topic Re: root access only from console in Operating System - HP-UX

root access only from console

Gary Yu — Mon, 09 Dec 2002 17:06:11 GMT

Hi team,

we are planning some security enhancment now, one proposal is to allow root access only from console, not through telnet.

can we do it by /var/adm/inetd.sec? not sure we can specify users in that file. or there are other ways to do it?

thanks,
Gary

Re: root access only from console

David Bell_1 — Mon, 09 Dec 2002 17:10:56 GMT

Gary,

Have a look at this link. This has been addressed quite a few times in this forum. You may also search on "root access console".

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb82706350fe2d61190050090279cd0f9,00.html

HTH,

Dave

Re: root access only from console

F. X. de Montgolfier — Mon, 09 Dec 2002 17:11:04 GMT

Hi,

seen on http://docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html

[system security]
[this is assuming you're using HP-UX 11.0]
Tracking Root

A useful method to keep track of system access and reduce security breaches on standard and trusted servers is to physically secure the system console and allow root to login only at the system console. Users logging in through other ports must first log in as themselves, then execute su to become root.

To limit root to logging in only through the system console, create the /etc/securetty file with the single entry, console, as follows:

# echo console > /etc/securetty

docs.hp.com is your friend...
Cheers,

Fran??ois-Xavier

Re: root access only from console

Ken Hubnik_2 — Mon, 09 Dec 2002 17:11:42 GMT

You can use securetty. I beleive you create a file in /etc called securetty and put and entry in there for console.

/etc/securetty
console

Re: root access only from console

Steven E. Protter — Mon, 09 Dec 2002 17:14:25 GMT

Linux does this, but not through inetd.sec

HP can do it as well.

Someone will post the manual way of doing it.

You could be lazy like me and just install the Bastille security tool. For political reasons I declined, but it has a step that will disable root access from anywhere but the console.

Here is a link
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

Its off a search at software.hp.com for Bastille, btw.

If you are really concerned about security, Bastille is the way to go. It also enhances system performance, because it stops the use of some dated daemon's that run be default and nobody actually uses any more.

Don't forget to disable X-Windows root access.
I recommend the Practical Network Security class from HP. It's a five day class, it teaches you all of the above except Bastille(which was recently ported from Linux), and teaches you how hackers work and how to defeat them.

Regards,

Steve
Please assign points to people who spent timie, trying to help you.

Re: root access only from console

S.K. Chan — Mon, 09 Dec 2002 17:15:11 GMT

You can do that by creating /etc/securetty file to only allow root access from console. The content of that file should have the line :-
console
Owner of that file should be root:bin and permission 600. This is for security reason.

Re: root access only from console

Patrick Wallek — Mon, 09 Dec 2002 17:16:10 GMT

Ken is correct. The easiest way to do this is to put the word console in the /etc/securetty file.

# cat /etc/securetty
console
#

Note that there is no '/dev/' in front of the word console.

Re: root access only from console

Gary Yu — Mon, 09 Dec 2002 17:22:02 GMT

Thanks guys for the prompt and accurate answers!

Fran??ois is right, docs.hp.com is our friend, and I would also say this forum is our friend!

thanks again,
Gary

Re: root access only from console

Paul Sperry — Mon, 09 Dec 2002 17:44:27 GMT

/etc/securetty should contain:
console