HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Protecting the root Account


Following are suggestions for protecting the root account:

  • Do not share the root password.

  • Do not use / as the root home directory.

  • Examine output from last -R and lastb -R for unusual or failed root logins and to see who has logged in as root.

  • Examine /var/adm/sulog for attempts to use the su root command.

  • Look for unauthorized accounts with a UID of zero (0); use the logins -d command.

The following sections discuss how to protect the root account in more detail.

Monitoring root Account Access

If two or more system administrators need root access, the following suggestions help you track their use of it:

  • Allow only direct root logins on the system console. Create the /etc/securetty file with the single entry, console, as follows:

    # echo console > /etc/securetty

    This restriction applies to all login names that have a UID of zero (0). See login(1) for more details.

  • Require administrators to use the su root command from their personal account to access root. For example:

    login: me
    $ su root
    password: xxxx

  • Monitor /var/adm/sulog to see who has accessed root using su.

  • Configure a separate root account for each system administrator.

    # vipw
    root:xxx:0:3::/home/root:/sbin/sh
    root1:xxx:0:3::/home/root1:/sbin/sh
    root2:xxx:0:3::/home/root2:/sbin/sh

  • Monitor each system administrator's history file as follows:

    # more ~root1/.sh_history
    # more ~root2/.sh_history

  • Monitor successful and failed su attempts in /var/adm/syslog.

Using the Restricted SMH Builder for Limited Superuser Access

If you need to give limited superuser access to a nonsuperuser, you can activate the Restricted SMH Builder. Using the Restricted SMH Builder, you can enable or disable selected SMH areas for the user. To activate the Restricted SMH Builder, enter:

# smh -r

When users with restricted access execute SMH, they will have superuser status in the defined areas and will only see those SMH areas in the menu. All other areas of SMH will be hidden from the user. When users without access permissions execute SMH, they will receive an error message stating they must be superuser.

You can also add more applications to SMH and set them up for restricted access.

Reviewing Superuser Access

The /var/adm/sulog file logs all attempts of the su root command including failures. Successful attempts are flagged with a plus (+) and failures are flagged with a minus (-). Only root can view the /var/adm/sulog file. For example:

# su root
# ll /var/adm/sulog
-rw------- 1 root root 690 Aug 17 19:37 /var/adm/sulog

In the following example, userone has successfully used the su command to access root. A second user, usertwo, has not been successful. In addition, usertwo has not been successful in using su to access gooduser1 either.

# more /var/adm/sulog
SU 08/17 19:10 + 0 userone-root
SU 08/17 19:36 - 0 usertwo-root
SU 08/17 19:36 - 0 usertwo-root
SU 08/17 19:36 + 0 userone-root
SU 08/17 19:37 - 0 usertwo-gooduser1
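
The following is an added example, not part of the HP documentation: a POSIX sh and awk summary of sulog records that counts successes and failures for each user and target account and lists the pairs that failed without ever succeeding. It assumes the six-field record layout of the sample above and that login names contain no hyphen; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize su activity per source user and target account.
# Assumed record layout, taken from the sample listing on this page:
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>

# su_summary [FILE]: reads FILE (or stdin) and prints, sorted,
#   "<from> <to> ok=<n> fail=<n>" for every from/to pair seen.
su_summary() {
    awk '
        $1 == "SU" && NF >= 6 && ($4 == "+" || $4 == "-") {
            # Split at the first hyphen (assumes login names contain none).
            i = index($6, "-")
            if (i < 2 || i == length($6)) next
            key = substr($6, 1, i - 1) " " substr($6, i + 1)
            seen[key] = 1
            if ($4 == "+") ok[key]++
            else fail[key]++
        }
        END {
            for (k in seen) printf "%s ok=%d fail=%d\n", k, ok[k], fail[k]
        }
    ' "$@" | sort
}

# su_suspects [FILE]: pairs that failed at least once and never succeeded,
# the entries to review first.
su_suspects() {
    su_summary "$@" | awk '$3 == "ok=0" { print $1 " -> " $2 " (" $4 ")" }'
}

# The sample records shown on this page.
sample_sulog() {
    cat <<'EOF'
SU 08/17 19:10 + 0 userone-root
SU 08/17 19:36 - 0 usertwo-root
SU 08/17 19:36 - 0 usertwo-root
SU 08/17 19:36 + 0 userone-root
SU 08/17 19:37 - 0 usertwo-gooduser1
EOF
}

# Demo on the sample; on a live system, as root: su_suspects /var/adm/sulog
sample_sulog | su_suspects
```

On the sample records this reports usertwo against both root and gooduser1, matching the reading of the listing given above.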

© 2008 Hewlett-Packard Development Company, L.P.