{"description": "To further limit access to the <tt>root</tt> account, administrators\ncan disable root logins at the console by editing the <tt>/etc/securetty</tt> file.\nThis file lists all devices the root user is allowed to login to. If the file does\nnot exist at all, the root user can login through any communication device on the\nsystem, whether via the console or via a raw network interface. This is dangerous\nas user can login to the system as root via Telnet, which sends the password in\nplain text over the network. By default, Ubuntu 22.04's\n<tt>/etc/securetty</tt> file only allows the root user to login at the console\nphysically attached to the system. To prevent root from logging in, remove the\ncontents of this file. To prevent direct root logins, remove the contents of this\nfile by typing the following command:\n<pre>\n$ sudo echo &gt; /etc/securetty\n</pre>", "rationale": "Disabling direct root logins ensures proper accountability and multifactor\nauthentication to privileged accounts. Users will first login, then escalate\nto privileged (root) access via su / sudo. This is required for FISMA Low\nand FISMA Moderate systems.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.1.1", "3.1.6"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.2.3", "CIP-004-6 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.2", "CIP-007-3 R5.3.1", "CIP-007-3 R5.3.2", "CIP-007-3 R5.3.3"], "nist": ["IA-2", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "anssi": ["R33"], "pcidss4": ["8.6.1", "8.6"]}, "control_references": {"anssi": ["R33"], "pcidss4": ["8.6.1", "8.6"]}, "components": [], "identifiers": {}, "ocil_clause": "the /etc/securetty file is not empty", "ocil": "To ensure root may not directly login to the system over physical consoles,\nrun the following command:\n<pre>cat /etc/securetty</pre>\nIf any output is returned, this is a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule only checks the <tt>/etc/securetty</tt> file existence and its content.\nIf you need to restrict user access using the <tt>/etc/securetty</tt> file, make sure\nthe <tt>pam_securetty.so</tt> PAM module is properly enabled in relevant PAM files."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Direct root Logins Not Allowed", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml", "template": null}