Information
The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.
Rationale:
Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident
Solution
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
Default Value:
PermitRootLogin without-password
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72247
Rule ID: SV-86871r3_rule
STIG ID: RHEL-07-040370
Severity: CAT II