
Conversion from standard (not SMSE) mode to Trusted Mode

 
SOLVED
john guardian
Super Advisor

Conversion from standard (not SMSE) mode to Trusted Mode

While "root-ing" around on one of our sandbox machines, I noticed that the /tcb/files/system/default had the following:

 

default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
    :u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
    :u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
    :u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
    :\
    :t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
    :chkent:

There doesn't appear to be any means (via SMH/SAM) to change the "  :d_boot_authenticate@:\" entry to "  :d_boot_authenticate:\" in order to enforce boot authentication prior to boot into single user mode.

 

So, the question is this: Can these values only be changed with "vi", or is there a way to do this in SAM and I just didn't see it? I've always avoided manually modifying these files, so I'd rather not instruct anyone working for me to do so either.

 

I'm beginning to think that the only way to ensure this happens is to set "BOOT_AUTH=1" in the /etc/default/security file prior to converting to Trusted Mode.

 

Anyone?

 

Thanks.

 

Patrick Wallek
Honored Contributor
Solution

Re: Conversion from standard (not SMSE) mode to Trusted Mode

It can be done via SAM:

 

Get into SAM

Go to "Auditing and Security"

then go to "System Security Policies"

then go to "General User Account Policies..."

There is a check box on that screen "Require Login Upon Boot to Single-User State"

 

Check that, then click OK to apply.

 

I personally think this is a very bad idea.  If you happen to lose your root password, one of the only ways to recover it (if you don't have something like 'sudo') is to boot into single-user mode.  But if you need the password to get there, you're kind of stuck.

john guardian
Super Advisor

Re: Conversion from standard (not SMSE) mode to Trusted Mode

Thanks for the info, I missed that.

 

While I cannot disagree with you on the loss of the root password, as a consultant, I move between several large Defense Dept commercial companies that must meet specific security req's for all computing services, not just HP-UX or "other" UNIX environments (Windows as well).

 

In some cases, root has been disabled and only users with su privileges or thru "other" means, can perform system maintenance. Insofar as the DoD is concerned, security comes first, and procedures are in place to ensure the lost password scenario does not occur (still does though).

 

So, not necessarily my POV either, but that's the policy of upper management.

 

Thanks again.

 

KathyL1
Valued Contributor

Re: Conversion from standard (not SMSE) mode to Trusted Mode

You can also use the undocumented commands 'getprdef' and 'modprdef' to view/modify Trusted Mode settings - see attached.

 

(The attachment also includes information on the 'getprpw' and 'modprpw' commands that are used for displaying Trusted Mode user account settings)

Matti_Kurkela
Honored Contributor

Re: Conversion from standard (not SMSE) mode to Trusted Mode

> If you happen to lose your root password, one of the only ways to recover it (if you don't have something like 'sudo') is to boot into single-user mode.  But if you need the password to get there, you're kind of stuck.

 

 

Not exactly stuck: you can boot the system to a recovery shell using either HP-UX installation media or an Ignite-UX server.

The recovery shell can be inconvenient to use, but it is certainly capable of importing & activating vg00, mounting the root filesystem and changing the root password.

 

So, in my opinion, if physical and console access to the system is secured, requiring a password for single user mode does not really give you much in terms of additional security. But since you can authorize any user account to access the single user mode (not just the root account), it may be able to create an audit record of *who* exactly used the single user mode. That might be the main reason for the requirement. Of course, since network interfaces are not active when booting to single user mode, such an audit record will be purely local and thus not at all tamper-proof...

 

On the other hand, setting the firmware configuration password (whatever it is called) and then forgetting it would have the risk of making you stuck without access to your system, since it would stop you from giving the command to boot to single user mode. But historically, physical access to the system has usually allowed the firmware password to be bypassed. (On old HP-UX workstations, if Secure Boot is enabled and the password is lost, disconnecting all the disks, mouse & keyboard and then powering up the system would disable Secure Boot and allow access to the firmware configuration commands.)

MK
john guardian
Super Advisor

Re: Conversion from standard (not SMSE) mode to Trusted Mode

The below steps:

 

Go to "Auditing and Security"

then go to "System Security Policies"

then go to "General User Account Policies..."

There is a check box on that screen "Require Login Upon Boot to Single-User State"

 

Do not appear in my version of SAM? Not even close.

 

I type in SAM, SMH comes up in web-based mode. The only thing that can be changed that's even close is BOOT_AUTH in the security file. I'm looking for a means (other than manual editing) to change the TCB "default" file setting

 

FROM

 

default:\
:d_name=default:\
:d_boot_authenticate@:\
 
TO
 
default:\
:d_name=default:\
:d_boot_authenticate:\
 
NOTE the difference in the 3rd line (no "@" symbol).
 
Again, the assumption(s):
 
with ":d_boot_authenticate@:\", systemwide single user boot is disabled, but if a user named uzor is in the /tcb/files/auth/u/ path, AND his profile is set to ":u_bootauth:", this person can boot to single user mode.
 
Or, am I wrong and ":d_boot_authenticate@:\" in the "default" file cannot be overridden?
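
The "@" convention discussed in this thread can be audited without opening the file in an editor. The read-only parser below is an added example, not part of any post and not an HP tool; the function names are hypothetical, and the sample entry is constructed from the listing in the first post (shortened).

```python
import re

# Constructed sample: the system default entry as posted in the thread (shortened).
SAMPLE_DEFAULT = r"""default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_maxtries#3:u_lock:\
    :\
    :t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
    :chkent:
"""

def parse_tcb_entry(text):
    """Parse one termcap-style TCB entry into (name, fields).

    name=value -> str, name#n -> int, bare name -> True, name@ -> False.
    """
    # Join backslash-continued lines, then split on the ':' separators.
    joined = re.sub(r"\\\s*\n\s*", "", text.strip())
    name, *raw = joined.split(":")
    fields = {}
    for item in (r.strip() for r in raw):
        if not item:
            continue  # empty slots come from '::' and ':\' filler lines
        m = re.fullmatch(r"(\w+)(?:(=)(.*)|(#)(-?\d+)|(@))?", item)
        if m is None:
            raise ValueError(f"unrecognised field: {item!r}")
        key = m.group(1)
        if m.group(2):
            fields[key] = m.group(3)           # string capability
        elif m.group(4):
            fields[key] = int(m.group(5))      # numeric capability
        else:
            fields[key] = m.group(6) is None   # boolean; trailing '@' means off
    return name, fields

def boot_auth_enabled(text):
    """True only if d_boot_authenticate is present without the '@' suffix."""
    _, fields = parse_tcb_entry(text)
    return fields.get("d_boot_authenticate") is True

if __name__ == "__main__":
    print("boot authentication enforced:", boot_auth_enabled(SAMPLE_DEFAULT))
```

Run against a copy of /tcb/files/system/default before and after a policy change to confirm which form of the flag is actually on disk.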