08-16-2011 07:46 AM - edited 08-16-2011 08:01 AM
A security audit has requested that a password must be set to boot a vPar into single-user mode. I'm sure there is a way but I could not find it.
08-16-2011 08:46 AM
Re: How can you set a password for Single-User mode for a vPar?
For a non-trusted system: /etc/default/security - BOOT_AUTH
For a trusted system: sam->Auditing and Security->System Security Policies->General User Account Policies
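An audit check for the non-trusted case named in the reply above, added here as an example and not part of the original post. It assumes that security(4) enables the check with the exact line `BOOT_AUTH=1` (default 0 when absent) and that `/tcb/files/auth` exists only on a trusted system; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit single-user boot authentication.
# Assumptions: security(4) enables the check with the exact line BOOT_AUTH=1
# (default 0 when absent); /tcb/files/auth exists only on a trusted system.
# Function names are hypothetical.

# Print enabled | disabled | invalid | missing for one security(4) file.
boot_auth_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    # Drop comment lines, keep every remaining line naming the attribute.
    vals=$(grep -v '^[[:space:]]*#' "$1" | grep BOOT_AUTH | sort -u)
    case $vals in
        ""|BOOT_AUTH=0) echo disabled ;;  # no password at single-user boot
        BOOT_AUTH=1)    echo enabled ;;
        *)              echo invalid ;;   # stray text or conflicting values
    esac
}

# Audit the tree rooted at $1; pass "" to audit the live system.
audit_single_user() {
    if [ -d "$1/tcb/files/auth" ]; then
        # Trusted mode: the thread sets the flag through SAM instead.
        echo "trusted: check the SAM single-user login policy"
    else
        echo "non-trusted: BOOT_AUTH $(boot_auth_state "$1/etc/default/security")"
    fi
}

# Constructed sample tree so the check can be tried away from the server.
sample=$(mktemp -d)
mkdir -p "$sample/etc/default"
printf '# constructed sample\n#BOOT_AUTH=1\nBOOT_AUTH=0\n' \
    > "$sample/etc/default/security"
audit_single_user "$sample"
rm -rf "$sample"
```

An `invalid` result means the line differs from the exact form and needs a manual look before the audit item is marked as met.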
08-16-2011 08:53 AM
Solution
Though I have not tested it... this appears to be the answer:
The only way to require a login when booting into single-user mode is to set
the boot_authentication flag on a trusted system. If the system is not
trusted, this option is not available. If the system is trusted, this
option can be set using SAM.
The steps in SAM to configure this option are:
1. Start SAM
sam
2. Select "Auditing and Security"
3. Select "System Security Policies"
4. Select "General User Account Policies"
5. At the bottom of the dialog box there is a check box for "Require Login
Upon Boot to Single-User State". Check this box and exit SAM.
08-16-2011 11:06 AM
Re: How can you set a password for Single-User mode for a vPar?
I assume you have physical security of the machine?
And a password and a private LAN for the MP?
08-17-2011 05:29 AM
Re: How can you set a password for Single-User mode for a vPar?
And a precaution: Although setting a password for single user access may seem useful to an auditor's checklist, it can be disastrous for each system (vPar, nPar or simple server). There is no documented backdoor so if you lose the password, you'll have to reinstall. NOTE: a recent Ignite backup (after setting the single user password) is useless because the password is still in effect.
The only reason to use a single user password is because the HP-UX server or workstation is sitting out in an unattended area so that the janitor could walk by late at night and poke around. As long as the data center is locked and requires authorization for access, then your servers do not need a password. But as Dennis mentions, the GSP or MP port must have a password and most important, it should be connected to a private subnet without a router. This subnet should also have all your appliances (network routers, SAN and LAN switches, firewalls, etc) connected for maintenance. None of these devices have adequate security (and almost none of them will ever be enhanced to meet authentication minimums) so they must not be visible outside the computer room. A high security server serves as the (unrouted) bridge between sysadmins and the maintenance ports.
Bill Hassell, sysadmin