Login/tty file contents (UNIX)

Module: Startup Files

This check examines the contents of the securetty and /etc/default/login files. The check reports pseudo-terminals that allow root logins, unrestricted root logins, and systems that allow root logins from devices other than the system console. Use the file list to exclude from the check any pseudo-terminals or devices that allow root logins. Specify full path names for device files.

The following table lists the error messages for the check.

Table: Error messages for Login/tty file contents

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: STKU_PTYSECURE

Category: Policy Compliance

UNIX (5830)

Title: Pseudo-terminal listed as secure

Description: The pseudo-terminals listed below are flagged as secure in the tty control file. Secure terminals allow root logins from the network. This is a security risk because your system's privileged accounts are exposed to access from hosts that are attached to your network but outside your organization. You should remove the secure flag from the pseudo-terminal entries in the tty control file. You should also reset init on your system to restrict root logins to secure terminals.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_NOSECURETTY

Category: Policy Compliance

UNIX (5831)

Title: No tty security file

Description: The systems listed below are missing one or more device security files. These files let you control the security of devices such as terminals, pseudo-terminals, and windows. You should create these files with security settings appropriate for your site. You should allow root logins only on terminals that are connected directly to your system and located in a physically secure area.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_NODEFAULTLOGIN

Category: Policy Compliance

UNIX (5836)

Title: No default login configuration file exists

Description: The systems listed below are missing their login configuration files. These files let you control the default login behavior of terminals, pseudo-terminals, and windows. You should create these files with default values appropriate to your site. Consult the man pages for additional information. You should also consider restricting root logins to the console device or to a terminal that is located in a physically secured area and directly connected to your system.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_NOLOGINCONSOLE

Category: Policy Compliance

UNIX (5837)

Title: Root login not restricted

Description: The systems listed below do not restrict root login. This is a security risk because it exposes your system privileged accounts to unauthorized users. You should restrict root logins by inserting the line CONSOLE=/dev/console into the /etc/default/login file. Consult the man pages for additional information.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_LOGINDEV

Category: Policy Compliance

UNIX (5838)

Title: Root login restricted to the following devices

Description: The systems listed below restrict root login to a device different from /dev/console as recommended by Silicon Graphics, Inc. You should allow root logins only on terminals that are connected directly to your system and located in a physically secure area. You should review the list to ensure that the correct devices are listed.

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
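
The findings in the table above can be reproduced by hand with a short shell audit. This is an added example, not the product's own check logic. It assumes the login file holds KEY=value lines with # comments and that the securetty file lists one device per line relative to /dev; the function names, the pseudo-terminal name patterns and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the product's code. Assumed formats: the login file holds
# KEY=value lines with '#' comments; securetty lists one device per line,
# named relative to /dev.

# check_login FILE -> prints one finding keyed by the table's String IDs
check_login() {
    [ -f "$1" ] || { echo "STKU_NODEFAULTLOGIN [$1]"; return 0; }
    # Commented-out lines do not match; the last active CONSOLE= line is used.
    dev=$(sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*CONSOLE=//p' "$1" | tail -n 1)
    case "$dev" in
        '')           echo "STKU_NOLOGINCONSOLE [$1]" ;;  # unset or empty
        /dev/console) echo "OK [$1]" ;;
        *)            echo "STKU_LOGINDEV [$dev]" ;;
    esac
}

# check_securetty FILE [EXCLUDED_DEVICE...] -> one line per finding.
# Exclusions are full device paths, as the check's file list requires.
check_securetty() {
    file=$1; shift
    [ -f "$file" ] || { echo "STKU_NOSECURETTY [$file]"; return 0; }
    while read -r name rest || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*) continue ;;          # blank line or comment
            pts/*|pty*|ttyp*) ;;          # pseudo-terminal names (assumed patterns)
            *) continue ;;                # console or hard-wired tty
        esac
        skip=no
        for ex in "$@"; do
            if [ "$ex" = "/dev/$name" ]; then skip=yes; fi
        done
        if [ "$skip" = no ]; then echo "STKU_PTYSECURE [/dev/$name]"; fi
    done < "$file"
}

# Constructed sample files, so the example runs without touching /etc.
demo() {
    d=$(mktemp -d)
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login"
    printf 'console\ntty1\npts/0\npts/1\n' > "$d/securetty"
    check_login "$d/login"
    check_securetty "$d/securetty" /dev/pts/1
    rm -rf "$d"
}
demo
```

On a live host, pass the platform's real file paths to the two functions in place of the constructed samples.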