Old 04-03-2017, 02:01 PM   #1
crazy8tz
LQ Newbie
 
Registered: Apr 2017
Posts: 8

How to deny root login from VMware vCenter console


I need to deny direct logon access for root through the VMware vCenter VM console for several servers and need some expert assistance.

I found an article where I can deny root login access across the board by editing the /etc/passwd file and adding /sbin/nologin to the root record, but that also seems to prevent su to root from a different account.

If you know a better way, please assist. Thank you in advance.
 
Old 04-03-2017, 03:18 PM   #2
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,094

Which distro are you using and which version?


I think what you're looking for is "Disabling root access using any console device (tty)" as described at
https://access.redhat.com/documentat...ot_Access.html

If you disable root from any console, do you have another way to get root access on the machine in event of problems?

I'm curious why you need to prevent root via the VMware vCenter VM console. Isn't authentication required to access that? Do you not trust the people who have access to your VMware environment? Servers I manage in a vSphere environment have root login locked out via SSH but allow it via the console in case we need to get in that way for some reason. The console can only be accessed by a few users and the vSphere environment only allows login from a few IP address ranges.

Edit: Do the servers have root login via SSH enabled? It is enabled on Red Hat 7 and CentOS 7 by default. That seems like something more to worry about than console access.

Last edited by arizonagroovejet; 04-03-2017 at 03:20 PM. Reason: typo fix and bit about SSH.
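The approach named in the post above (root denied on every console device) comes down to an empty /etc/securetty enforced by pam_securetty, and it does not cover SSH. The shell audit below is an added example, not part of the thread; it assumes RHEL 6 default paths, and `audit_root_login`, `make_fixture` and the ROOT prefix argument are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the RHEL 6-style files behind
# "no root on any console" plus the SSH setting the posters mention.
# Usage: audit_root_login [ROOT]   ROOT is an optional path prefix (assumption:
# a mounted image or a test fixture); empty means the live system.
# Returns the number of failed checks.
audit_root_login() {
    root="${1:-}"; fails=0

    # 1. pam_securetty only lets root log in on ttys listed in /etc/securetty.
    #    Empty file: root denied on every console. Missing file: root allowed anywhere.
    st="$root/etc/securetty"
    if [ ! -f "$st" ]; then
        echo "FAIL: $st is missing, so root may log in on any tty"; fails=$((fails+1))
    elif grep -Eqv '^[[:space:]]*(#|$)' "$st"; then
        echo "FAIL: $st still lists: $(grep -Ev '^[[:space:]]*(#|$)' "$st" | tr '\n' ' ')"
        fails=$((fails+1))
    else
        echo "OK:   $st lists no devices"
    fi

    # 2. The empty file only matters if the console login stack calls pam_securetty.
    pam="$root/etc/pam.d/login"
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$pam" 2>/dev/null; then
        echo "OK:   $pam calls pam_securetty.so"
    else
        echo "FAIL: $pam has no active pam_securetty.so auth line"; fails=$((fails+1))
    fi

    # 3. securetty does not cover SSH; sshd uses the first PermitRootLogin it reads.
    cfg="$root/etc/ssh/sshd_config"
    val=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$cfg" 2>/dev/null) || val=""
    if [ "$val" = "no" ]; then
        echo "OK:   $cfg sets PermitRootLogin no"
    else
        echo "FAIL: $cfg PermitRootLogin is '${val:-unset}'"; fails=$((fails+1))
    fi

    return "$fails"
}

# Constructed sample tree (not a real host) in the compliant state, for trying the audit.
make_fixture() {
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh"
    : > "$1/etc/securetty"
    echo 'auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' > "$1/etc/pam.d/login"
    echo 'PermitRootLogin no' > "$1/etc/ssh/sshd_config"
}
```

Run `audit_root_login` with no argument as root on the server itself. Neither check affects `su` or `sudo` from an already logged-in account, which is the recovery path the thread relies on.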
 
Old 04-03-2017, 03:44 PM   #3
crazy8tz
LQ Newbie
 
Registered: Apr 2017
Posts: 8

Original Poster
Thank you for the link, arizonagroovejet. I believe that will achieve the desired results. Here are my responses to your questions.

"Which distro are you using and which version?" Oracle (Red Hat) Linux 6.5

"If you disable root from any console, do you have another way to get root access on the machine in event of problems?" Just console with a sudoer or if possible, SSH (also with a sudoer).

"I'm curious why you need to prevent root via the VMware vCenter VM console." Since we are a retailer, it is required in order to be SOX compliant. I posed the same exact concerns you did and was told that it is still a requirement.

"Do the servers have root login via SSH enabled? It is enabled on Red Hat 7 and CentOS 7 by default. That seems like something more to worry about than console access." I have already denied root access via SSH.
 
Old 04-03-2017, 03:57 PM   #4
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,094

Is Oracle Linux 6.5 still supported? I can't find that information online but since it's a downstream of Red Hat seems like it should be EOL for a couple of years or so.
 
Old 04-03-2017, 06:25 PM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Seems to me you should maybe control who has access to VMWare?

Just sayin'
 
Old 04-04-2017, 08:38 AM   #6
crazy8tz
LQ Newbie
 
Registered: Apr 2017
Posts: 8

Original Poster
Quote:
Originally Posted by arizonagroovejet
Is Oracle Linux 6.5 still supported? I can't find that information online but since it's a downstream of Red Hat seems like it should be EOL for a couple of years or so.
I believe it has support until 2020.
 
Old 04-04-2017, 08:47 AM   #7
crazy8tz
LQ Newbie
 
Registered: Apr 2017
Posts: 8

Original Poster
Quote:
Originally Posted by Habitual
Seems to me you should maybe control who has access to VMWare?

Just sayin'
Oh, we do indeed control who has access to vCenter, and the number of users is very small. Unfortunately, SOX auditing is not that cut and dry. I am pushing back on this item stating that control is managed through vCenter access, but if they reject our counter, we have to do what they say. SOX compliance drives company stock up or down based on scoring, so it's best to do as you're told or the Board gets angry when that needle drops a half a tick.
 
Old 04-04-2017, 09:20 AM   #8
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,474

Quote:
Originally Posted by crazy8tz
I'm curious why you need to prevent root via the VMware vCenter VM console. Since we are a retailer, it is required in order to be SOX compliant. I posed the same exact concerns you did and was told that it is still a requirement.
Who told you disabling console access was a requirement? Did you actually hear it from a SOX Auditor? I've been in companies that have been audited to a number of standards (most recently PCI-DSS 3) and logins via a console have never been a problem as long as there are sufficient access controls and procedures as to who can get at the console. Anything that seems excessive, check with the actual auditor, not whichever middle-manager is driving the process.
 
Old 04-09-2017, 07:34 AM   #9
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,094

Quote:
Originally Posted by crazy8tz
I believe it has support until 2020.
Red Hat Enterprise Linux 6 has support until 2020. 6.5 does not. Presumably part of the SOX thing specifies that your OS must be supported by vendor though and if you are running an EOL version that will be flagged.
 
  

