By default root user had direct login access to the Linux machine which can be dangerous and in most organisation it is restricted
But how do we restrict a direct root user login?
Firstly ssh based direct root login must be diabled which can be done via sshd_config
Modify your /etc/ssh/sshd_config and make sure PermitRootLogin is disabled as shown below
By default the value would be yes, so change it to "no" and save your file follwed by a sshd service restart to make the changes affect
Using this you disabled ssh based direct root login but what if someone gets access to the GUI console, which can be iLO for a physical blade and a GUI console for VMware via vnc or some other tool?
The above changes will not restrict a direct root login via console as that is not ssh
Disable direct root login via console
To achieve this clear the contents of "/etc/securetty"
By default this file contains the content of all the terminals on which a direct root login would be allowed
Now you can try to do a root login via console, and it should fail
I hope the article was useful.