diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp
new file mode 100644
index 000000000..a04c55975
--- /dev/null
+++ b/manifests/profile/base/securetty.pp
@@ -0,0 +1,46 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::securetty
+#
+# Sets securetty Parameters
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*tty_list*]
+# Hash of values for /etc/securetty console
+# Defaults to hiera('securetty::tty_list')
+#
+class tripleo::profile::base::securetty (
+ $step = hiera('step'),
+ $tty_list = hiera('tty_list)', []),
+) {
+ if $step >=1 {
+ $ttys = join( $tty_list, "\n")
+
+ file { '/etc/securetty':
+ ensure => file,
+ content => template( 'tripleo/securetty/securetty.erb' ),
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+ }
+}
diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
new file mode 100644
index 000000000..e5cfcf504
--- /dev/null
+++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Allows granular level of control over the `/etc/securetty` file.
+ By allowing operators to specify the values in securetty, they
+ can improve security by limiting root console access.
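Review bot: The default for `$tty_list` looks up the hiera key `'tty_list)'` — the closing quote is misplaced inside the parenthesis — so the key operators are told to set (the header documents `securetty::tty_list`) is never consulted and the class silently falls back to `[]`, which writes an /etc/securetty with no TTY entries and, where pam_securetty is enforced, would deny root login on every console rather than restricting it. Change the line to `$tty_list = hiera('tty_list', []),` (or the documented `securetty::tty_list` key) and make the header's "Defaults to" line agree with whichever key is chosen. The parameter description "Hash of values for /etc/securetty console" is also wrong for what the code does with it, since `join($tty_list, "\n")` needs an array; suggest `# Array of TTY names, written one per line to /etc/securetty`. As a matter of style, `if $step >=1 {` should read `if $step >= 1 {`.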
diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb
new file mode 100644
index 000000000..c57d8beea
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_securetty_spec.rb
@@ -0,0 +1,72 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::profile::base::securetty
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::securetty' do
+
+ shared_examples_for 'tripleo::profile::base::securetty' do
+
+ context 'with defaults step 1' do
+ let(:params) {{ :step => 1 }}
+ it { is_expected.to contain_class('tripleo::profile::base::securetty') }
+ it {
+ is_expected.to contain_file('/etc/securetty').with(
+ :content => ["# Managed by Puppet / TripleO Heat Templates",
+"# A list of TTYs, from which root can log in",
+"# see `man securetty` for reference",
+"",
+""].join("\n"),
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600')
+ }
+ end
+
+ context 'it should configure securtty' do
+ let(:params) {{
+ :step => 1,
+ :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6']
+ }}
+
+ it 'should configure securetty values' do
+ is_expected.to contain_file('/etc/securetty').with(
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ )
+ .with_content(/console/)
+ .with_content(/tty1/)
+ .with_content(/tty2/)
+ .with_content(/tty3/)
+ .with_content(/tty4/)
+ .with_content(/tty5/)
+ .with_content(/tty6/)
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::securetty'
+ end
+ end
+end
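Review bot: Neither context exercises the `step < 1` branch, so nothing verifies that /etc/securetty is left untouched before step 1; add a context with `let(:params) {{ :step => 0 }}` and `it { is_expected.to_not contain_file('/etc/securetty') }`. The `.with_content(/tty1/)` chain uses unanchored substring matches, so `/tty1/` would also be satisfied by a line such as `tty10`; anchoring each pattern, e.g. `.with_content(/^tty1$/)`, pins the exact entry the manifest is expected to write. The "with defaults step 1" example asserts a content body that ends in two empty lines, which is the rendering of an empty list — worth a comment on that example stating that it deliberately checks the no-tty default, so a later reader does not mistake the trailing blanks for an accident. The context description `'it should configure securtty'` misspells securetty.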
diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb
new file mode 100644
index 000000000..c8c7b9066
--- /dev/null
+++ b/templates/securetty/securetty.erb
@@ -0,0 +1,4 @@
+# Managed by Puppet / TripleO Heat Templates
+# A list of TTYs, from which root can log in
+# see `man securetty` for reference
+<%= @ttys %>