Detections
Analytics

5.2.10 Ensure SSH root login is disabled

Information

The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.

Rationale:

Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitRootLogin no

Default Value:

PermitRootLogin without-password

See Also

https://workbench.cisecurity.org/files/3399

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv6|5.8, CSCv7|4.3

Plugin: Unix

Control ID: c379f68f2dac691ade7f872ad6a8bb39bde75cf3f88e9009e363b704ab86615e