How to Restrict and Monitor root Logins
This method immediately detects root attempts to access the local system.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Example 3-5 Logging root Access Attempts
In this example, root attempts are not being logged by SYSLOG. Therefore, the administrator is logging those attempts by removing the comment from the #CONSOLE=/dev/console entry in the /etc/default/su file.
    # CONSOLE determines whether attempts to su to root should be logged
    # to the named device
    #
    CONSOLE=/dev/console
When a user attempts to become root, the attempt is printed on the terminal console.
SU 09/07 16:38 + pts/8 jdoe-root
Troubleshooting: To become root from a remote system when the /etc/default/login file contains the default CONSOLE entry, users must first log in with their user name. After logging in with their user name, users then can use the su command to become root.
If the console displays an entry similar to Last login: Thu Sep 7 15:13:11 2017 from system2, then the system is configured to permit remote root logins. To prevent remote root access, change the #CONSOLE=/dev/console entry to CONSOLE=/dev/console in the /etc/default/login file. To find out how to return the ssh protocol to the default, see the sshd_config(5) man page.
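The following script is an added example, not part of the Oracle documentation. It reports whether the CONSOLE entry in /etc/default/su and /etc/default/login is active or still commented out, and summarizes su records in the format shown above. The function names and all sample records except the jdoe line are constructed, and the script assumes that the + or - field marks a successful or failed attempt, as in sulog records.

```shell
#!/bin/sh
# Added example: audit the CONSOLE entry and summarize su-to-root records.

# console_state FILE
# Prints "active:<device>" if FILE has an uncommented CONSOLE= entry,
# "commented" if only a #CONSOLE= entry exists, otherwise "absent".
console_state() {
    awk '
        /^[ \t]*CONSOLE=/        { sub(/^[ \t]*CONSOLE=/, ""); found = 1; dev = $0 }
        /^[ \t]*#[ \t]*CONSOLE=/ { commented = 1 }
        END {
            if (found)          print "active:" dev
            else if (commented) print "commented"
            else                print "absent"
        }' "$1"
}

# su_root_attempts
# Reads su records (SU date time result tty from-to) on stdin and prints
# "<result> <user> <tty> <date> <time>" for every attempt to become root.
su_root_attempts() {
    awk '$1 == "SU" && NF == 6 && $6 ~ /-root$/ {
        user = $6; sub(/-root$/, "", user)   # login names may contain "-"
        result = ($4 == "+") ? "ok" : (($4 == "-") ? "FAILED" : "unknown")
        print result, user, $5, $2, $3
    }'
}

# Constructed sample records; only the first line appears on the page.
sample='SU 09/07 16:38 + pts/8 jdoe-root
SU 09/07 16:41 - pts/9 asmith-root
SU 09/07 16:45 + pts/8 jdoe-oracle'

printf '%s\n' "$sample" | su_root_attempts

# Report the CONSOLE setting of both files when they exist on this system.
for f in /etc/default/su /etc/default/login; do
    if [ -r "$f" ]; then
        printf '%s: %s\n' "$f" "$(console_state "$f")"
    fi
done
```

A result of "commented" for /etc/default/su means su attempts are not printed on the console, and "commented" for /etc/default/login corresponds to the remote root login case described in the troubleshooting note.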