Comment 0 for bug 1665042

Luke Hinds (lhinds) wrote :

Configuration of /etc/securetty can restrict the programs / devices that are granted root console login.

If /etc/securetty doesn't exist, root is allowed to log in from any tty.

If /etc/securetty exists and is empty, root access will be restricted to single-user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp).

So the proposal is to remove the current entries from securetty and enforce root login only via secure media (as mentioned: su, sudo, ssh, scp, sftp).

Disabling direct root logins ensures proper accountability and multifactor authentication for privileged accounts. Users will first log in, then escalate to privileged (root) access via su / sudo. This is required for systems to meet DISA STIG, CIS and other security compliance frameworks.
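The following is an added example (my own shell script, not part of this bug report or of the project's code) that models the pam_securetty decision described in the comment for the three states of the file: absent (root allowed on any tty), present with entries (root allowed only on the listed ttys, the general case the comment's proposal starts from), and present but empty (root denied on every tty). It then applies the proposed remediation, truncating the file, to a scratch copy so the real /etc/securetty is never modified. It assumes the login service's PAM stack actually calls pam_securetty and that tty names are compared as whole lines of the file; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report: a model of the pam_securetty
# decision for root console logins, plus the proposed remediation, run against
# a scratch copy of securetty so the real /etc/securetty is never touched.
# Assumptions (mine): the service's PAM stack includes pam_securetty, and the
# tty name passed in is the one PAM sees (e.g. "tty1", "ttyS0", "pts/0").

# securetty_allows_root FILE TTY
# Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
securetty_allows_root() {
    file=$1
    tty=$2
    if [ ! -e "$file" ]; then
        # No securetty file at all: root may log in from any tty.
        echo allow
        return 0
    fi
    # File exists: root is allowed only if TTY appears as a whole line.
    # An empty file therefore matches nothing and denies every tty.
    if grep -qxF -- "$tty" "$file" 2>/dev/null; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# securetty_state FILE
# Prints "absent", "empty" or "lists N tty(s)" for an audit report.
securetty_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ ! -s "$1" ]; then
        echo empty
    else
        echo "lists $(grep -c . "$1") tty(s)"
    fi
}

# harden_securetty FILE
# The proposal from the report: keep the file but remove every entry, so
# pam_securetty denies direct root login on all ttys, while su, sudo and ssh,
# which are not restricted by pam_securetty, keep working.
harden_securetty() {
    : > "$1"
}

# Demonstration on a constructed scratch file (not the system's own).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/securetty"

echo "state: $(securetty_state "$demo_file")"
echo "tty1 -> $(securetty_allows_root "$demo_file" tty1)"     # allow (file absent)

printf 'tty1\nttyS0\n' > "$demo_file"
echo "state: $(securetty_state "$demo_file")"
echo "tty1 -> $(securetty_allows_root "$demo_file" tty1)"     # allow (listed)
echo "pts/0 -> $(securetty_allows_root "$demo_file" pts/0)"   # deny (not listed)

harden_securetty "$demo_file"
echo "state: $(securetty_state "$demo_file")"
echo "tty1 -> $(securetty_allows_root "$demo_file" tty1)"     # deny (file empty)

rm -rf "$demo_dir"
```

Run it as an unprivileged user; nothing here needs root because it only works on the scratch file. To audit a real host, call `securetty_state /etc/securetty`: "absent" is the unrestricted state the comment warns about, and "empty" is the hardened state being proposed.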