General
cancel
Showing results for 
Search instead for 
Did you mean: 

How can you set a password for Single-User mode for a vPar?

 
SOLVED
Go to solution

How can you set a password for Single-User mode for a vPar?

A security audit has requested that a password must be set to boot a vPar into single-user mode. I'm sure there is a way but I could not find it.

4 REPLIES 4
Earl_Crowder
Trusted Contributor

Re: How can you set a password for Single-User mode for a vPar?

 

 

For a non-trusted system:  /etc/default/security - BOOT_AUTH

 

For a trusted system:  sam->Auditing and Security->System Security Policies->General User Account Policies

Solution

Re: How can you set a password for Single-User mode for a vPar?

Though I have not tested it... this appears to be the answer:

 

The only way to require a login when booting into single-user mode is to set
the boot_authentication flag on a trusted system.  If the system is not
trusted, this option is not available.  If the system is trusted, this
option can be set using SAM.

The steps in SAM to configure this option are:

1.  Start SAM

    sam

2.  Select "Auditing and Security"

3.  Select "System Security Policies"

4.  Select "General User Account Policies"

5.  At the bottom of the dialog box there is a check box for "Require Login
    Upon Boot to Single-User State".  Check this box and exit SAM.

Dennis Handly
Acclaimed Contributor

Re: How can you set a password for Single-User mode for a vPar?

I assume you have physical security of the machine?

And a password and a private LAN for the MP?

Bill Hassell
Honored Contributor

Re: How can you set a password for Single-User mode for a vPar?

And a precaution: Although setting a password for single user access may seem useful to an auditor's checklist, it can be disastrous for each system (vPar, nPar or simple server). There is no documented backdoor so if you lose the password, you'll have to reinstall. NOTE: a recent Ignite backup (after setting the single user password) is useless because the password is still in effect.

 

The only reason to use a single user password is because the HP-UX server or workistation is sitting out in an unattended area so that the janitor could walk by late at night and poke around. As long as the data center is locked and requires authorization for access, then your servers do not need a password. But as Dennis mentions, the GSP or MP port must have a password and most important, it should be connected to a private subnet without a router. Thyis subnet should also have all your appliances (network routers, SAN and LAN switches, firewalls, etc) connected for maintenance. None of these devices have adequate security (and alomost none of them will ever be enhanced to meet authentication minimums) so they must not be visible outside the computer room. A high security server serves as the (unrouted) bridge between sysadmins and the maintenance ports.



Bill Hassell, sysadmin