https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083780#M143251 We are in the process of tightening up security on a number of HP systems. We intend to remove direct root access to the system and are looking at the best way of doing this. Obviously we will still need to log into the console as root, however the intention is for users to su to root once on the system. Thu, 02 Oct 2003 08:02:28 GMT Adam Noble 2003-10-02T08:02:28Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083780#M143251 We are in the process of tightening up security on a number of HP systems. We intend to remove direct root access to the system and are looking at the best way of doing this. Obviously we will still need to log into the console as root, however the intention is for users to su to root once on the system. Thu, 02 Oct 2003 08:02:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083780#M143251 Adam Noble 2003-10-02T08:02:28Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083781#M143252 Hello,<BR /><BR />/etc/securetty<BR /><BR />If the /etc/securetty file exits, root user is only allowed to login in the tty's listed in this file. <BR /><BR />Normally, you allow root logins ONLY at<BR />the console. On all other logins must be logged in using user's own id's. If they are needing root priviledge, they will have to su -.<BR /><BR />Now, that user needs to do su's to become root, all su's are logged in<BR />/var/adm/sulog.<BR /><BR />To do this, create /etc/securetty with only the console entry.<BR /><BR />Hope this helps,<BR /><BR />Francis DERDEYN - HP-UX ASCE. Thu, 02 Oct 2003 08:05:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083781#M143252 Francis_12 2003-10-02T08:05:29Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083782#M143253 Hi Adam,<BR /> <BR />You do this by creating the following file <BR />/etc/securetty<BR />and placing one word in it<BR />console<BR /> <BR />Then set perms to 400 (-r--------) &amp; ownership to root:sys<BR /> <BR />HTH,<BR />Jeff Thu, 02 Oct 2003 08:06:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083782#M143253 Jeff Schussele 2003-10-02T08:06:01Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083783#M143254 Add 'console' to /etc/securetty.<BR /> <BR />Then root will only be allowed to login directly via the console.<BR /> <BR />HTH. Thu, 02 Oct 2003 08:07:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083783#M143254 Brian Bergstrand 2003-10-02T08:07:29Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083784#M143255 vi /etc/securetty<BR /> add:<BR /> console<BR /><BR /> This prevents rlogins of form:<BR /><BR /> rlogin host -l root<BR /><BR /> but still allows root logins from other hosts with entries in $ROOT_HOME/.rhosts Thu, 02 Oct 2003 08:09:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083784#M143255 Stuart Abramson_2 2003-10-02T08:09:33Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083785#M143256 thanks all! Thu, 02 Oct 2003 08:18:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083785#M143256 Adam Noble 2003-10-02T08:18:33Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083786#M143257 Hello back again,<BR /><BR />There is still something missing here :-)<BR /><BR />/etc/securetty is not checked if your users are going to try to log in via CDE. The reason is that /etc/securetty "lists the valid ttys for root login". Since CDE does not use a tty to login the /etc/securetty<BR />has no effect !!<BR /><BR />To bypass that limitation, you will need to modify the /etc/dt/config/Xstartup to disable<BR />root console login via CDE.<BR /><BR />You might also be interested to use the file /usr/dt/config/Xaccess which restricts external CDE access based on host(IP).<BR /><BR />Hope this helps, Bye.<BR /><BR />Francis DERDEYN - HP-UX ASCE.<BR /> Thu, 02 Oct 2003 08:20:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083786#M143257 Francis_12 2003-10-02T08:20:01Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083787#M143258 Actually does anyone know of any further restrictions you can make i.e on AIX you can restict a certain group of users to be able to login as root and also I believe you can prevent people logging into ftp as root. Thu, 02 Oct 2003 09:10:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083787#M143258 Adam Noble 2003-10-02T09:10:58Z https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083788#M143259 Hi back again,<BR /><BR />To secure FTP, go here :<BR /><BR /><A href="http://www.newfdawg.com/SHP-FTP-ftpaccess.htm" target="_blank">http://www.newfdawg.com/SHP-FTP-ftpaccess.htm</A><BR />and here :<BR /><A href="http://www.newfdawg.com/SHP-FTP-ftphosts.htm" target="_blank">http://www.newfdawg.com/SHP-FTP-ftphosts.htm</A><BR /><BR />Hope this helps, Bye.<BR /><BR />Francis DERDEYN - HP-UX ASCE. Thu, 02 Oct 2003 09:19:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/removing-direct-root-access/m-p/3083788#M143259 Francis_12 2003-10-02T09:19:51Z