Conversion from standard (not SMSE) mode to Trusted Mode

While "root-ing" around on one of our sandbox machines, I noticed that the /tcb/files/system/default had the following:

 

default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
    :u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
    :u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
    :u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
    :\
    :t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
    :chkent:

There doesn't appear to be any means (via SMH/SAM) to change the "  :d_boot_authenticate@:\" entry to "  :d_boot_authenticate:\" in order to enforce boot authentication prior to boot into single user mode.

 

So, the question is this: Can these values only be changed with "vi", or is there a way to do this in SAM and I just didn't see it? I've always avoided manually modifying these files, so I'd rather not instruct anyone working for me to do so either.

 

I'm beginning to think that the only way to ensure this happens is to set "BOOT_AUTH=1" in the /etc/default/security file prior to converting to Trusted Mode.

 

Anyone?

 

Thanks.
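
A read-only way to check the flag discussed in the post above, as an added example that is not part of the original post or any HP-UX tool. It assumes the field syntax visible in the quoted entry (`name@` off, `name` on, `name#N` number, `name=text` string); the function names `tcb_field` and `check_boot_auth` are hypothetical.

```shell
#!/bin/sh
# Added example: read-only parse of a Trusted Mode "default" entry.
# Syntax as read from the post: name@ = flag off, name = flag on,
# name#N = number, name=text = string; a trailing "\" continues the entry.

# tcb_field FILE FIELD -> prints on, off, the field's value, or unset
tcb_field() {
    awk -v want="$2" '
        { sub(/\\$/, ""); entry = entry $0 }        # join continuation lines
        END {
            n = split(entry, f, ":")
            result = "unset"
            for (i = 2; i <= n; i++) {               # f[1] is the entry name
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == want "@") result = "off"
                else if (f[i] == want) result = "on"
                else if (index(f[i], want "#") == 1 || index(f[i], want "=") == 1)
                    result = substr(f[i], length(want) + 2)
            }
            print result
        }' "$1"
}

# check_boot_auth FILE -> one-line verdict, non-zero status when not enforced
check_boot_auth() {
    if [ "$(tcb_field "$1" d_boot_authenticate)" = "on" ]; then
        echo "boot authentication enforced"
    else
        echo "boot authentication NOT enforced"
        return 1
    fi
}

# Sample input: abbreviated copy of the entry quoted in the post (scratch file).
sample="${TMPDIR:-/tmp}/tcb_default.$$"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
    :chkent:
EOF

check_boot_auth "$sample" || true
```

The non-zero exit status of `check_boot_auth` makes it usable in a periodic compliance script run against a copy of the real file.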