AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.

An XCCDF Rule

Description

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system. The root account is a known default username, so should not allow direct login as half of the username/password combination is known, making it vulnerable to brute-force password guessing attacks.

ID: SV-269376r1050259_rule
Version: ALMA-09-034780
Severity: Medium
References: CCI-004045
Updated: about 2 months ago

Remediation Templates

To configure the system to prevent users from logging on directly as root over SSH, add or modify the following line in "/etc/ssh/sshd_config":

PermitRootLogin no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:
$ echo "PermitRootLogin no" > /etc/ssh/sshd_config.d/root.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service

AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.

Description

Remediation Templates

A Manual Procedure