AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.

STIG ID: ALMA-09-034780  |  SRG: SRG-OS-000109-GPOS-00056 |  Severity: medium |  CCI: CCI-004045 |  Vulnerability Id: V-269376

Vulnerability Discussion

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root.

In addition, logging in with a user-specific account provides individual accountability of actions performed on the system.

The root account is a known default username, so should not allow direct login as half of the username/password combination is known, making it vulnerable to brute-force password guessing attacks.

Check

Verify AlmaLinux OS 9 prevents users from logging on directly as "root" over SSH with the following command:

$ sshd -T |grep -I permitrootlogin

permitrootlogin no

If the "PermitRootLogin" keyword is set to "yes" or "without-password", this is a finding.

Fix

To configure the system to prevent users from logging on directly as root over SSH, add or modify the following line in "/etc/ssh/sshd_config":

PermitRootLogin no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo "PermitRootLogin no" > /etc/ssh/sshd_config.d/root.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.