From 7c54ee6f7f7bb1ab3ce75b34521db7dfd68d429a Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Fri, 4 Dec 2015 16:50:56 +0200
Subject: [PATCH] - Add lock_root tasks file.
---
 handlers/main.yml | 5 +++++
 tasks/lock_root.yml | 14 ++++++++++++++
 tasks/main.yml | 3 +++
 3 files changed, 22 insertions(+)
 create mode 100644 tasks/lock_root.yml
diff --git a/handlers/main.yml b/handlers/main.yml
index 21f7c65..3697637 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,3 +13,8 @@
 service:
 name: syslogd
 state: restarted
+
+- name: Restart ssh
+ service:
+ name: ssh
+ state: restarted
diff --git a/tasks/lock_root.yml b/tasks/lock_root.yml
new file mode 100644
index 0000000..601aaef
--- /dev/null
+++ b/tasks/lock_root.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Disable root account
+ user:
+ name: root
+ expires: 1
+
+- name: Disable root SSH login
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: 'PermitRootLogin no'
+ regexp: '^PermitRootLogin '
+ notify:
+ - Restart ssh
diff --git a/tasks/main.yml b/tasks/main.yml
index ef3fd95..5573651 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,3 +45,6 @@ - include: unattended_upgrades.yml when: unattended_upgrades|default(True) and ansible_os_family == 'Debian'
+
+- include: lock_root.yml
+ when: lock_root|default(True)
-- GitLab
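Review bot: The new `Restart ssh` handler hard-codes the service name `ssh`, which is the Debian/Ubuntu name; on RedHat-family hosts the service is `sshd`, so the handler would fail there after sshd_config has already been edited, leaving the running daemon on its old settings. The include of lock_root.yml in tasks/main.yml is not gated on `ansible_os_family` the way the unattended_upgrades include is, so this path looks reachable on any host the role runs on. Either gate the include the same way or make the name a role variable, for example `name: "{{ ssh_service_name | default('ssh') }}"` (variable name is a suggestion, not an existing one). The rest of handlers/main.yml lies outside the hunk.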
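Review bot: The `regexp: '^PermitRootLogin '` in the "Disable root SSH login" task only matches the keyword in that exact case followed by a space, while sshd_config keywords are case-insensitive and may be separated by tabs. sshd uses the first value it reads for a keyword, so an existing line the regexp misses stays in effect and the `PermitRootLogin no` appended at end of file is ignored, or lands inside a trailing `Match` block. I would use `regexp: '(?i)^\s*PermitRootLogin\s'` and add `validate: '/usr/sbin/sshd -t -f %s'` so a broken file is never written before the restart. Separately, `expires: 1` expires the account rather than locking its password, which through PAM account checks can also stop root cron jobs and `su`; a comment stating that this is intended would help the next maintainer.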
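Review bot: `lock_root|default(True)` makes the root lock opt-out, so a play that connects to the host as root loses its own access after the first run, and a host with no other sudo-capable account is left without an administrative login. Keeping the secure default is reasonable, but it should be stated where the operator will see it, for example `# Locks root by default; set lock_root: false if the play connects as root or no other sudo user exists` above the include. A preceding task that fails when the connecting user is root would turn the lockout into a clear error instead. The earlier tasks in tasks/main.yml are outside the hunk, so such a guard may already exist there.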