Restrict Console Logins via /etc/securetty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo |
Fix Released
|
High
|
Luke Hinds |
Bug Description
Configuration of /etc/securetty can restrict the programs / devices that are granted root console login.
If /etc/securetty doesn't exist, root is allowed to login from any tty
If /etc/securetty exists and is empty, root access will be restricted to single user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp)
So the proposal is to remove the current entries from securetty and enforce root login via only secure mediums (as mentioned su, sudo, ssh, scp, sftp)
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for systems to meet DISA-STIG, CIS and other security compliance frameworks.
Example
/etc/securetty
console
tty1
tty2
tty3
tty4
tty5
tty6
ttyS0
hvc0
Removing any of the entries above, will remove the root access grant.
For this issue, ideally an Operator should be able to provide a list of which consoles they deem secure for access.
Changed in tripleo: | |
importance: | Undecided → High |
description: | updated |
Changed in tripleo: | |
assignee: | nobody → Luke Hinds (lhinds) |
Fix proposed to branch: master /review. openstack. org/449148
Review: https:/