From 8608fb528ce17c3088db9a47ae4a6d8a4bd9190a Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Mon, 22 Jan 2024 15:55:08 +0200
Subject: [PATCH] [OCRVS-6350] Disable root (#849)

* disable root login completely

* stop users from using 'su'

* only disable root login if ansible user being used is not root
---
 infrastructure/server-setup/tasks/users.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
index b7cf21138..6c39f3abb 100644
--- a/infrastructure/server-setup/tasks/users.yml
+++ b/infrastructure/server-setup/tasks/users.yml
@@ -4,10 +4,10 @@
     state: '{{ item.state }}'
   with_items: '{{ users }}'
 
-- name: Grant passwordless sudo to the users
+- name: Grant passwordless sudo to the users, but prevent usage of 'su'
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/{{ item.name }}
-    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL'
+    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL, !/usr/bin/su'
     validate: 'visudo -cf %s'
     create: yes
   become: yes
@@ -122,6 +122,12 @@
     state: present
   when: ansible_user != "root"
 
+- name: Disable root account login completely
+  ansible.builtin.command:
+    cmd: passwd -l root
+  become: yes
+  when: ansible_user != "root"
+
 - name: Enable KbdInteractiveAuthentication in SSHD Config
   lineinfile:
     path: /etc/ssh/sshd_config
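Review bot: The `!/usr/bin/su` exclusion added to the `line:` value does not prevent a user from obtaining a root shell, because `ALL` is still granted and sudoers(5) itself states that subtracting commands from `ALL` with `!` is generally not effective; the new task name "prevent usage of 'su'" therefore overstates the control. A second, concrete defect is that the `lineinfile` task has no `regexp:`, so on hosts provisioned with the previous rule the old `NOPASSWD:ALL` line remains and the new line is appended next to it, leaving the exclusion unapplied there; adding `regexp: '^{{ item.name }} '` makes the task replace the existing entry instead. I would also put a comment above `line:` such as `# The su exclusion only guards against accidental use; it is not a security boundary, ALL still permits other paths to root.` so later readers do not treat it as one. The enclosing task list continues outside the hunk.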
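Review bot: The new `ansible.builtin.command: cmd: passwd -l root` task is not idempotent — it reports `changed` and re-applies an account mutation on every run — where the idiomatic, idempotent form is `ansible.builtin.user:` with `name: root` and `password_lock: true`, which also removes the need for a raw shell command. The task name "Disable root account login completely" promises more than a password lock delivers: key-based SSH login as root is governed by `PermitRootLogin` in sshd_config, and the sshd_config task that follows is cut off by the hunk, so whether that setting is managed here cannot be confirmed from the diff. A caveat worth recording in a comment above the task is that a locked root password also blocks console and rescue-mode root login, so recovery of the host depends entirely on the sudo users created earlier in this file. Lastly, `when: ansible_user != "root"` fails the play when `ansible_user` is undefined (login user taken from inventory defaults or ssh config); `when: ansible_user is defined and ansible_user != "root"` keeps the guard without that failure mode.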