Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP HP-UX Auditing System Extensions
21222324252627282930
are altered incorrectly or maliciously before the reboot, the system can have problems
during and after the reboot. Therefore, perform these preventative tasks:
Make sure the system and system console are physically secure and that only
authorized users have access.
Enable the boot authentication feature to allow only specified users to boot the
system to single user mode. See Section 1.4.
Make sure system files are write protected; some might need to be read protected.
Following is a summary of the boot sequence that occurs when you turn on or reset the
computer. See HP-UX System Administrator's Guide: Routine Management Tasks for more
information on the boot sequence.
1. During booting, there is about a 10-second wait that allows you to override the
automatic boot sequence. At this point, an intruder can interrupt the boot sequence
and enter the system.
You can gain root access when you interrupt the boot sequence by pressing any
key. The ISL prompts you for a command. Entering the following command causes
the system to be in single-user mode:
ISL> hpux -is
If you are not using boot authentication, a user can then log in as root with no
password.
Boot authentication allows only specified users to log in as root.
2. If the boot sequence is not interrupted, the initialization process continues.
3. HP-UX goes through its initialization process and begins normal operation, ready
for login. At this point another security breach can occur if an intruder has already
gained root access.
If an intruder interrupts the boot process, they have gained root access to the system and
theoretically own the system. This ownership allows them to make changes to the system
through a great number of mechanisms.
1.3 Enable Login Security for root
Many network protocols such as rlogind and telnetd do not encrypt network
communication, making it easy for an intruder to sniff the administrative passwords from
the network. Try to minimize the usage of these nonsecure protocols.
To prevent an administrative login through such a protocol, you can use the /etc/
securetty file to limit logging in to the root account only through the system console.
For instance, to restrict root logins to only the console, create the/etc/security file
with a single line consisting of console. For more information, see login(1).
24 Installing the HP-UX Operating Environment Securely