topic sulogin in Operating System - HP-UX

sulogin

Marvyn Torres — Thu, 30 May 2002 09:12:27 GMT

Is there/and where is the sulogin file located in a HP Unix system??

Can it be used to prompt for a password when entering the system maintenance or single user mode??

Re: sulogin

Stefan Farrelly — Thu, 30 May 2002 09:16:07 GMT

/var/adm/sulog

and no, you cant prompt for a password if someone boots in lvm maintenance mode or single user mode. Dont leave the key in service mode on the server and then nobody can boot in single user mode or maintenance mode without the key!

Re: sulogin

Steve Steel — Thu, 30 May 2002 09:18:06 GMT

Hi

trusted would be best solution.

convert to a trusted system :
Within SAM you can set up the system security policies so that a
login is required when booting the system to single user.
This can be enabled as follows:
SAM --> Auditing and Security --> System security Policies -->
General User Account Policies : enable "Require login upon boot
to single user state"
The root account by default will have authority to boot the
system to single user.
You can then authorise a particular user to boot to single user
SAM --> Accounts For Users and Groups --> select the user --->
Modify Users Security Policy --> General User Account Policies
and enable " Authorize user to Boot to single-User state" .

The "Boot authentication prompt " is displayed if the "Require
login Upon Boot to single user state" is enabled and the system
is booted to single user.

steve Steel

Re: sulogin

Marvyn Torres — Thu, 30 May 2002 09:58:31 GMT

Steve,

Clarification please.

Does your solution mean that the root account will also be prompted for a password when entering single user mode??

Re: sulogin

Peter Kloetgen — Thu, 30 May 2002 10:10:01 GMT

Hi Marvin,

first of all to say: As all the others allready said, change to a trusted system!

To give the answer to your question: YES, then even root is prompted for a password when booting into single user mode. Only possibility to get into the system then is to use installation CD- ROM and remount the file systems to get in write- mode and then remove root password from tcb- directory.

Please don't forget also to secure your web console. (If you have a computer which has one...) Go into service processor mode and enter HE or LI at prompt to find information which commands you need to activate.

Allways stay on the bright side of life!

Peter

Re: sulogin

Steve Steel — Thu, 30 May 2002 10:12:47 GMT

Hi

peter got it in one.

If you want security then apply it by making the system trusted.

steve Steel

Re: sulogin

Marvyn Torres — Thu, 30 May 2002 23:58:37 GMT

How do you go about checking (discreetly - so as not to appear stupid among peers -hehe)if a system is trusted??

Re: sulogin

James R. Ferguson — Fri, 31 May 2002 00:27:53 GMT

Hi Marvyn:

A trusted system will have a protected password file: '/tcb/files/auth/'.

A trusted system (most visibly) displays the message "last successful/unsuccessful login..." upon user logon. This is a dead-give-away of a trusted server.

Regards!

...JRF...

Re: sulogin

Steven Sim Kok Leong — Fri, 31 May 2002 00:33:37 GMT

Hi,

1) This is the direct approach (definitive and quickest):

# /etc/tsconvert
System has already been converted.

If your system has already been converted, tsconvert will show the status by printing the message stating that your system has already been converted.

Other methods include:

2) Not surest method but one of the quickest methods:

# ll -d /tcb

Check for /tcb existence. /tcb is created upon conversion.

3) One definitive way (one long method):

The definitive way (this is just one way) is to check it from SAM:

SAM
-> Audit and Security
-> Audited Events

If your system is not trusted, you will see a popup dialog saying that your system is not trusted, and ask you whether you wish to convert it to trusted.

Once trusted, under "Actions",
you will notice the option to: "Unconvert the system"

Hope this helps. Regards.

Steven Sim Kok Leong