How to deny root login from VMware vCenter console
I need to deny direct logon access for root through the VMware vCenter VM console for several servers and need some expert assistance.
I found an article where I can deny root login access across the board by editing the /etc/passwd file and adding /sbin/nologin to the root record, but that also seems to prevent su to root from a different account.
If you know a better way, please assist. Thank you in advance.
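One approach that denies root a direct login at the VM console without breaking su, added here as an example and not code from anyone in the thread: pam_securetty. On a stock RHEL/Oracle Linux 6 install, /etc/pam.d/login calls pam_securetty.so, which lets root log in only if the tty name is listed in /etc/securetty; /etc/pam.d/su does not use that module, so a sudoer can still log in as themselves and then `su -`. The vCenter text console is a virtual console (tty1..tty6), so dropping the ttyN/vc/N lines from /etc/securetty is enough. The script below works on constructed copies of the files in a temp directory (the paths, sample contents and function names are this example's own assumptions) so it can be run safely anywhere; point the functions at the real files to audit a host.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock RHEL/Oracle Linux 6
# PAM layout: /etc/pam.d/login uses pam_securetty.so, /etc/pam.d/su does not.

# securetty_allows_root FILE TTY -> exit 0 if pam_securetty would let root log
# in on TTY. A missing file means "allow everywhere", matching the module.
securetty_allows_root() {
    file=$1; tty=$2
    [ -f "$file" ] || return 0
    grep -qx -- "$tty" "$file"
}

# harden_securetty IN OUT -> copy IN to OUT with the virtual-console entries
# (ttyN and vc/N, what the vCenter VM console presents) removed. Serial and
# hypervisor consoles (ttyS0, hvc0) and the "console" entry are left alone.
harden_securetty() {
    in=$1; out=$2
    grep -Ev '^(tty[0-9]+|vc/[0-9]+)$' "$in" > "$out" || true   # grep -v exits 1 if nothing is left
}

# login_uses_securetty PAMFILE -> exit 0 if the login PAM stack actually
# consults pam_securetty (otherwise editing /etc/securetty does nothing).
login_uses_securetty() {
    grep -Eq '^[[:space:]]*auth.*pam_securetty\.so' "$1"
}

# sshd_permit_root_login FILE -> print the effective PermitRootLogin value.
# sshd honours the FIRST occurrence; if the keyword is absent the default is
# "yes", which is why a freshly installed RHEL/CentOS box allows root over SSH.
sshd_permit_root_login() {
    val=$(awk 'tolower($1)=="permitrootlogin" {print $2; exit}' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# --- constructed sample files, modelled on the stock RHEL 6 contents ---
demo() {
    d=$(mktemp -d)
    printf 'console\ntty1\ntty2\ntty3\nvc/1\nvc/2\nttyS0\nhvc0\n' > "$d/securetty"
    printf 'auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so\nauth include system-auth\n' > "$d/login"
    printf '# sshd_config\nPermitRootLogin no\nPermitRootLogin yes\n' > "$d/sshd_config"

    harden_securetty "$d/securetty" "$d/securetty.hardened"

    for t in tty1 console ttyS0; do
        if securetty_allows_root "$d/securetty.hardened" "$t"; then
            echo "root login on $t: allowed"
        else
            echo "root login on $t: denied"
        fi
    done
    login_uses_securetty "$d/login" && echo "pam_securetty is active in login stack"
    echo "effective PermitRootLogin: $(sshd_permit_root_login "$d/sshd_config")"
    rm -rf "$d"
}

demo
```

Run `demo` to see the effect on the sample files; on a real host, back up /etc/securetty first and confirm `login_uses_securetty /etc/pam.d/login` succeeds before relying on the change. Two caveats: pam_securetty only covers text logins through `login`, so a VM console that boots to a graphical display manager needs that manager's own root-login setting, and single-user/rescue boots are unaffected, which is normally handled with a GRUB password rather than PAM.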
If you disable root from any console, do you have another way to get root access on the machine in event of problems?
I'm curious why you need to prevent root via the VMware vCenter VM console. Isn't authentication required to access that? Do you not trust the people who have access to your VMware environment? Servers I manage in a vSphere environment have root login locked out via SSH but allow it via the console in case we need to get in that way for some reason. The console can only be accessed by a few users and the vSphere environment only allows login from a few IP address ranges.
Edit: Do the servers have root login via SSH enabled? It is enabled on Red Hat 7 and CentOS 7 by default. That seems like something more to worry about than console access.
Last edited by arizonagroovejet; 04-03-2017 at 03:20 PM.
Reason: typo fix and bit about SSH.
Thank you for the link, arizonagroovejet. I believe that will achieve the desired results. Here are my responses to your questions.
Which distro are you using and which version? Oracle (Red Hat) Linux 6.5
If you disable root from any console, do you have another way to get root access on the machine in event of problems? Just console with a sudoer or if possible, SSH (also with a sudoer.)
I'm curious why you need to prevent root via the VMware vCenter VM console. Since we are a retailer, it is required in order to be SOX compliant. I posed the same exact concerns you did and was told that it is still a requirement.
Do the servers have root login via SSH enabled? It is enabled on Red Hat 7 and CentOS 7 by default. That seems like something more to worry about than console access. I have already denied root access via SSH.
Is Oracle Linux 6.5 still supported? I can't find that information online but since it's a downstream of Red Hat seems like it should be EOL for a couple of years or so.
Seems to me you should maybe control who has access to VMWare?
Just sayin'
Oh, we do indeed control who has access to vCenter, and the number of users is very small. Unfortunately, SOX auditing is not that cut and dried. I am pushing back on this item, stating that control is managed through vCenter access, but if they reject our counter, we have to do what they say. SOX compliance drives company stock up or down based on scoring, so it's best to do as you're told, or the Board gets angry when that needle drops half a tick.
I'm curious why you need to prevent root via the VMware vCenter VM console. Since we are a retailer, it is required in order to be SOX compliant. I posed the same exact concerns you did and was told that it is still a requirement.
Who told you disabling console access was a requirement? Did you actually hear it from a SOX Auditor? I've been in companies that have been audited to a number of standards (most recently PCI-DSS 3) and logins via a console have never been a problem as long as there are sufficient access controls and procedures as to who can get at the console. Anything that seems excessive, check with the actual auditor, not whichever middle-manager is driving the process.
Red Hat Enterprise Linux 6 has support until 2020. 6.5 does not. Presumably part of the SOX thing specifies that your OS must be supported by vendor though and if you are running an EOL version that will be flagged.