[OCRVS-6350] Disable root (#849)

* disable root login completely * stop users from using 'su' * only disable root login if ansible user being used is not root
opencrvs · Jan 22, 2024 · 8608fb5 · 8608fb5
1 parent ce29cb2
commit 8608fb5
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
@@ -4,10 +4,10 @@
     state: '{{ item.state }}'
   with_items: '{{ users }}'
 
-- name: Grant passwordless sudo to the users
+- name: Grant passwordless sudo to the users, but prevent usage of 'su'
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/{{ item.name }}
-    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL'
+    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL, !/usr/bin/su'
     validate: 'visudo -cf %s'
     create: yes
   become: yes
@@ -122,6 +122,12 @@
     state: present
   when: ansible_user != "root"
 
+- name: Disable root account login completely
+  ansible.builtin.command:
+    cmd: passwd -l root
+  become: yes
+  when: ansible_user != "root"
+
 - name: Enable KbdInteractiveAuthentication in SSHD Config
   lineinfile:
     path: /etc/ssh/sshd_config