Root Access

root_login_from_console

This built-in function ensures that the “root” user can log in directly to the remote system only through the physical console.

The rationale behind this check is that good administrative practices disallow the direct use of the root account so that access can be traced to a specific person. Instead, use a generic user account (a member of the wheel group on BSD systems), then use “su” (or sudo) to elevate privileges to perform administrative tasks.

| Operating System | Implementation |
| --- | --- |
| Linux and HP-UX | Make sure that /etc/securetty exists and only contains “console”. |
| Solaris | Make sure that /etc/default/login contains the line CONSOLE=/dev/console. |
| macOS | This option is not supported. |
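
The file checks in the table above can be reproduced locally with a short shell script. This is an added example, not the scanner's own implementation; the function names, the skipping of comment lines, and the treatment of an empty /etc/securetty as a failure are assumptions.

```shell
#!/bin/sh
# Added example: local version of the two file checks described above.
# The file path is a parameter so each check can be run against a copy.

# Linux / HP-UX: pass only if the file exists and its sole active entry is "console".
# Assumption: blank lines and lines starting with '#' are ignored; an empty
# file fails because it does not contain "console".
check_securetty() {
    file=${1:-/etc/securetty}
    [ -f "$file" ] || { echo "FAIL: $file is missing"; return 1; }
    entries=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]//g' -e '/^$/d' "$file" | sort -u)
    if [ "$entries" = "console" ]; then
        echo "PASS: $file permits root login on console only"
        return 0
    fi
    echo "FAIL: $file active entries: $(echo "$entries" | tr '\n' ' ')"
    return 1
}

# Solaris: pass only if an uncommented CONSOLE=/dev/console line is present.
# A commented-out "#CONSOLE=/dev/console" does not count.
check_login_console() {
    file=${1:-/etc/default/login}
    [ -f "$file" ] || { echo "FAIL: $file is missing"; return 1; }
    if grep -q '^CONSOLE=/dev/console[[:space:]]*$' "$file"; then
        echo "PASS: $file restricts root login to /dev/console"
        return 0
    fi
    echo "FAIL: $file has no active CONSOLE=/dev/console line"
    return 1
}

# Run one check when invoked as: script securetty [file] | script login [file]
case "${1:-}" in
    securetty) check_securetty "${2:-}" ;;
    login)     check_login_console "${2:-}" ;;
esac
```
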

Usage

<item>
  name: "root_login_from_console"
  description: "This check makes sure that root can only log in from the system console (not remotely)."
</item>