Operating System - HP-UX
Paul F. Bennett
Advisor

How can you set a password for Single-User mode for a vPar?

A security audit has requested that a password must be set to boot a vPar into single-user mode. I'm sure there is a way but I could not find it.

Earl_Crowder
Trusted Contributor

Re: How can you set a password for Single-User mode for a vPar?

For a non-trusted system:  /etc/default/security - BOOT_AUTH

For a trusted system:  sam->Auditing and Security->System Security Policies->General User Account Policies
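As an added illustration of the first option in the reply above (this script is not from the thread and was not posted by any of its participants), the following POSIX shell functions read and set a KEY=value attribute in an /etc/default/security style file, so BOOT_AUTH=1 can be applied idempotently and verified. The attribute name BOOT_AUTH is taken from the reply; the script assumes the file uses one uncommented KEY=value assignment per line, as /etc/default/security does, and works on whatever path it is given, so it can be rehearsed on a copy before the real file is touched (which requires root on HP-UX). The sample file at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads and sets KEY=value
# attributes in a file laid out like HP-UX /etc/default/security.
# Attribute name BOOT_AUTH comes from the reply above; everything else
# (file layout, temp-file handling) is an assumption of this example.

# Print the effective value of an attribute: the last uncommented
# KEY=value line wins; "unset" if no such line exists.
get_attr() {
    # $1 = file, $2 = attribute name
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        $1 == key  { v = $2; sub(/[ \t#].*$/, "", v); val = v }
        END        { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Set an attribute to a value. Existing uncommented assignments of the
# same key are rewritten in place; otherwise the line is appended.
# The file is replaced atomically via a temp file in the same directory.
set_attr() {
    # $1 = file, $2 = attribute name, $3 = value
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file"; then
        sed "s/^$key=.*/$key=$value/" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        echo "$key=$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Return 0 if BOOT_AUTH is 1 in the given file, 1 otherwise.
boot_auth_enabled() {
    [ "$(get_attr "$1" BOOT_AUTH)" = 1 ]
}

# Demonstration on a constructed copy (not a real HP-UX file). To apply
# for real you would back up /etc/default/security first, confirm the
# root password is known, then run:  set_attr /etc/default/security BOOT_AUTH 1
demo="${TMPDIR:-/tmp}/security.example.$$"
printf '# constructed sample of /etc/default/security\nMIN_PASSWORD_LENGTH=8\nBOOT_AUTH=0\n' > "$demo"
echo "before: BOOT_AUTH=$(get_attr "$demo" BOOT_AUTH)"
set_attr "$demo" BOOT_AUTH 1
echo "after:  BOOT_AUTH=$(get_attr "$demo" BOOT_AUTH)"
boot_auth_enabled "$demo" && echo "single-user boot will require the root password"
rm -f "$demo"
```

Before relying on the setting, keep a note of the root password somewhere recoverable: as the later reply in this thread warns, there is no documented way to bypass a single-user password once it is in effect.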

Paul F. Bennett
Advisor
Solution

Re: How can you set a password for Single-User mode for a vPar?

Though I have not tested it... this appears to be the answer:

The only way to require a login when booting into single-user mode is to set
the boot_authentication flag on a trusted system.  If the system is not
trusted, this option is not available.  If the system is trusted, this
option can be set using SAM.

The steps in SAM to configure this option are:

1.  Start SAM

    sam

2.  Select "Auditing and Security"

3.  Select "System Security Policies"

4.  Select "General User Account Policies"

5.  At the bottom of the dialog box there is a check box for "Require Login
    Upon Boot to Single-User State".  Check this box and exit SAM.

Dennis Handly
Acclaimed Contributor

Re: How can you set a password for Single-User mode for a vPar?

I assume you have physical security of the machine?

And a password and a private LAN for the MP?

Bill Hassell
Honored Contributor

Re: How can you set a password for Single-User mode for a vPar?

And a precaution: Although setting a password for single user access may seem useful to an auditor's checklist, it can be disastrous for each system (vPar, nPar or simple server). There is no documented backdoor so if you lose the password, you'll have to reinstall. NOTE: a recent Ignite backup (after setting the single user password) is useless because the password is still in effect.

The only reason to use a single user password is because the HP-UX server or workstation is sitting out in an unattended area so that the janitor could walk by late at night and poke around. As long as the data center is locked and requires authorization for access, then your servers do not need a password. But as Dennis mentions, the GSP or MP port must have a password and most important, it should be connected to a private subnet without a router. This subnet should also have all your appliances (network routers, SAN and LAN switches, firewalls, etc.) connected for maintenance. None of these devices have adequate security (and almost none of them will ever be enhanced to meet authentication minimums) so they must not be visible outside the computer room. A high security server serves as the (unrouted) bridge between sysadmins and the maintenance ports.

Bill Hassell, sysadmin