Changing the root shell

Description: Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

Effects: Prevents access to the root shell and logs the attempt. The following programs are prevented from accessing the root account:
  · login
  · gdm
  · kdm
  · xdm
  · su
  · ssh
  · scp
  · sftp

Does not affect: Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:
  · sudo
  · FTP clients
  · Email clients


Disabling root access via any console device (tty)

Description: An empty /etc/securetty file prevents root login on any devices attached to the computer.

Effects: Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
  · login
  · gdm
  · kdm
  · xdm
  · Other network services that open a tty

Does not affect: Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
  · su
  · sudo
  · ssh
  · scp
  · sftp


Disabling root SSH logins

Description: Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.

Effects: Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
  · ssh
  · scp
  · sftp

Does not affect: This only prevents root access to the OpenSSH suite of tools.


Use PAM to limit root access to services

Description: Edit the file for the target service in the /etc/pam.d/ directory. Make sure pam_listfile.so is required for authentication.

Effects: Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
  · FTP clients
  · Email clients
  · login
  · gdm
  · kdm
  · xdm
  · ssh
  · scp
  · sftp
  · Any PAM aware services

Does not affect: Programs and services that are not PAM aware.
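As an added example (not part of the original table), the following POSIX shell script checks whether each of the four methods above is actually in place. Every check takes a file path, so it runs against the constructed sample files it creates as well as against a live /etc; the PAM check assumes the setting takes the form of an `auth required pam_listfile.so` line, and `vsftpd` is only an assumed default service name.

```shell
# Audit helpers for the four root-lockdown methods in the table above.
# Each check takes the path of the file to inspect (sample file or live /etc).

# Method 1: root's login shell in passwd should be /sbin/nologin.
root_shell_disabled() {
    # passwd fields: name:password:uid:gid:gecos:home:shell
    shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    [ "$shell" = "/sbin/nologin" ]
}

# Method 2: securetty must exist and be empty, so no tty may log root in.
securetty_disabled() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Method 3: PermitRootLogin must be "no". sshd honours the first occurrence
# of a keyword, so later duplicates are ignored (Match blocks not handled).
ssh_root_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Method 4: the service's PAM file must carry an "auth required pam_listfile.so"
# line (assumed form; the deny list itself lives in the file= argument).
pam_listfile_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib(64)?/security/)?pam_listfile\.so' "$1"
}

# Constructed sample files (not taken from any real system) in a temp dir;
# prints the directory so callers can point the checks at it.
setup_samples() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/sbin/nologin\nbin:x:1:1:bin:/bin:/sbin/nologin\n' > "$dir/passwd.locked"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd.open"
    : > "$dir/securetty.empty"
    printf 'tty1\ntty2\n' > "$dir/securetty.open"
    printf '# hardened\nPermitRootLogin no\nPermitRootLogin yes\n' > "$dir/sshd.locked"
    printf 'PermitRootLogin without-password\n' > "$dir/sshd.open"
    printf 'auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\n' > "$dir/pam.locked"
    printf 'auth include system-auth\n' > "$dir/pam.open"
    echo "$dir"
}

# Report each control against the live system (PAM service name optional).
report() { if "$1" "$2"; then echo "PASS: $1 ($2)"; else echo "FAIL: $1 ($2)"; fi; }
audit_live() {
    report root_shell_disabled /etc/passwd
    report securetty_disabled /etc/securetty
    report ssh_root_disabled /etc/ssh/sshd_config
    report pam_listfile_required "/etc/pam.d/${1:-vsftpd}"
}
```

Run `audit_live sshd` (or another PAM service name) on a host to see a PASS/FAIL line per method.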