Operating System - HP-UX

Removing direct root access

 
SOLVED
Go to solution
Adam Noble
Super Advisor

We are in the process of tightening up security on a number of HP systems. We intend to remove direct root access to the system and are looking at the best way of doing this. Obviously we will still need to log into the console as root, however the intention is for users to su to root once on the system.
Francis_12
Trusted Contributor
Solution

Re: Removing direct root access

Hello,

/etc/securetty

If the /etc/securetty file exists, the root user is only allowed to log in on the ttys listed in this file.

Normally, you allow root logins ONLY at the console. All other logins must be made using the user's own ID. If they need root privilege, they will have to su -.

Now that users need to su to become root, all su's are logged in /var/adm/sulog.

To do this, create /etc/securetty with only the console entry.

Hope this helps,

Francis DERDEYN - HP-UX ASCE.
Jeff Schussele
Honored Contributor

Re: Removing direct root access

Hi Adam,

You do this by creating the following file:
/etc/securetty
and placing one word in it:
console

Then set perms to 400 (-r--------) & ownership to root:sys

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
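The two replies above describe three checks: /etc/securetty containing only "console", mode 400 with owner root:sys, and the su audit trail in /var/adm/sulog. The script below is an added audit example, not code from the thread; it assumes sulog lines of the form `SU MM/DD hh:mm +|- tty from-to` and takes file paths as parameters so it can run against copies.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the /etc/securetty and
# /var/adm/sulog controls described above. Assumed sulog line format:
#   SU MM/DD hh:mm +|- tty fromuser-touser

# check_securetty FILE: 0 only if FILE exists and its sole non-blank line is
# "console", i.e. root may log in on a tty only at the system console.
check_securetty() {
    f="$1"
    [ -f "$f" ] || { echo "$f missing: root may log in on any tty"; return 1; }
    status=$(awk 'NF && $0 != "console" { n++ } $0 == "console" { c = 1 }
                  END { if (n > 0 || !c) print "bad"; else print "ok" }' "$f")
    [ "$status" = ok ] || { echo "$f must contain only the line: console"; return 1; }
}

# check_securetty_perms FILE: 0 if mode is 400 and owner:group is root:sys,
# parsed from ls -l (portable to HP-UX; a trailing ACL marker is tolerated).
check_securetty_perms() {
    set -- $(ls -l "$1")
    case "$1" in -r--------*) ;; *) return 1 ;; esac
    [ "$3" = "root" ] && [ "$4" = "sys" ]
}

# root_su_summary SULOG: successful su's to root, printed as "user count".
root_su_summary() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); n[$6]++
         } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample files so the script runs offline.
SAMPLE_DIR=${TMPDIR:-/tmp}/securetty-demo.$$
mkdir -p "$SAMPLE_DIR"
printf 'console\n' > "$SAMPLE_DIR/securetty.good"
printf 'console\ntty0p1\n' > "$SAMPLE_DIR/securetty.bad"
cat > "$SAMPLE_DIR/sulog" <<'EOF'
SU 03/15 09:02 + pts/1 adam-root
SU 03/15 09:40 - pts/2 bob-root
SU 03/15 10:11 + pts/2 bob-root
SU 03/15 11:05 + console root-adam
SU 03/16 08:30 + pts/3 adam-root
EOF

check_securetty "$SAMPLE_DIR/securetty.good" && echo "securetty OK"
check_securetty "$SAMPLE_DIR/securetty.bad" || echo "securetty needs fixing"
check_securetty_perms /etc/securetty || echo "/etc/securetty perms not 400 root:sys"
root_su_summary "$SAMPLE_DIR/sulog"
```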
Brian Bergstrand
Honored Contributor

Re: Removing direct root access

Add 'console' to /etc/securetty.

Then root will only be allowed to login directly via the console.

HTH.
Stuart Abramson_2
Honored Contributor

Re: Removing direct root access

vi /etc/securetty
add:
console

This prevents rlogins of the form:

rlogin host -l root

but still allows root logins from other hosts with entries in $ROOT_HOME/.rhosts
Adam Noble
Super Advisor

Re: Removing direct root access

thanks all!
Francis_12
Trusted Contributor

Re: Removing direct root access

Hello back again,

There is still something missing here :-)

/etc/securetty is not checked if your users are going to try to log in via CDE. The reason is that /etc/securetty "lists the valid ttys for root login". Since CDE does not use a tty to log in, /etc/securetty has no effect!!

To bypass that limitation, you will need to modify /etc/dt/config/Xstartup to disable root console login via CDE.

You might also be interested to use the file /usr/dt/config/Xaccess which restricts external CDE access based on host(IP).

Hope this helps, Bye.

Francis DERDEYN - HP-UX ASCE.
Adam Noble
Super Advisor

Re: Removing direct root access

Actually, does anyone know of any further restrictions you can make? I.e. on AIX you can restrict a certain group of users to be able to log in as root, and I also believe you can prevent people logging into ftp as root.
Francis_12
Trusted Contributor

Re: Removing direct root access

Hi back again,

To secure FTP, go here:

http://www.newfdawg.com/SHP-FTP-ftpaccess.htm
and here:
http://www.newfdawg.com/SHP-FTP-ftphosts.htm

Hope this helps, Bye.

Francis DERDEYN - HP-UX ASCE.