The Root Account

The root account has access to everything on your system. This is why Obscurix locks it down as much as possible. Note that these measures do nothing to protect against root exploits.

If root is needed to perform some system commands, use the rootpw boot parameter. See Usage for more details.

/etc/securetty

/etc/securetty lists the terminals (ttys) from which root is allowed to log in. This file is empty in Obscurix to prevent someone from logging in as root from a tty.

Restricted Su

su is a command that lets you switch to another user. By default, it switches to the root user. Obscurix restricts the use of su to users in the wheel group. This prevents malware from attempting to use su to gain root. The user account is not in the wheel group.

Locked Root Account

The root account is locked with passwd -l root. This makes it impossible to log in to the root account.

pam_faildelay

The pam_faildelay PAM module is enabled and configured to impose a delay of 5 seconds between failed login attempts. This is useful for stalling password brute-force attempts when using the rootpw boot parameter.
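
A way to audit the four settings described above, added here as an example and not taken from Obscurix itself. It assumes the su restriction is implemented with pam_wheel; the sample file names are hypothetical and their contents are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audits the four root-account settings this page describes.
# File paths are arguments so the checks also run on constructed samples.

# True if the file exists and lists no terminals (blank/comment lines only).
securetty_is_empty() { [ -f "$1" ] && ! grep -Eqv '^[[:space:]]*(#|$)' "$1"; }

# True if an uncommented "auth required pam_wheel.so" line is present.
# Assumption: the wheel restriction on su is implemented with pam_wheel.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# True if root's password field in a shadow-format file starts with "!",
# the marker that passwd -l prepends.
root_is_locked() {
    awk -F: '$1 == "root" { found = 1; ok = ($2 ~ /^!/) }
             END { exit !(found && ok) }' "$1"
}

# Prints the active pam_faildelay delay in microseconds (the unit of delay=).
faildelay_usec() {
    sed -n 's/^[[:space:]]*auth[[:space:]].*pam_faildelay\.so.*delay=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}
faildelay_is_5s() { [ "$(faildelay_usec "$1")" = 5000000 ]; }

check() {  # check DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Args: securetty, su PAM file, shadow file, PAM file carrying pam_faildelay.
# Prints one line per check and returns the number of failed checks.
audit_root_lockdown() {
    fails=0
    check "securetty lists no terminals" securetty_is_empty "$1"
    check "su restricted to wheel" su_requires_wheel "$2"
    check "root password locked" root_is_locked "$3"
    check "5 second delay after failed login" faildelay_is_5s "$4"
    return "$fails"
}

# Constructed sample files standing in for the real ones (hypothetical names).
d=$(mktemp -d)
: > "$d/securetty"
printf 'auth required pam_wheel.so use_uid\n' > "$d/su"
printf 'root:!$6$constructed:19000::::::\n' > "$d/shadow"
printf 'auth optional pam_faildelay.so delay=5000000\n' > "$d/pam_login"
audit_root_lockdown "$d/securetty" "$d/su" "$d/shadow" "$d/pam_login"
```

On a real system the first three arguments would be /etc/securetty, /etc/pam.d/su and /etc/shadow (readable only by root); the fourth is whichever PAM service file carries the pam_faildelay line.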