SUMMARY: Disabling root logins (except su)

From: Jerome F Trimbach/DXST/74014/346 <jt42_at_naic.wpafb.af.mil>
Date: Wed, 02 Sep 1998 15:32:06 -0400

Thanks to:
        Stan Horwitz <stan_at_thunder.ocis.temple.edu>
        adunn_at_nswc.navy.mil
        Martin Mokrejs <mmokrejs_at_natur.cuni.cz>
        Russ Fish <Russ_Fish_at_idx.com>
        PHETPHONE D CHANTHAVONG <CHANTHP_at_POLAROID.COM>
        Donn Aiken <daiken_at_regents.edu>
        Stephen LaBelle <labelles_at_mscd.edu>
        C.Ruhnke <i769646_at_smrs013a.mdc.com>

The original question:
I have a requirement to disable root logins on Digital UNIX systems running
4.0c and enhanced security. The idea is to force someone to log in to their
regular accounts and su to root so that auditing can be done under their
personal uid. I believe the way to do this under standard security would be to
delete all the entries in but the docs on advanced security
are rather sketchy.

Most of the solutions I received were variations on modifications to
/etc/securettys, and after some experimentation I have removed all entries from
that file. Doing this prohibits root logins in any case (except single-user
mode). This was necessary since the site security requirements prohibit any
root logons, even from the console terminal.

Stan Horwitz kindly informed me about a public domain package, tcp-wrappers,
that sits between the TCP/IP ports and the daemons that scan them to control
access through the ports. Also, Stephen LaBelle suggested auditing all console
activity - a good idea which I have already implemented. Finally, Chris Ruhnke
warned me that some daemons behave funny if they are not owned by root when
they are restarted.

Thanks again,
Received on Wed Sep 02 1998 - 19:37:25 NZST
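
A check for the end state described in the summary above (a securettys file with no entries left in it), as an added example that is not part of the original post. The function names, return codes and the file-permission check are choices made for this example; a missing file is reported as its own finding because the post does not say how the system treats that case.

```shell
#!/bin/sh
# Added example: audit a securettys-style file for a "no direct root logins" policy.
# Return codes (chosen for this example):
#   0 = file exists, lists no terminals, and is not group/world writable
#   1 = file lists at least one terminal
#   2 = file is missing (treated as a finding, behaviour not assumed)
#   3 = file is writable by group or others

# Print every non-blank line; each one is counted as a terminal entry.
securettys_entries() {
    awk 'NF' "$1"
}

check_securettys() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "FINDING: $file does not exist" >&2
        return 2
    fi
    entries=$(securettys_entries "$file")
    if [ -n "$entries" ]; then
        echo "FINDING: $file still lists terminals:" >&2
        echo "$entries" | sed 's/^/    /' >&2
        return 1
    fi
    # Mode string from ls, e.g. -rw-r--r--; characters 6 and 9 are g+w and o+w.
    mode=$(ls -ld "$file" | awk '{print $1}')
    case $mode in
        ?????w*|????????w*)
            echo "FINDING: $file is writable by group or others ($mode)" >&2
            return 3 ;;
    esac
    echo "OK: $file has no entries"
    return 0
}

# When a path is given on the command line, check it and exit with the result.
[ $# -eq 0 ] || check_securettys "$1"
```

Run it as `sh check_securettys.sh /etc/securettys` (the script name is arbitrary); an empty file that anyone can write to is reported because an entry could simply be added back.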
