Restrict Console Logins via /etc/securetty

Bug #1665042 reported by Luke Hinds
Affects: tripleo
Importance: High
Assigned to: Luke Hinds

Bug Description

Configuration of /etc/securetty can restrict the programs / devices that are granted root console login.

If /etc/securetty doesn't exist, root is allowed to login from any tty.

If /etc/securetty exists and is empty, root access will be restricted to single user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp).

So the proposal is to remove the current entries from securetty and enforce root login via only secure mediums (as mentioned: su, sudo, ssh, scp, sftp).

Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for systems to meet DISA-STIG, CIS and other security compliance frameworks.

Example

/etc/securetty

console
tty1
tty2
tty3
tty4
tty5
tty6
ttyS0
hvc0

Removing any of the entries above will remove the root access grant.

For this issue, ideally an Operator should be able to provide a list of which consoles they deem secure for access.
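The three pam_securetty states described in the report (file missing, file present with entries, file present but empty), the operator-supplied allowlist the report asks for, and a drift check against that allowlist, as an added shell example. This is not code from the bug report or from puppet-tripleo; the function names and the use of a caller-supplied file path (so it can be exercised on a scratch file rather than the real /etc/securetty) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or the puppet-tripleo change.
# All three functions take the securetty path as their first argument so
# they can be run against a scratch file; on a real host pass /etc/securetty.

# root_console_allowed FILE TTY
# Mirrors the pam_securetty decision stated in the report:
#   FILE missing            -> root may log in from any tty   (returns 0)
#   FILE present, TTY listed -> root login permitted on TTY    (returns 0)
#   FILE present, not listed -> root login denied on TTY       (returns 1)
#   An empty FILE therefore denies every tty.
root_console_allowed() {
    file=$1
    tty=$2
    if [ ! -e "$file" ]; then
        return 0
    fi
    # -x whole-line match, -F literal string, -q no output; empty file matches nothing
    grep -qxF -- "$tty" "$file"
}

# write_securetty FILE TTY...
# Renders the operator's list of consoles deemed secure into FILE, one per
# line. Called with no consoles it leaves FILE empty, which is the
# "root only via su/sudo/ssh" posture the report proposes.
write_securetty() {
    file=$1
    shift
    : > "$file"
    for t in "$@"; do
        printf '%s\n' "$t" >> "$file"
    done
    chmod 0600 "$file"
}

# audit_securetty FILE TTY...
# Compliance check: prints every console granted in FILE that is not in the
# approved list TTY..., and returns 1 if any were found or if FILE is missing
# (a missing file means root console login is unrestricted).
audit_securetty() {
    file=$1
    shift
    rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING: $file (root console login unrestricted)"
        return 1
    fi
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        found=0
        for t in "$@"; do
            if [ "$entry" = "$t" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "UNEXPECTED: $entry"
            rc=1
        fi
    done < "$file"
    return "$rc"
}
```

Usage on a live system would be `audit_securetty /etc/securetty console tty1` to report any console the operator has not approved, and `write_securetty /etc/securetty` with no further arguments to apply the empty-file posture from the report.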

Changed in tripleo:
importance: Undecided → High
Luke Hinds (lhinds)
description: updated
Luke Hinds (lhinds)
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/449148

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/449153

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/449148
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=87850942adfe0a2ed44441913d2442d1fd86a809
Submitter: Jenkins
Branch: master

commit 87850942adfe0a2ed44441913d2442d1fd86a809
Author: lhinds <email address hidden>
Date: Thu Mar 23 13:28:19 2017 +0000

    Adds service for managing securetty

    This adds the ability to manage the securetty file.

    By allowing management of securetty, operators can limit root
    console access and improve security through hardening.

    Change-Id: Ic4647fb823bd112648c5b8d102913baa8b4dac1c
    Closes-Bug: #1665042

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/449153
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=99455380692f233f64c7fb68eb8a11105d39f5ac
Submitter: Jenkins
Branch: master

commit 99455380692f233f64c7fb68eb8a11105d39f5ac
Author: lhinds <email address hidden>
Date: Thu Mar 23 13:41:42 2017 +0000

    Adds service for managing securetty

    This adds the ability to manage the securetty file.

    By allowing management of securetty, operators can limit root
    console access and improve security through hardening.

    Change-Id: I0767c9529b40a721ebce1eadc2dea263e0a5d4d7
    Partial-Bug: #1665042
    Depends-On: Ic4647fb823bd112648c5b8d102913baa8b4dac1c

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.0.0

This issue was fixed in the openstack/puppet-tripleo 7.0.0 release.
