
Securing-Optimizing-RH-Linux-1_2_41
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 41

In a safe environment, where we are sure that the console is secured because passwords for BIOS and LILO are set and all physical power and reset switches on the system are disabled, it may be advantageous to entirely disable all console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server. To do this, run the following command:

[root@deep /]# rm -f /etc/security/console.apps/<servicename>

Where <servicename> is the name of the program to which you wish to disable console-equivalent access. Unless you use xdm, however, be careful not to remove the xserver file, or no one but root will be able to start the X server. (If you always use xdm to start the X server, root is the only user that needs to start X, in which case you might actually want to remove the xserver file.) As an example:

[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver (if removed, root will be the only user able to start X)

This will disable console-equivalent access to the programs halt, poweroff, reboot, and shutdown. Once again, the xserver entry applies only if you have installed the X Window interface on your system.

NOTE: If you are following our setup installation, the X Window interface is not installed on your server and all the files described above will not appear in the “/etc/security” directory, so don’t pay attention to the above steps.

9. Disabling all console access

The Linux-PAM library, installed by default on your system, allows the system administrator to choose how applications authenticate users, for example for console access, program access and file access.
In order to disable all these accesses for the users, you must comment out all lines that refer to pam_console.so in the files of the “/etc/pam.d/” directory. This step is the continuation of the above hack “8. Disabling console program access”. The following script will do the trick automatically for you. As “root”, create the disabling.sh script file (touch disabling.sh) and add the following lines inside:

#!/bin/sh
# Comment out every active line that refers to pam_console.so in /etc/pam.d.
cd /etc/pam.d || exit 1
for i in * ; do
    # Prefix with '#' only the lines that are not already comments.
    sed '/^[^#].*pam_console.so/s/^/#/' < "$i" > foo && mv foo "$i"
done

Make this script executable with the following command and execute it:

[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh

This will comment out all lines that refer to “pam_console.so” in all files located under the “/etc/pam.d” directory. Once the script has been executed, you can remove it from your system.

10. The “/etc/inetd.conf” file
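Before moving on, here is an added helper for hacks 8 and 9 above (example code, not from the book): it reports PAM files that still carry an active pam_console.so line, comments them out in place, and lists console.apps entries that still exist. The directory arguments, the function names and the sample PAM files it builds are assumptions made for this example.

```shell
#!/bin/sh
# Added audit/repair helper for hacks 8 and 9 (not from the book). Takes
# directory arguments so it can be tried on constructed sample files first,
# then pointed at the real /etc/pam.d and /etc/security/console.apps.

# Print every file in $1 with an active pam_console.so line; return 1 if any.
audit_pam_console() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # '^[^#]*' forbids a '#' anywhere before the module name, so lines
        # that are already commented out are not reported.
        if grep -q '^[^#]*pam_console\.so' "$f"; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Comment out active pam_console.so lines in every file of $1. Writing back
# with cat keeps each file's original owner and mode (mv would replace them).
disable_pam_console() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        tmp=$(mktemp) || return 1
        sed '/^[^#]*pam_console\.so/s/^/#/' "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
    done
}

# List console-equivalent programs still enabled, i.e. entries in $1
# (normally /etc/security/console.apps) that have not been removed.
list_console_apps() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

# Constructed sample /etc/pam.d: one active reference, one already commented,
# one file without pam_console.so. Prints the directory path.
make_sample_pamd() {
    d=$(mktemp -d) || exit 1
    printf 'auth sufficient pam_console.so\nauth required pam_pwdb.so shadow\n' > "$d/halt"
    printf '#auth sufficient pam_console.so\nauth required pam_pwdb.so\n' > "$d/reboot"
    printf 'auth required pam_pwdb.so\n' > "$d/login"
    echo "$d"
}
```

On a real server, run audit_pam_console /etc/pam.d and list_console_apps /etc/security/console.apps after the two hacks; both should print nothing.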