Operating System - HP-UX

securetty functionality for non-root users

Dave Parmer
Occasional Contributor

I have a requirement to implement securetty functionality for the "oracle" account. Our auditors want to restrict access to the account except from a "user" account and the su command. That way we could use the sulog to trace which real users were logged in as "oracle". Any ideas on how to do this?
Robert-Jan Goossens
Honored Contributor
Re: securetty functionality for non-root users

Michael Steele_2
Honored Contributor

Re: securetty functionality for non-root users

If you add 'console' to /etc/securetty then root can log in only at the console.

So securetty is used to restrict root access only and has no relation to other login accounts.

What you're describing is what the 'last' command is for.

# last account
# last -b account
# last -R account

You can also restrict 'rlogins', force all to use 'telnet' and track in syslog.log. Add -l to /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd -l


You can also look into /sbin/init.d/acct, system accounting, but this is usually reserved for expense charging for time.
Support Fatherhood - Stop Family Law
Keith Bevan_1
Trusted Contributor

Re: securetty functionality for non-root users

The /etc/securetty file is used to restrict root access. The single entry in the file determines where root can log in, but not necessarily where people can su up to root.

Typically the contents of this file would read :-

console

So the root account can only be logged in from the console.

Please note the /etc/securetty file does not prevent a user from using the root login if that user is using something called CDE (Common Desktop Environment). In this case you must edit the file /etc/dt/config/Xstartup to contain the following :-

# refuse a CDE session for root (quoting keeps the test valid if USER is unset)
if [ "$USER" = root ] ; then
    exit 1
fi

The other option if using CDE is to cp the file usr/dt/config/Xstartup to /etc/dt/config/Xstartup.

An additional security measure is to setup an su group to allow only a certain number of people to su to root. This can be achieved by creating an entry in /etc/default/security :-

SU_ROOT_GROUP=groupname

where groupname corresponds to the name of the group in /etc/group file that should be allowed to use su to root. Root does not need to be a member of this group !

Hope this helps.

Keith
You are either part of the solution or part of the problem
Dave Parmer
Occasional Contributor

Re: securetty functionality for non-root users

Thanks for the input. The changes to the profile did the trick.
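An added example of the kind of profile-based control this thread converges on; it is not code from any post here. Placed in the oracle account's .profile, it lets the session continue only when it arrived via su from another account, so /var/adm/sulog records the real user. It assumes HP-UX's POSIX sh with who, awk and logger available, and that `who am i` reports the original login name of the session's tty (it prints nothing for sessions without a controlling tty, which the check treats as a direct login).

```shell
#!/bin/sh
# Added example: deny direct logins to a service account (e.g. "oracle") and
# allow it only through su from a real user account. Source this from the
# account's .profile; "exit 1" in a login profile ends the session.
# Assumption: `who am i` gives the real login user of the tty, while $LOGNAME
# is the account whose profile is running. Equal on a direct login, different
# after su from another account.

# Policy decision, kept separate so it can be exercised without a tty.
# $1 = real login user (from `who am i`), $2 = account being entered.
# Returns 0 when the session came via su from another user, 1 otherwise.
su_only_allowed() {
    real_user=$1
    target=$2
    if [ -z "$real_user" ]; then
        # no controlling tty / unknown origin: treat as direct access, deny
        return 1
    fi
    if [ "$real_user" = "$target" ]; then
        # the tty was logged in as the service account itself: direct login
        return 1
    fi
    return 0
}

# Enforcement hook for the login profile.
enforce_su_only() {
    target=${LOGNAME:-$(id -un)}
    # `who am i` prints "name tty date ..."; keep the first field only
    real_user=$(who am i 2>/dev/null | awk '{print $1}')
    if ! su_only_allowed "$real_user" "$target"; then
        logger -p auth.warning -t su-only \
            "direct login to $target denied (origin: ${real_user:-unknown})"
        echo "Direct login to $target is not permitted; use su from your own account."
        exit 1
    fi
    # allowed: su has already written the real user to /var/adm/sulog
}
```

Append a call to enforce_su_only as the last line of the account's .profile. A profile only runs for login shells, so this complements, rather than replaces, the SU_ROOT_GROUP-style restrictions and sulog review discussed above.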