The requirement to disable root login on console suggests that your server's physical environment is not secure. Fix that first.
You can then e.g. point at the big, secure lock in the door of the server cabinet and say "*That* is what prevents root logins on the console." Most auditors will understand that a locked door can be used to secure the system.
But if you really want to do it through software configuration, make sure you have some authorized way to access the root account, like sudo, PowerBroker or whatever. Then set a very long and difficult root password, don't document it anywhere and just forget it.
If you have the optional free "LongPassword" depot for 11.31 installed (it's available at software.hp.com), you can use passwords of up to 255 characters.
A 80-character root password that is completely random and not written anywhere will make direct root logins pretty much impossible.
But remember:
If an unauthorized person has a physical access to your server and really wants your data, he/she will just crash & reboot your server to single user mode to get it.
If the system is configured to require a password to access the single user mode, the unauthorized person will just plug in a disk with his/her own OS installation or boot the system using the recovery mode of a HP-UX installation CD.
Bottom line: *All* the protections of the OS can be worked around if the hardware is not physically secure.
MK
MK
