← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282494

CAT II (Medium)

TOSS 5 must not permit direct logins to the root account using remote access via SSH.

Rule ID

SV-282494r1200462_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004045

Discussion

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Check Content

Verify TOSS 5 remote access using SSH prevents users from logging on directly as "root" using the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'

PermitRootLogin no

If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.

Fix Text

Configure the system to prevent SSH users from logging on directly as "root" by adding or modifying the following line in "/etc/ssh/sshd_config":

 PermitRootLogin no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service