Added: 04/02/01

For a terminal console
======================
If the /etc/securetty file is present, login security is in effect.
User root is only allowed to log in successfully on the ttys listed in
this file.  Restricted ttys are listed by device name, one per line.
Valid tty names are dependent on the installation.  So to restrict root
logins to only the console:

  # echo console >/etc/securetty

The use of /etc/securetty is documented in login(1).

For a CDE console
=================
Create a file named 'nologin' in /etc/:

  # >/etc/nologin

Then add something like this to your /etc/dt/config/Xstartup file:

   if pwget -n "$USER" | awk -F: '{exit !($3 == 0)}'; then
      if [ -f /etc/nologin ] || \
         grep '^console$' /etc/securetty >/dev/null 2>&1; then
         echo "[$(date)] non-root login attempt from CDE console -" \
              "access denied" >>/var/adm/console_login_attempts_log
         exit 1
      fi
   fi

See dtlogin(1) for a detailed description of the Xstartup file.