Logins to the root account must be restricted to the system console only.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-216124 | SRG-OS-000480 | SOL-11.1-040430 | SV-216124r959010_rule | 2026-02-19 | 3 |
Description
Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.
ℹ️ Check
This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine if root login is restricted to the console.
# grep "^CONSOLE=/dev/console" /etc/default/login
If the output of this command is not:
CONSOLE=/dev/console
this is a finding.
✔️ Fix
The root role is required.
Modify the /etc/default/login file
# pfedit /etc/default/login
Locate the line containing:
CONSOLE
Change it to read:
CONSOLE=/dev/console