Security on the target system

You can limit access to terminals on the target systems, control root logins, and log logon activities.

Limiting access to terminal devices

You can configure which z/VM® guest virtual machines can connect to your terminal devices. You can specify a separate set of permitted z/VM guest virtual machines for each iucvtty instance. You can also specify one additional set of permitted z/VM guest virtual machines that applies to all HVC terminal devices on the target system.

Controlling root logins

Whether direct root logins are permitted on terminal devices depends on the login program.

For example, the default login program for iucvtty instances and HVC terminal devices, /bin/login, restricts root logins. With /bin/login, root logins are allowed only on devices for which a device node is listed in /etc/securetty.

To enable direct root logins on HVC terminal devices that use /bin/login, you can add the respective device nodes to /etc/securetty.

Because iucvtty instances use pseudo terminal devices with dynamically assigned device nodes, enabling root logins on iucvtty instances that use /bin/login constitutes a potential security exposure. If you need root access through an iucvtty instance, log in as a general user and then change to root, for example, with the su command.

For security risks associated with other login programs, see the documentation for the login program.

Depending on the Linux setup, pam_securetty might further restrict root logins on particular terminal devices.
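
The following check is an added example, not part of the original documentation. It reads a securetty-style file, reports the HVC terminal devices on which direct root login is enabled, and flags pseudo terminal entries, which are the exposure described above for iucvtty instances. The function names, the pts/* pattern, and the sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a securetty-style file for direct root logins.
# Assumed format (securetty(5)): one terminal name per line, without
# the /dev/ prefix; lines starting with '#' are comments.

# Print "CLASS name" for each entry: HVC, PTS (pseudo terminal) or OTHER.
classify_securetty() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    sed -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r tty; do
        case $tty in
            '')        ;;
            hvc[0-9]*) echo "HVC $tty" ;;
            pts/*)     echo "PTS $tty" ;;
            *)         echo "OTHER $tty" ;;
        esac
    done
}

# Report the findings; return 1 if root login is enabled on any pseudo
# terminal, the exposure described for iucvtty instances.
audit_securetty() {
    report=$(classify_securetty "$1") || return 2
    printf '%s\n' "$report" | awk '
        $1 == "HVC" { print "root login enabled on HVC terminal: " $2 }
        $1 == "PTS" { print "EXPOSURE: root login enabled on pseudo terminal: " $2; bad = 1 }
        END { exit bad }'
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'tty1' 'hvc0' 'hvc1' 'pts/0' > "$sample"
status=0
audit_securetty "$sample" || status=$?
echo "audit status: $status"
rm -f "$sample"
```

To check a live system, call audit_securetty /etc/securetty; a return value of 1 means that at least one pseudo terminal entry is present.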

Logging

All requests to access an iucvtty instance are logged to syslog.

All refused attempts to access an iucvtty instance or an HVC terminal device are logged to syslog.