Password Protect Single User Mode
06-30-2009 08:14 AM
06-30-2009 08:20 AM
Look at '/etc/default/security', in particular the 'BOOT_AUTH' and 'BOOT_Users' attributes.
http://docs.hp.com/en/B2355-60130/security.4.html
Regards!
...JRF...
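As an added example (not code from the thread or from HP), the following POSIX shell snippet audits a /etc/default/security file for the two attributes named in the answer. It assumes the semantics documented in HP-UX security(4): BOOT_AUTH=1 makes a single-user-mode boot prompt for a password, and BOOT_USERS (the man page spells the attribute in upper case) lists the accounts allowed to authenticate there. The file it parses is a constructed sample written to a temporary path; on a real host you would point check_boot_auth at /etc/default/security instead.

```shell
#!/bin/sh
# Added example: audit the single-user-mode boot authentication settings
# in an HP-UX /etc/default/security file. Attribute names and meanings are
# assumed from security(4); the sample file below is constructed, not real.

# get_attr FILE NAME: print the value of NAME=... (last assignment wins;
# comment lines never match because they do not start with NAME=)
get_attr() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_boot_auth FILE: return 0 when single-user boot requires a password
# and at least one account may authenticate; return 1 when BOOT_AUTH is not
# 1, return 2 when BOOT_AUTH=1 but BOOT_USERS is empty (nobody could log in
# at a single-user boot, which is the lock-out the later replies worry about).
check_boot_auth() {
    auth=$(get_attr "$1" BOOT_AUTH)
    users=$(get_attr "$1" BOOT_USERS)
    if [ "$auth" != "1" ]; then
        echo "FINDING: BOOT_AUTH is '${auth:-unset}'; single-user boot does not require a password"
        return 1
    fi
    if [ -z "$users" ]; then
        echo "FINDING: BOOT_AUTH=1 but BOOT_USERS is empty; no account can authenticate at single-user boot"
        return 2
    fi
    echo "OK: single-user boot requires a password; permitted users: $users"
    return 0
}

# Constructed sample standing in for /etc/default/security
SAMPLE_SECURITY=${TMPDIR:-/tmp}/security.sample.$$
cat > "$SAMPLE_SECURITY" <<'EOF'
# constructed sample, not a real host file
BOOT_AUTH=1
BOOT_USERS=root,sysadm
EOF

check_boot_auth "$SAMPLE_SECURITY"
rm -f "$SAMPLE_SECURITY"
```

The return codes let the check be dropped into a cron job or configuration audit: 1 flags a host where the setting the auditor asked for is absent, while 2 catches the misconfiguration that is worse than either side of the debate, a host that demands a single-user password no account is allowed to supply.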
06-30-2009 08:46 AM
Re: Password Protect Single User Mode
06-30-2009 08:59 AM
Re: Password Protect Single User Mode
In a day like today, where remote console options are quite prolific, console-only direct access to root account policies is coming up short of satisfying the requirement of being on-site with physical access to the server. When you are forced to insert media to break into your own system, it is an added level of security. But after all, someone will need some way of accessing this server, and in the ultimate end, the security department will need to trust at least ONE admin. And needless to say, nothing is 100% secure, but adding another level of complexity to breaking into the system makes it more difficult to break in, should a mishap take place and an unauthorized person gain access into some level of the secured perimeter.
When it comes to security, at some point, you need to take your logical hat off, I came to realize, and not to fight by questioning the authority. If they want to feel safe under a false sense of security, let it be. You will be much happier.
UNIX because I majored in cryptology...
06-30-2009 09:04 AM
Re: Password Protect Single User Mode
06-30-2009 09:08 AM
Re: Password Protect Single User Mode
Password protecting single user mode is a bad idea:
pro: It improves security and stops unauthorized users from changing the root password.
con: Single user mode is a necessary method for regaining control of a system when the root password has been forgotten, or reset by an operator without documentation.
Remote console devices themselves can be protected well enough to not require single user mode being protected.
Modern servers with iLO cards have SSL protection on their web interface, and can use the root password to prevent unauthorized reboot.
Single user mode is a very useful tool that can be protected adequately IMO.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-30-2009 09:24 AM
Re: Password Protect Single User Mode
Modern servers with iLO cards have SSL protection on their web interface, and can use the root password to prevent unauthorized reboot.
IMO?
06-30-2009 09:46 AM
Re: Password Protect Single User Mode
Security auditors view security as an onion, with each layer making a system more secure. Following that point of view, it does make sense to lock down SUM. But as you figured out, any attacker who manages to gain access to your console, be it on site or remotely, can easily circumvent a locked-down SUM by booting off any OS he/she desires from a DVD, or even using your Ignite server! It can take as few as 10 minutes for someone who's prepared and knows what he/she's doing.
Restricting your iLOs/MPs to a locked-down network, and providing access to them only through a box from which you can use SSH redirection, is a much better "onion layer" from my point of view than locking down SUM. Yet experience has shown me that security auditors often don't consider what measures might already be in place for a particular security issue, and if they have decided that SUM must be locked down, no matter what you do to protect your console, then you as an admin have no choice but to do it.
Hey, who knows, even if you don't have a networked MP, an attacker might be able to use a laser to poke the pins of the serial ports behind your server to hack it, from across the street, using expensive network mirrors left in place by a blue-lens-glassed 19-year-old nerd who posed as an HVAC contractor last week.
So would I do it? Not unless I'm forced to. But I'd do it, no problem, under one condition: any production system that gets its SUM locked out must absolutely be in a ServiceGuard cluster. If a goof happens with the root password, I can at least fail over the application and reinstall the affected node without too much interruption. Without ServiceGuard, we're talking about a complete reinstallation if something goes south.
My two cents
07-01-2009 03:23 PM