
Enable or disable root login via Secure Shell, as appropriate.


CONTROL ID: 05574
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure the system account settings and the permission settings in accordance with the organizational standards. (CC ID: 01538)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • disable the ability to login directly as root (PermitRootLogin no) (Control: ISM-0484; Revision: 6; Bullet 6, Australian Government Information Security Manual, June 2023)
  • disable the ability to login directly as root (PermitRootLogin no) (Control: ISM-0484; Revision: 6; Bullet 6, Australian Government Information Security Manual, September 2023)
  • The organization should configure Secure Shell to disable the ability to login directly as root by setting the configuration to "permitrootlogin no". (Control: 0484, Australian Government Information Security Manual: Controls)
  • Ensure SSH root login is disabled Description: The `PermitRootLogin` parameter specifies if the root user can log in using ssh. The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via `sudo`… (5.3.12, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure SSH root login is disabled Description: The `PermitRootLogin` parameter specifies if the root user can log in using ssh. The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via `sudo`… (5.3.12, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Title: Disable SSH Root Login Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo … (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.8.1_sshd.permitrootlogin, The Center for Internet Security CentOS 6 Level 1 Benchmark, 1.0.0)
  • Title: Disable SSH Root Login Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sud… (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.8.1_sshd.permitrootlogin, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Restrict root Login to System Console Description: The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is … (Rule: xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Disable SSH Root Login Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sud… (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.8.1_sshd.permitrootlogin, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Title: Restrict root Login to System Console Description: The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is … (Rule: xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Title: Disable SSH Root Login Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root v… (Rule: xccdf_org.cisecurity.benchmarks_rule_9.3.8_Disable_SSH_Root_Login Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_9.3.8.1_sshd.permitrootlogin, The Center for Internet Security Ubuntu 12.04 LTS Level 1 Benchmark, v1.0.0)
  • Title: Disable SSH Root Login Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root v… (Rule: xccdf_org.cisecurity.benchmarks_rule_9.3.8_Disable_SSH_Root_Login Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_9.3.8.1_sshd.permitrootlogin, The Center for Internet Security Ubuntu 12.04 LTS Level 2 Benchmark, v1.0.0)
  • Ensure SSH root login is disabled Description: The `PermitRootLogin` parameter specifies if the root user can log in using ssh. The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via `sudo`… (5.2.10, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure SSH root login is disabled Description: The `PermitRootLogin` parameter specifies if the root user can log in using ssh. The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via `sudo`… (5.2.10, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Root logins should be restricted to the console or not as appropriate. Technical Mechanisms: /etc/default/login Parameters: restricted/not restricted References: 10.8.10.5.2.6 (4) (CCE-5676-2, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • Remote root logins via SSH should be allowed or not as appropriate. Technical Mechanisms: via /etc/ssh/sshd_config Parameters: allowed/not allowed References: 10.8.10.5.2.6 (4) (CCE-5751-3, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • Root logins should be restricted to the console or not as appropriate. Technical Mechanisms: Parameters: restricted/not restricted References: 10.8.10.5.2.6 (4) (CCE-5764-6, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • Root logins should be allowed or not as appropriate from SSH consoles Technical Mechanisms: Parameters: allowed/not allowed References: 10.8.10.5.2.6 (4) (CCE-5940-2, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • Root logins should be restricted to the console or not as appropriate. Technical Mechanisms: via /etc/securetty Parameters: restricted/not restricted References: 10.8.10.5.2.6 (4) (CCE-8432-7, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The sshd service should be enabled or disabled as appropriate. Technical Mechanisms: via chkconfig Parameters: enabled / disabled References: Section: 3.5.1.1, Value: disabled CCE-U-203 (CCE-4268-9, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)
  • Root login via SSH should be enabled or disabled as appropriate Technical Mechanisms: via /etc/ssh/sshd_config Parameters: enabled / disabled References: Section: 3.5.2.6, Value: disabled (CCE-4387-7, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)
  • Root login via SSH should be enabled or disabled as appropriate. Technical Mechanisms: /etc/ssh/sshd_config Parameters: string yes/no References: Section: 6.3,Value:no (CCE-4713-4, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The ability to login as root directly should be configured correctly. Technical Mechanisms: /etc/default/login Parameters: enabled/disabled References: Section: 6.1,Value:disabled CCE-U-15 (CCE-4458-6, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • Root logins should be restricted to the console or not as appropriate. Technical Mechanisms: via /etc/default/login Parameters: restricted/not restricted References: 10.8.10.5.2.6 (4) (CCE-5793-5, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • Root logins should be allowed or not as appropriate from SSH consoles Technical Mechanisms: Parameters: allowed/not allowed References: 10.8.10.5.2.6 (4) (CCE-6844-5, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • Root logins should be restricted to the console or not as appropriate. Technical Mechanisms: via /etc/default/login Parameters: restricted/not restricted References: 10.8.10.5.2.6 (4) (CCE-7232-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • Root logins should be allowed or not as appropriate from SSH consoles Technical Mechanisms: Parameters: allowed/not allowed References: 10.8.10.5.2.6 (4) (CCE-7665-3, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)