
Disable root logons or limit the logons to the system console.


CONTROL ID: 01573
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure accounts with administrative privilege., CC ID: 07033

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • console access. (Security Control: 0487; Revision: 3; Bullet 5, Australian Government Information Security Manual, March 2021)
  • console access. (Control: ISM-0487; Revision: 4; Bullet 5, Australian Government Information Security Manual, June 2023)
  • console access. (Control: ISM-0487; Revision: 4; Bullet 5, Australian Government Information Security Manual, September 2023)
  • The organization should disable console access if logins without a passphrase, for automated purposes, are used for remote access to Secure Shell. (Control: 0487 Bullet 5, Australian Government Information Security Manual: Controls)
  • Root (System Administrator account) is the most powerful account on the Mac OS X system. The root account should be disabled, which it is by default. If direct root login is enabled, the security logs cannot identify which Administrator logged in. (Pg 46, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • This setting enables or disables the Administrator account. For Enterprise Client environments, the Accounts: Administrator Account Status setting should be set to Not Defined. For Specialized Security - Limited Functionality environments, this setting should be Disabled. (Pg 29, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • Ensure root login is restricted to system console Description: The file `/etc/securetty` contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is… (5.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure root login is restricted to system console Description: The file `/etc/securetty` contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is… (5.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Restrict root logins to system console. (§ 7.8, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Restrict root logins to system console. (§ 6.8, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • By default, the root account is disabled and has a blank password upon installation of the operating system. The root account should remain disabled. A password can be set on the root account to secure the root account better and prevent other Administrators from enabling the account. (§ 2.6, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • Restrict root logins to system console. (§ 7.7, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Restrict root logins to system console. (§ 7.7, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Restrict root logins to system console. (§ 7.8, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Restrict root logins to system console. (§ 6.14, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Restrict root logins to system console. (§ 7.11, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Root logins to system console. (§ 7.7, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • The organization must restrict root (default "Administrator" for Windows) logins to system console. It also states that by setting the "Administrator Account Status" to disabled, the account becomes unavailable. Regardless of this setting, the administrator account remains enabled when booting in "s… (§ 3.2.1.1, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Ensure root login is restricted to system console Description: The file `/etc/securetty` contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is… (5.6, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure root login is restricted to system console Description: The file `/etc/securetty` contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is… (5.6, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Table F-6: For Solaris, the organization must configure the system to restrict root logins to the system console. Table F-7: For HP-UX, the organization must configure the system to restrict root logins to the system console. Table F-8: For RedHat Linux, the organization must configure the system to… (Table F-6, Table F-7, Table F-8, CMS Business Partners Systems Security Manual, Rev. 10)
  • The system administrator should ensure root can only log on as root from the system console. Logging on directly as root should prevent the system from logging which user has gained root access. Root should only log on at the system console to perform system maintenance or in an emergency situation. (§ 3.3, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • For Specialized Security - Limited Functionality systems, this setting should be Enabled. For the other Windows XP environments, this setting is Not Defined. (§ 6.2.3, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This setting sets the status of the Administrator account during normal operations. Even when this account is disabled, the Administrator account is enabled if the computer is booted in safe mode. The Accounts: Administrator Account Status setting is Not Defined for Enterprise Client environments an… (Pg 42, NSA Guide to Security Microsoft Windows XP)
  • Prevent root logins to system console. Setting the CONSOLE variable to /dev/null prevents root logins from the console. Administrators will have to log into the system as themselves and then 'su' to root. If the system is in single user mode, the user will be allowed to log in as root. (§ 7.11, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)