Disabling direct root login

To avoid this type of attack, you can disable direct access to your root ID and then require your system administrators to obtain root privileges by using the su - command. In addition to permitting you to remove the root user as a point of attack, restricting direct root access permits you to monitor which users gained root access, as well as the time of their action. You can do this by viewing the /var/adm/sulog file. Another alternative is to enable system auditing, which will report this type of activity.

To disable remote login access for your root user, edit the /etc/security/user file. Specify False as the rlogin value on the entry for root.

Before you disable the remote root login, examine and plan for situations that would prevent a system administrator from logging in under a non-root user ID. For example, if a user's home file system is full, the user would not be able to log in. If the remote root login were disabled and the user who could use the su - command to change to root had a full home file system, root could never take control of the system. This issue can be bypassed by system administrators creating home file systems for themselves that are larger than the average user's file system.