Administrator's Guide

2.11 Protecting the root Account
Following are suggestions for protecting the root account:
• Do not share the root password.
• Do not use / as the root home directory.
• Examine output from last -R and lastb -R for unusual or failed root logins and to see who has logged in as root.
• Examine /var/adm/sulog for attempts to use the su root command.
• Look for unauthorized accounts with a UID of zero (0); use the logins -d command.
The following sections discuss how to protect the root account in more detail.
2.11.1 Monitoring root Account Access
If you have two or more system administrators who need root access, following are some suggestions for how to track them:
• Allow direct root logins only on the system console. Create the /etc/securetty file with the single entry, console, as follows:
  # echo console > /etc/securetty
  This restriction applies to all login names that have a UID of zero (0). See login(1) for more details.
• Require administrators to use the su root command from their personal account to access root. For example:
  login: me
  $ su root
  password: xxxx
  Monitor /var/adm/sulog to see who has accessed root using su.
• Configure a separate root account for each system administrator:
  # vipw
  root:xxx:0:3::/home/root:/sbin/sh
  root1:xxx:0:3::/home/root1:/sbin/sh
  root2:xxx:0:3::/home/root2:/sbin/sh
  Monitor each system administrator's history file as follows:
  # more ~root1/.sh_history
  # more ~root2/.sh_history
• Monitor successful and failed su attempts in /var/adm/syslog.
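The two checks this section and the list above rely on, reviewing /var/adm/sulog for su root attempts and looking for extra UID 0 accounts, can be scripted. The following is an added example, not part of the HP-UX guide; it assumes the sulog line format "SU MM/DD HH:MM +|- tty from-to" and uses portable awk in place of the logins -d command, running against constructed sample files rather than the live system.

```sh
#!/bin/sh
# Added example (not from the HP-UX guide): audit su-to-root attempts in a
# sulog-format file and list every UID 0 account in a passwd file.
# Assumes the HP-UX sulog line format: SU MM/DD HH:MM +|- tty from-to
# (+ = success, - = failure). The sample files below are constructed.

SAMPLE_DIR=${TMPDIR:-/tmp}/root-audit-sample
mkdir -p "$SAMPLE_DIR"

# Constructed sulog: four su attempts, three of them targeting root
cat > "$SAMPLE_DIR/sulog" <<'EOF'
SU 03/14 08:02 + pts/1 me-root
SU 03/14 08:30 - pts/2 guest-root
SU 03/14 09:10 + pts/1 me-oracle
SU 03/15 22:47 - console bob-root
EOF

# Constructed passwd: two expected root accounts and one unexpected UID 0
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:xxx:0:3::/home/root:/sbin/sh
root1:xxx:0:3::/home/root1:/sbin/sh
daemon:*:1:5::/:/sbin/sh
hidden:xxx:0:20::/tmp:/sbin/sh
me:xxx:101:20::/home/me:/usr/bin/sh
EOF

# One line per su attempt whose target is root: date time OK|FAILED from tty
su_root_attempts() {
    awk '$1 == "SU" {
            split($6, u, "-")
            if (u[2] == "root")
                printf "%s %s %s %s %s\n", $2, $3,
                       ($4 == "+" ? "OK" : "FAILED"), u[1], $5
         }' "$1"
}

# Number of failed su-to-root attempts (awk, so an empty result is 0, not an error)
failed_su_root_count() {
    su_root_attempts "$1" | awk '$3 == "FAILED" { n++ } END { print n + 0 }'
}

# Every login name whose UID field is numerically zero ("0", "00", ...)
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' "$1"
}

echo "su attempts targeting root:"
su_root_attempts "$SAMPLE_DIR/sulog"
echo "failed su-to-root attempts: $(failed_su_root_count "$SAMPLE_DIR/sulog")"
echo "UID 0 accounts: $(uid0_accounts "$SAMPLE_DIR/passwd" | tr '\n' ' ')"
```

Any name the UID 0 listing reports beyond the root accounts you deliberately created in vipw is one to investigate.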
2.11.2 Using the Restricted SMH Builder for Limited Superuser Access
If you need to give limited superuser access to a nonsuperuser, you can activate the
Restricted SMH Builder. Using the Restricted SMH Builder, you can enable or disable
selected SMH areas for the user. To activate the Restricted SMH Builder, enter:
58 Administering User and System Security