Conversion from standard (not SMSE) mode to Trusted Mode
07-24-2013 11:50 AM
While "root-ing" around on one of our sandbox machines, I noticed that the /tcb/files/system/default had the following:
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
There doesn't appear to be any means (via SMH/SAM) to change the " :d_boot_authenticate@:\" entry to " :d_boot_authenticate:\" in order to enforce boot authentication prior to boot into single user mode.
So, the question is this: Can these values only be changed with "vi", or is there a way to do this in SAM and I just didn't see it? I've always avoided manually modifying these files, so I'd rather not instruct anyone working for me to do so either.
I'm beginning to think that the only way to ensure this happens is to set "BOOT_AUTH=1" in the /etc/default/security file prior to converting to Trusted Mode.
Anyone?
Thanks.
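The two settings discussed in this thread (the d_boot_authenticate flag in /tcb/files/system/default for Trusted Mode, and BOOT_AUTH=1 in /etc/default/security for standard mode) are easy to audit without touching the files. The POSIX shell script below is an added example written for this page; it is not code from the thread or from HP. It assumes, as the original post describes, that a trailing "@" negates the d_boot_authenticate flag, and that BOOT_AUTH=1 is the standard-mode equivalent. The sample files it writes are constructed for the demonstration (the "off" record is a shortened copy of the one quoted above).

```shell
#!/bin/sh
# Added audit helper (not code from the thread): report whether password
# authentication for booting to single-user mode is enforced on an HP-UX
# host. It reads the Trusted Mode default capability record
# (/tcb/files/system/default, flag d_boot_authenticate, negated with a
# trailing "@" as in the original post) and the standard-mode setting
# BOOT_AUTH in /etc/default/security. File paths are parameters so the
# check can be run against copies pulled from a host. State codes printed:
#   0 = enforced, 1 = explicitly not enforced, 2 = setting absent.

# Trusted Mode: join the backslash-continued record into one line, split it
# on ":" and look for the d_boot_authenticate flag, with or without "@".
tcb_boot_auth_state() {
    awk '
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
        { rec = rec $0 }
        END {
            n = split(rec, f, ":")
            state = 2
            for (i = 1; i <= n; i++) {
                t = f[i]
                gsub(/^[ \t]+|[ \t]+$/, "", t)   # strip indentation
                if (t == "d_boot_authenticate")  state = 0
                if (t == "d_boot_authenticate@") state = 1
            }
            print state
        }' "$1"
}

# Standard mode: the last uncommented BOOT_AUTH= assignment wins; "1" means
# a password is required at single-user boot.
security_boot_auth_state() {
    val=$(grep '^[[:space:]]*BOOT_AUTH=' "$1" 2>/dev/null | tail -n 1 |
          sed 's/^[^=]*=//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    if [ -z "$val" ]; then echo 2
    elif [ "$val" = "1" ]; then echo 0
    else echo 1
    fi
}

describe() {
    case "$1" in
        0) echo "enforced" ;;
        1) echo "NOT enforced" ;;
        *) echo "not configured" ;;
    esac
}

report() {
    echo "Trusted Mode d_boot_authenticate ($1): $(describe "$(tcb_boot_auth_state "$1")")"
    echo "Standard mode BOOT_AUTH ($2): $(describe "$(security_boot_auth_state "$2")")"
}

# Constructed sample files so the script runs offline; the "off" record is
# a shortened copy of the one quoted in the original post.
make_samples() {
    dir=$(mktemp -d) || exit 1
    cat > "$dir/tcb_default_off" <<'EOF'
default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
    :chkent:
EOF
    sed 's/d_boot_authenticate@/d_boot_authenticate/' \
        "$dir/tcb_default_off" > "$dir/tcb_default_on"
    printf '# constructed /etc/default/security\nBOOT_AUTH=1\n' > "$dir/security_on"
    printf 'BOOT_AUTH=0\n' > "$dir/security_off"
    printf '# no BOOT_AUTH line at all\nMIN_PASSWORD_LENGTH=8\n' > "$dir/security_unset"
    echo "$dir"
}

d=$(make_samples)
report "$d/tcb_default_off" "$d/security_unset"   # as found on the sandbox host
report "$d/tcb_default_on"  "$d/security_on"      # after enabling both
rm -rf "$d"
```

On a real host, call the two state functions with /tcb/files/system/default and /etc/default/security (reading the TCB file requires root). The script only inspects file contents; it is a read-only check and does not replace the getprdef command mentioned later in the thread, and indentation in the TCB record (tabs or spaces) is trimmed before the fields are compared.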
07-24-2013 12:13 PM
It can be done via SAM:
Get into SAM
Go to "Auditing and Security"
then go to "System Security Policies"
then go to "General User Account Policies..."
There is a check box on that screen "Require Login Upon Boot to Single-User State"
Check that, then click OK to apply.
I personally think this is a very bad idea. If you happen to lose your root password, one of the only ways to recover it (if you don't have something like 'sudo') is to boot into single-user mode. But if you need the password to get there, you're kind of stuck.
07-25-2013 03:50 AM
Re: Conversion from standard (not SMSE) mode to Trusted Mode
Thanks for the info, I missed that.
While I cannot disagree with you on the loss of the root password, as a consultant, I move between several large Defense Dept commercial companies that must meet specific security req's for all computing services, not just HP-UX or "other" UNIX environments (Windows as well).
In some cases, root has been disabled and only users with su privileges or thru "other" means, can perform system maintenance. Insofar as the DoD is concerned, security comes first, and procedures are in place to ensure the lost password scenario does not occur (still does though).
So, not necessarily my POV either, but that's the policy of upper management.
Thanks again.
07-25-2013 10:06 PM
Re: Conversion from standard (not SMSE) mode to Trusted Mode
You can also use the undocumented commands 'getprdef' and 'modprdef' to view/modify Trusted Mode settings - see attached.
(The attachment also includes information on the 'getprw' and 'modprpw' commands that are used for displaying Trusted Mode user account settings)
07-26-2013 01:23 AM
Re: Conversion from standard (not SMSE) mode to Trusted Mode
> If you happen to lose your root password, one of the only ways to recover it (if you don't have something like 'sudo') is to boot into single-user mode. But if you need the password to get there, you're kind of stuck.
Not exactly stuck: you can boot the system to a recovery shell using either HP-UX installation media or an Ignite-UX server.
The recovery shell can be inconvenient to use, but it is certainly capable of importing & activating vg00, mounting the root filesystem and changing the root password.
So, in my opinion, if physical and console access to the system is secured, requiring a password for single user mode does not really give you much in terms of additional security. But since you can authorize any user account to access the single user mode (not just the root account), it may be able to create an audit record of *who* exactly used the single user mode. That might be the main reason for the requirement. Of course, since network interfaces are not active when booting to single user mode, such an audit record will be purely local and thus not at all tamper-proof...
On the other hand, setting the firmware configuration password (whatever it is called) and then forgetting it would have the risk of making you stuck without access to your system, since it would stop you from giving the command to boot to single user mode. But historically, physical access to the system has usually allowed the firmware password to be bypassed. (On old HP-UX workstations, if Secure Boot is enabled and the password is lost, disconnecting all the disks, mouse & keyboard and then powering up the system would disable Secure Boot and allow access to the firmware configuration commands.)
07-29-2013 10:26 AM - edited 07-29-2013 10:28 AM
Re: Conversion from standard (not SMSE) mode to Trusted Mode
The below steps:
Go to "Auditing and Security"
then go to "System Security Policies"
then go to "General User Account Policies..."
There is a check box on that screen "Require Login Upon Boot to Single-User State"
Do not appear in my version of SAM? Not even close.
I type in SAM, SMH comes up in web-based mode. The only thing that can be changed that's even close is BOOT_AUTH in the security file. I'm looking for a means (other than manual editing) to change the TCB "default" file setting
FROM