Rule ID
SV-269376r1050259_rule
Version
V1R6
CCIs
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system. The root account is a known default username, so should not allow direct login as half of the username/password combination is known, making it vulnerable to brute-force password guessing attacks.
Verify AlmaLinux OS 9 prevents users from logging on directly as "root" over SSH with the following command: $ sshd -T |grep -I permitrootlogin permitrootlogin no If the "PermitRootLogin" keyword is set to "yes" or "without-password", this is a finding.
To configure the system to prevent users from logging on directly as root over SSH, add or modify the following line in "/etc/ssh/sshd_config": PermitRootLogin no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo "PermitRootLogin no" > /etc/ssh/sshd_config.d/root.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service