|
|
debug:
|
|
msg:
|
|
- "There is no /etc/securetty file, this has been removed by default in RHEL9"
|
|
when: not rhel9cis_securetty_check.stat.exists
|
|
when:
|
|
- rhel9cis_rule_5_6
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_5.6
|