{"description": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>PermitRootLogin no</pre>", "rationale": "Even though the communications channel may be encrypted, an additional layer of\nsecurity is gained by extending the policy of not logging directly on as root.\nIn addition, logging in with a user-specific account provides individual\naccountability of actions performed on the system and also helps to minimize\ndirect attack attempts on root's password.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "3", "5"], "cjis": ["5.5.6"], "cobit5": ["APO01.06", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.02", "DSS06.03", "DSS06.06", "DSS06.10"], "cui": ["3.1.1", "3.1.5"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.18.1.4", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.2.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.2", "CIP-007-3 R5.3.1", "CIP-007-3 R5.3.2", "CIP-007-3 R5.3.3"], "nist": ["AC-6(2)", "AC-17(a)", "IA-2", "IA-2(5)", "CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-4", "PR.AC-6", "PR.AC-7", "PR.DS-5", "PR.PT-3"], "ospp": ["FAU_GEN.1"], "pcidss": ["Req-2.2.4"], "srg": ["SRG-OS-000109-GPOS-00056", "SRG-OS-000480-GPOS-00227", "SRG-APP-000148-CTR-000335", "SRG-APP-000190-CTR-000500"], "anssi": ["R33"], "cis": ["5.1.20"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"anssi": ["R33"], "cis": ["5.1.20"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>PermitRootLogin</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>no</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf\".\n\nPermitRootLogin no\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not permit direct logons to the root account using remote access via SSH.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not permit direct logons to the root account using remote access via SSH.", "vuldiscussion": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.", "checktext": "Verify Ubuntu 22.04 remote access using SSH prevents users from logging on directly as \"root\" with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2&gt;&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to any value other than \"no\", is missing, or is commented out, this is a finding.", "fixtext": "To configure the system to prevent SSH users from logging on directly as root add or modify the following line in \"/etc/ssh/sshd_config\" or in a file in \"/etc/ssh/sshd_config.d\".\n\nPermitRootLogin no\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable SSH Root Login", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "PermitRootLogin", "value": "no", "datatype": "string"}, "backends": {}}}