HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

Boot Authentication

 
Gamaliel
Frequent Advisor

Boot Authentication

Hi Dudes,

I have an observation from an external auditory telling me to fix the exposure of our system from being booted by anyone with access to the site...

So, can anybody (that sounds like Fredy Mercury, right?) tell me if I mis something?

-First we had converted to trusted system
-Second I write this two lines to the /etc/default/security file:
BOOT_AUTH=1
BOOT_USERS=root,jsantana
-Third, from uncleSAM at Auditing and Security==>System Security Policies==>General User Account Policies--I set the option--[X] Require Login Upon Boot to Single-User State
-Finally also with SAM at Accounts for Users and Groups==>Users--the user--Actions==>Modify Security Policies==>General User Account Policies--i selected--Authorize User to Boot to Single-User State: [ Yes ->]

Tks.
4 REPLIES
Court Campbell
Honored Contributor

Re: Boot Authentication

Technically anyone with access to the room that the server sits in can boot it. That's about as simple as turning the power button on. There is really nothing wrong with someone booting the machine. The issue is if they can boot into single user mode and change roots password.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Bill Hassell
Honored Contributor

Re: Boot Authentication

> anyone with access to the site...

Hummm, do you mean somewhere in the building using a network connection, or access to the computer room? Outside the computer room, there is no possible way to for a user to interact with the computer unless you have connected the GSP (or MP, etc) to an outside network. The console LAN must never be routed outside the computer room. Access to the console is a big security issue.

Inside the computer room, there is no security. Every machine is wide open. The bad guy can pull out power plugs, put hubs in series with network cables, use a Blackberry to trace traffic or to plug into a console port, physically bypass a firewall, steal backup tapes, use flash drives to collect data, add a keyboard flash drive to collect keystrokes, and on and on. In other words, computer room security is much more important than any individual computer setup.

So your protection is fine but with the bad guys in the computer room, most everything is no longer secure.


Bill Hassell, sysadmin
Gamaliel
Frequent Advisor

Re: Boot Authentication

Thanks for your comments, quite ilustrating, so look, this is the point.

The only console is on the site with security access... but i have this auditing observation, so i need to configure the system to doesn't allow an unauthorized boot of the system.
Court Campbell
Honored Contributor

Re: Boot Authentication

> so i need to configure the system to doesn't allow an unauthorized boot of the system

The issue is that the statement is nonsense. If the server is in a secure room and only approved individuals have access to that room, then you have met the requirement. The only thing you can control is access to single user mode. Basically you are done, and your auditor is clueless.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"