REC-417 Disable root login by changing root shell
[ta/infra-ansible.git] / roles / ops-hardening / tasks / main.yaml
index d56e893..71218a0 100644 (file)
 - name: "Direct root Logins Not Allowed"
   shell: echo > /etc/securetty
 
+- name: Change 'root' shell to nologin
+  user:
+    name: root
+    shell: /sbin/nologin
+
+- name: Lock 'root' password
+  user:
+    name: root
+    password: '!!'
+
 #
 # Configure IPv6
 #
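Review bot: The `Lock 'root' password` task puts the literal `!!` into the hash field through `password:`, which discards the existing root hash and, as far as I recall, makes the `user` module warn that the value does not look hashed. The module's own option states the intent directly and keeps the old hash recoverable: `password_lock: true` in place of `password: '!!'`. A locked password does not stop SSH public-key login as root by itself, so in this change the `/sbin/nologin` shell is the only thing blocking that session. The sshd `PermitRootLogin` setting is not visible in this hunk, and the task list continues outside it. With root's shell set to `/sbin/nologin`, `su -` and `sudo -i` also stop working, so I would add a comment above the task such as `# root has no login shell: use 'sudo <command>'; confirm console/rescue access before rollout` to record the expected admin and recovery path.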