Hi
We used the bastion11 checklist as the foundation for tightening up a system. For root, I asked the same question on how to restrict - here is the thread:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xaf7e37f45ef7d4118fef0090279cd0f9,00.htmlHere are the excerpts from that thread that might help...
There is now way that I know of to restrict the su capability that is native to HP-UX. The easiest thing that comes to mind is just not giving out the password. If you don't want them to do a 'su -' then why give them the password?
Another option you have though is to use the product called 'sudo'. You can get it from the HP-UX Porting center. Here is a link to it:
http://www.courtesan.com/sudo Sudo allows you to set people up with the capability to run things with root capability without having to give out the root password or give out full 'su -' access.
sudo is a way to limit who has root access. In the sudoers file you can have something like the line below to prevent root access;
Cmnd_Alias SU=/usr/bin/su, !/usr/bin/su *root*, !/usr/bin/su "",!/usr/bin/su -
Also, I have put in something for rlogin as well. If you are root one one system and do rlogin to another system, you are root on the other system as well.
The above Cmnd_Alias will prevent specified users from becoming UID=0 unless they are in the sudoers file as having the rights to UID=0.
regards,
~pf
