{"description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then use su or sudo to execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. The login program\nuses the file /etc/securetty to determine which interfaces\nshould allow root logins.\n\nThe virtual devices /dev/console\nand /dev/tty* represent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains /dev/vc/*.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.", "warnings": [], "requires": [], "conflicts": [], "values": ["var_pam_wheel_group_for_su"], "groups": {}, "rules": ["accounts_no_uid_except_zero", "accounts_root_gid_zero", "ensure_pam_wheel_group_empty", "ensure_root_access_controlled", "ensure_root_password_configured", "groups_no_zero_gid_except_root", "no_direct_root_logins", "no_invalid_shell_accounts_unlocked", "no_password_auth_for_systemaccounts", "no_root_webbrowsing", "no_shelllogin_for_systemaccounts", "prevent_direct_root_logins", "restrict_serial_port_logins", "root_path_default", "securetty_root_login_console_only", "use_pam_wheel_for_su", "use_pam_wheel_group_for_su"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Restrict Root Logins", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/group.yml"}