HPE Community
Operating System - HP-UX
1828389 Members
3322 Online
109977 Solutions
New Discussion

Boot Authentication

 
Gamaliel
Frequent Advisor

‎02-05-2009 10:20 AM

‎02-05-2009 10:20 AM

Boot Authentication

Hi Dudes,

I have an observation from an external auditory telling me to fix the exposure of our system from being booted by anyone with access to the site...

So, can anybody (that sounds like Fredy Mercury, right?) tell me if I mis something?

-First we had converted to trusted system
-Second I write this two lines to the /etc/default/security file:
BOOT_AUTH=1
BOOT_USERS=root,jsantana
-Third, from uncleSAM at Auditing and Security==>System Security Policies==>General User Account Policies--I set the option--[X] Require Login Upon Boot to Single-User State
-Finally also with SAM at Accounts for Users and Groups==>Users--the user--Actions==>Modify Security Policies==>General User Account Policies--i selected--Authorize User to Boot to Single-User State: [ Yes ->]

Tks.
0 Kudos
Reply
4 REPLIES 4
Court Campbell
Honored Contributor

‎02-05-2009 10:43 AM

‎02-05-2009 10:43 AM

Re: Boot Authentication

Technically anyone with access to the room that the server sits in can boot it. That's about as simple as turning the power button on. There is really nothing wrong with someone booting the machine. The issue is if they can boot into single user mode and change roots password.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎02-05-2009 08:20 PM

‎02-05-2009 08:20 PM

Re: Boot Authentication

> anyone with access to the site...

Hummm, do you mean somewhere in the building using a network connection, or access to the computer room? Outside the computer room, there is no possible way to for a user to interact with the computer unless you have connected the GSP (or MP, etc) to an outside network. The console LAN must never be routed outside the computer room. Access to the console is a big security issue.

Inside the computer room, there is no security. Every machine is wide open. The bad guy can pull out power plugs, put hubs in series with network cables, use a Blackberry to trace traffic or to plug into a console port, physically bypass a firewall, steal backup tapes, use flash drives to collect data, add a keyboard flash drive to collect keystrokes, and on and on. In other words, computer room security is much more important than any individual computer setup.

So your protection is fine but with the bad guys in the computer room, most everything is no longer secure.


Bill Hassell, sysadmin
0 Kudos
Reply
Gamaliel
Frequent Advisor

‎02-06-2009 11:25 AM

‎02-06-2009 11:25 AM

Re: Boot Authentication

Thanks for your comments, quite ilustrating, so look, this is the point.

The only console is on the site with security access... but i have this auditing observation, so i need to configure the system to doesn't allow an unauthorized boot of the system.
0 Kudos
Reply
Court Campbell
Honored Contributor

‎02-11-2009 07:01 AM

‎02-11-2009 07:01 AM

Re: Boot Authentication

> so i need to configure the system to doesn't allow an unauthorized boot of the system

The issue is that the statement is nonsense. If the server is in a secure room and only approved individuals have access to that room, then you have met the requirement. The only thing you can control is access to single user mode. Basically you are done, and your auditor is clueless.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.