Direct root Logins Not Allowed
An XCCDF Rule
Description
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to log in to. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous because a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Anolis OS 8's /etc/securetty file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command:
$ sudo sh -c 'echo > /etc/securetty'
Warning
/etc/securetty file existence and its content.
If you need to restrict user access using the /etc/securetty file, make sure the pam_securetty.so PAM module is properly enabled in relevant PAM files.
Rationale
Disabling direct root logins ensures proper accountability and multifactor authentication for privileged accounts. Users will first log in, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
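One way to audit the two conditions the description and the warning cover, written as an added example and not taken from the rule's own content: the function names, the verdict wording and the choice to treat a whitespace-only file as empty are assumptions made here.

```shell
#!/bin/sh
# Added example (not SSG code). Paths are arguments so the audit can be
# run against copies; function names are hypothetical.

# securetty_state FILE -> "missing", "lists-ttys" or "empty".
# Assumption: a file holding only whitespace counts as empty.
securetty_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif grep -q '[^[:space:]]' "$1"; then
        echo lists-ttys
    else
        echo empty
    fi
}

# pam_securetty_files DIR -> PAM files with an uncommented pam_securetty.so line.
pam_securetty_files() {
    found=$(grep -lE '^[[:space:]]*[^#[:space:]].*pam_securetty\.so' "$1"/* 2>/dev/null) || true
    [ -n "$found" ] && printf '%s\n' "$found"
}

# audit_root_login SECURETTY PAMDIR -> verdict on stdout; 0 pass, 1 fail, 2 warn.
audit_root_login() {
    case $(securetty_state "$1") in
        missing)
            echo "FAIL: $1 missing, root may log in on any device"; return 1 ;;
        lists-ttys)
            echo "FAIL: $1 still lists devices where root may log in"; return 1 ;;
    esac
    if pam_securetty_files "$2" >/dev/null; then
        echo "PASS: $1 is empty and pam_securetty.so is enabled"
    else
        echo "WARN: $1 is empty but no PAM file in $2 enables pam_securetty.so"
        return 2
    fi
}

# Run against the live system only when both paths are given, e.g.
#   sh audit.sh /etc/securetty /etc/pam.d
if [ "$#" -eq 2 ]; then
    audit_root_login "$1" "$2"
fi
```

The WARN result marks the case the warning describes: the file is empty, but no PAM service consults it, so it restricts nothing.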
- ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
- Severity: Medium
Remediation - Ansible
- name: Direct root Logins Not Allowed
  copy:
    dest: /etc/securetty
    content: ''
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    echo > /etc/securetty
else