Root Access

root_login_from_console

This built-in function verifies that the “root” user can log in directly to the remote system only through the physical console.

The rationale behind this check is that good administrative practices disallow the direct use of the root account so that access can be traced to a specific person. Instead, log in with a generic user account (a member of the wheel group on BSD systems), and then use “su” (or sudo) to elevate privileges for administrative tasks.

| Operating System | Implementation |
| --- | --- |
| Linux and HP-UX | Make sure that /etc/securetty exists and only contains “console”. |
| Solaris | Make sure that /etc/default/login contains the line CONSOLE=/dev/console. |
| Mac OS X | This option is not supported. |
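
A local shell equivalent of the Linux/HP-UX and Solaris checks described above, added here as an example and not Tenable's implementation. The function names, the choice to ignore comments and blank lines, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tenable's code. Ignoring comments and blank lines is an assumption.

# Linux / HP-UX: the file must exist and "console" must be its only entry.
check_securetty() {
    file=$1
    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }
    # Drop comments, whitespace and blank lines; what remains are tty entries.
    entries=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" | sort -u)
    if [ "$entries" = "console" ]; then
        echo "PASS: $file permits root login on console only"
        return 0
    fi
    echo "FAIL: $file entries: $(echo $entries)"
    return 1
}

# Solaris: an active (uncommented) line must read CONSOLE=/dev/console.
check_solaris_login() {
    file=$1
    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }
    if grep -Eq '^[[:space:]]*CONSOLE=/dev/console[[:space:]]*$' "$file"; then
        echo "PASS: $file restricts root to /dev/console"
        return 0
    fi
    echo "FAIL: $file has no active CONSOLE=/dev/console line"
    return 1
}

# Demo on constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '# constructed sample\nconsole\n' > "$demo_dir/securetty.good"
printf 'console\ntty1\npts/0\n' > "$demo_dir/securetty.bad"
printf '#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$demo_dir/login.bad"
printf 'PASSREQ=YES\nCONSOLE=/dev/console\n' > "$demo_dir/login.good"
check_securetty "$demo_dir/securetty.good" || true
check_securetty "$demo_dir/securetty.bad" || true
check_solaris_login "$demo_dir/login.bad" || true
check_solaris_login "$demo_dir/login.good" || true
rm -rf "$demo_dir"
```

On a real host, call `check_securetty /etc/securetty` or `check_solaris_login /etc/default/login`; an empty or missing file is reported as a failure, matching the requirement that the file exist and contain only “console”.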

Usage

<item>
  name: "root_login_from_console"
  description: "This check makes sure that root can only log in from the system console (not remotely)."
</item>

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.