root access

Hello

I have a question.

I have a box with AIX 5.3 and I want to disable direct root access from any terminal or console. I mean, if I want to log in to 10.10.10.10

login:root
password *********

Root access is not permitted

Which file do I have to edit so that users first log in with their own user and then su - to switch to root?

Thanks for your comments

# chuser rlogin=false login=false root

In case the server is located in a locked room, I'd leave local root login enabled.
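The chuser command above writes login=false and rlogin=false into root's stanza in /etc/security/user. The following is an added example, not part of this thread: a small POSIX shell audit that parses an AIX-style stanza file and reports whether direct root login is actually disabled. The two sample files it reads are constructed; on a real box you would point it at /etc/security/user.

```shell
# Added example, not from the thread: audit an AIX-style /etc/security/user
# stanza file to check that direct root login is disabled, i.e. that the effect
# of "chuser rlogin=false login=false root" is in place. Samples are constructed.

# stanza_attr FILE USER ATTR: print ATTR for USER, falling back to the
# "default" stanza when the user's own stanza does not set it.
stanza_attr() {
    awk -v user="$2" -v attr="$3" '
        /^\*/ { next }                        # "*" starts a comment line
        /^[A-Za-z0-9_.-]+:[ \t]*$/ {          # stanza header, e.g. "root:"
            stanza = $1; sub(/:$/, "", stanza); next }
        /^[ \t]+[A-Za-z_]+[ \t]*=/ {          # attribute line, e.g. "login = false"
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (split(line, kv, /[ \t]*=[ \t]*/) == 2 && kv[1] == attr)
                val[stanza] = kv[2] }
        END {
            if (user in val) print val[user]
            else if ("default" in val) print val["default"]
            else print "unset" }' "$1"
}

# direct_root_login_disabled FILE: succeed only when root has both
# login=false (local tty/console) and rlogin=false (remote logins).
direct_root_login_disabled() {
    [ "$(stanza_attr "$1" root login)" = false ] &&
    [ "$(stanza_attr "$1" root rlogin)" = false ]
}

# Constructed "before" state: root inherits login/rlogin=true from default.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
* constructed sample of /etc/security/user
default:
        login = true
        rlogin = true
root:
        admin = true
EOF
# Constructed "after" state: root's stanza once the chuser command has run.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
default:
        login = true
root:
        login = false
        rlogin = false
EOF
for f in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    direct_root_login_disabled "$f" && echo "$f: direct root login disabled" || echo "$f: direct root login still possible"
done
```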

Hi,

I'm an inexperienced AIX admin, so I was wondering: is it a good idea to totally stop root access? Is it OK just to leave it so you can only su to root? I can see the benefits, but just wondered if it would cause any problems.

Also, do you need to have the CDE running, or stop that as well so that there is no console, only, say, ssh access?

This paper will give you a concise load of information about AIX security: http://packetstorm.syrex.com/papers/unix/AIX_Security.pdf

CDE costs you performance. Don't use it if you don't have to.

That depends on what you want to achieve: usually the direct root access is forbidden to force admins to use "su" or some "sudoed" variant of it. The reason is that this event (someone issuing "su" to become root) is traceable and therefore auditable. If, say, ten people are logged in as root and someone does something really stupid you can't determine who that was from machine logs. By the way: "auditable" doesn't mean "more secure". "Auditable" means you can blame someone - after having done something really stupid. :wink:

See above. Exactly this (root access only permitted via "su") is what the given command is providing. The benefits, btw., are quite limited, IMHO: if an admin does want to hurt you, s/he can as well edit the logs and destroy his/her traces. Therefore this is not a security measure against the malevolent ones but against the malevolent AND extremely silly ones - you wouldn't have hired them in the first place if they were extremely silly, would you?

On the other hand people do make errors. If there are no malevolent admins in your staff and disaster strikes, because, basically, shit happens - you will have to ask yourself if blaming someone for it in public really will make things better.

CDE is just a GUI, not a console. Of course you can switch it off ("/usr/dt/bin/dtconfig -d" or "smitty dtconfig" to do it via SMIT), but doing so changes only the behavior of a terminal, not its existence. Instead of the CDE login screen you will see the "herald" (configurable in /etc/security/login) and the "login:" prompt, but essentially you can do the same there as you can do on the CDE login screen.

My suggestion: switch it off! It is a resource hog and has no benefit anyways.

A "console" is a special case of a terminal: a terminal which is physically attached to the machine it belongs to. This is the case, for instance, with a serial terminal directly connected via a nullmodem cable to the serial connector of the machine. Switching this way of access off is possible but makes sense only for machines not situated in a (locked) data center. For the usual case of restricted physical access to the machines (data center, etc.) this is only useful as a PITA device for the service technicians and SysAdmins.

I hope this helps.

bakunin