OL 9 must not permit direct logons to the root account using remote access via SSH.

STIG ID: OL09-00-002345  |  SRG: SRG-OS-000109-GPOS-00056 |  Severity: medium |  CCI: CCI-004045 |  Vulnerability Id: V-271708

Vulnerability Discussion

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Check

Verify that OL 9 remote access using SSH prevents users from logging on directly as "root" with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'
PermitRootLogin no

If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.

Fix

Configure OL 9 to prevent SSH users from logging on directly as root by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d".

PermitRootLogin no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.