All,
I'm having trouble determining whether to send these questions to this list or the gov-sec list. If anyone has advice, please share it with me.
That said, I'm working on updating my lockdown scripts for RHEL7 to meet the spirit of the law manifested in the RHEL6 STIG. One of the requirements in the RHEL6 STIG is that "The system must prevent the root account from logging in from virtual consoles." (Rule ID: SV-50293r1_rule)
Their solution is to remove all lines that start with "vc" from /etc/securetty. RHEL7 has introduced their hypervisor virtual consoles as "hvc". Not being as familiar with the hypervisor technology as I probably should be, is there a consensus for whether the requirement necessitates removing those lines from securetty as well?
Thanks!
Tom Albrecht
--
Tom Albrecht III, CISSP-ISSEP, GPEN
Information Assurance Engineer Staff
Cyber & Security Solutions Team (CaS2T)
Lockheed Martin Corporation, IS&GS
thomas.c.albrecht@lmco.com
(m) 484-798-0109 (w) 610-354-7424
Classification: UNCLASSIFIED Caveats: FOUO
Yeah, you've got me on that. I can make a test VM of RHEL7 and see if that will block or cause issues. My scripts just do sed -i 's@^vc@@g' /etc/securetty, so that wouldn't affect that. Interesting. Will check that out.
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Albrecht, Thomas C
Sent: Wednesday, February 25, 2015 9:28 AM
To: 'scap-security-guide@lists.fedorahosted.org'
Subject: securetty and hypervisor virtual consoles (hvc)
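As an added example (not code from either poster or from the SCAP Security Guide project), the script below runs over a constructed sample securetty listing and shows that a pattern anchored on ^vc leaves hvc entries in place. The function names and the "vc+hvc" mode are assumptions made for illustration; whether hvc entries have to be removed is the open question in this thread.

```shell
#!/bin/sh
# Constructed sample input: entries of the kind discussed in the thread,
# not copied from a real /etc/securetty.
sample_securetty() {
cat <<'EOF'
console
vc/1
vc/2
tty1
tty2
hvc0
hvc1
ttyS0
EOF
}

# Read securetty lines on stdin and label each entry as vc, hvc or other.
# case patterns match the whole line, so "vc*" does not match "hvc0".
classify_securetty() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blanks and comments
            vc*)     echo "vc $line" ;;
            hvc*)    echo "hvc $line" ;;
            *)       echo "other $line" ;;
        esac
    done
}

# Filter securetty lines on stdin, deleting whole lines.
#   vc      remove lines starting with "vc" (the RHEL6 STIG fix as quoted above)
#   vc+hvc  also remove hvc lines (assumed stricter policy, not settled here)
filter_securetty() {
    case "$1" in
        vc)     sed -e '/^vc/d' ;;
        vc+hvc) sed -e '/^vc/d' -e '/^hvc/d' ;;
        *)      echo "usage: filter_securetty vc|vc+hvc" >&2; return 2 ;;
    esac
}

# Show what each entry in the sample is classified as.
sample_securetty | classify_securetty
```

To try it against a real system without modifying anything, pipe the file through the filter and diff the result: filter_securetty vc < /etc/securetty | diff /etc/securetty -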