https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090015#M751603 The /etc/securetty file is used to restrict root access. The single entry in the file determines where root can login,but not necessarily where people can su upto root.<BR /><BR />Typically the contents of this file would read :-<BR /><BR />console<BR /><BR />So the root account can only be logged in from the console. <BR /><BR />Please note the /etc/securetty file does not prevent a user from using the root login if that user is using something call CDE (Common Desktop Environment). In this case you must edit the file /etc/dt/config/Xstartup to contain the following :-<BR /><BR />if [ $USER = root ] ; then<BR /> exit 1<BR />fi<BR /><BR />The other option if using CDE is to cp the file usr/dt/config/Xstartup to /etc/dt/config/Xstartup.<BR /><BR />An additional security measure is to setup an su group to allow only a certain number of people to su to root. This can be achieved by creating an entry in /etc/default/security :-<BR /><BR />SU_ROOT_GROUP=groupname <BR /><BR />where groupname corresponds to the name of the group in /etc/group file that should be allowed to use su to root. Root does not need to be a member of this group !<BR /><BR />Hope this helps.<BR /><BR />Keith Fri, 10 Oct 2003 10:31:04 GMT Keith Bevan_1 2003-10-10T10:31:04Z https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090012#M751600 I have a requirement to implement securetty functionality for the "oracle" account. Our auditors want to restrict access to the account except from a "user" account and the su command. That way we could use the sulog to trace which real users where logged in as "oracle". Any ideas on how to do this? Thu, 09 Oct 2003 16:05:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090012#M751600 Dave Parmer 2003-10-09T16:05:24Z https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090013#M751601 Hi,<BR /> <BR />Think you are looking for this solution.<BR /> <BR /><A href="http://forums1.itrc.hp.com/service/forums/parseCurl.do?CURL=%2Fcm%2FQuestionAnswer%2F1%2C%2C0x7924cbaac6dcd5118ff40090279cd0f9%2C00.html&amp;admit=716493758+1065734732126+28353475" target="_blank">http://forums1.itrc.hp.com/service/forums/parseCurl.do?CURL=%2Fcm%2FQuestionAnswer%2F1%2C%2C0x7924cbaac6dcd5118ff40090279cd0f9%2C00.html&amp;admit=716493758+1065734732126+28353475</A><BR /> <BR />Hope it helps,<BR /><BR />Robert-Jan.<BR /> Thu, 09 Oct 2003 16:25:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090013#M751601 Robert-Jan Goossens 2003-10-09T16:25:56Z https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090014#M751602 If you add 'console' to /etc/securetty then root can log in only at the console. <BR /> <BR />So securetty is used to restrict root access only and has no relation to other login accounts.<BR /> <BR />What you're describing is what the 'last' command is for.<BR /> <BR /># last account<BR /># last -b account<BR /># last -R account<BR /> <BR />You can also restrict 'rlogins', force all to use 'telnet' and track in syslog.log. Add -l to /etc/inetd.conf:<BR /> <BR />telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd -l<BR /> <BR /> <BR />You can also look into /sbin/init.d/acct, system accounting, but this is usually reserved for expense charging for time.<BR /> Thu, 09 Oct 2003 16:50:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090014#M751602 Michael Steele_2 2003-10-09T16:50:17Z https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090015#M751603 The /etc/securetty file is used to restrict root access. The single entry in the file determines where root can login,but not necessarily where people can su upto root.<BR /><BR />Typically the contents of this file would read :-<BR /><BR />console<BR /><BR />So the root account can only be logged in from the console. <BR /><BR />Please note the /etc/securetty file does not prevent a user from using the root login if that user is using something call CDE (Common Desktop Environment). In this case you must edit the file /etc/dt/config/Xstartup to contain the following :-<BR /><BR />if [ $USER = root ] ; then<BR /> exit 1<BR />fi<BR /><BR />The other option if using CDE is to cp the file usr/dt/config/Xstartup to /etc/dt/config/Xstartup.<BR /><BR />An additional security measure is to setup an su group to allow only a certain number of people to su to root. This can be achieved by creating an entry in /etc/default/security :-<BR /><BR />SU_ROOT_GROUP=groupname <BR /><BR />where groupname corresponds to the name of the group in /etc/group file that should be allowed to use su to root. Root does not need to be a member of this group !<BR /><BR />Hope this helps.<BR /><BR />Keith Fri, 10 Oct 2003 10:31:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090015#M751603 Keith Bevan_1 2003-10-10T10:31:04Z https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090016#M751604 Thanks for the input. The changes to the profile did the trick. Fri, 10 Oct 2003 10:42:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/securetty-functionality-for-non-root-users/m-p/3090016#M751604 Dave Parmer 2003-10-10T10:42:25Z