Additional Resources - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43. Securing Your Network
Warning
If the gdm, kdm, or xdm display manager configuration file has been altered to allow
remote users to log in and the host is configured to run at runlevel 5, it is advisable
to change the <console> and <xconsole> directives in the /etc/security/
console.perms to the following values:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
<xconsole>=:0\.[0-9] :0
This prevents remote users from gaining access to devices and restricted applications on
the machine.
If the gdm, kdm, or xdm display manager configuration file has been altered to allow
remote users to log in and the host is configured to run at any multiple user runlevel
other than 5, it is advisable to remove the <xconsole> directive entirely and change the
<console> directive to the following value:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]*
43.4.7.2. Application Access
The console user also has access to certain programs configured for use in the /etc/security/
console.apps/ directory.
This directory contains configuration files which enable the console user to run certain applications in
/sbin and /usr/sbin.
These configuration files have the same name as the applications that they set up.
One notable group of applications that the console user has access to are three programs that shut
down or reboot the system:
• /sbin/halt
• /sbin/reboot
• /sbin/poweroff
Because these are PAM-aware applications, they call the pam_console.so module as a requirement
for use.
Section 43.4.8.1, "Installed Documentation"
Refer to

43.4.8. Additional Resources

The following resources further explain methods to use and configure PAM. In addition to these
resources, read the PAM configuration files on the system to better understand how they are
structured.
650
for more information.