Operating System - HP-UX

Re: Trusted System? Help!

 
Ted Flanders_1
Advisor

Trusted System? Help!

I don't know much about a trusted system, but I have been told that it will make my system more secure. I have a test box, E25, on the system and wanted to try and make it a trusted system but I am not sure what happens when you do this. So I haven't tried it yet. Will I still be able to access my test box if I make it a trusted system? Can someone point me to some info on exactly what a trusted system is? Any help would be appreciated. How do I know if my live box is a trusted system?
3 REPLIES
CHRIS ANORUO
Honored Contributor

Re: Trusted System? Help!

You will find it easy to configure from SAM. See this documentation: http://www.docs.hp.com/dynaweb/hpux10/inssen0a/b677/@Generic__BookView
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Neale Machin
Advisor

Re: Trusted System? Help!

There is a lot of useful info on The HP instant info CD (Using HP-UX section).

I've never set up a trusted system but I have used one. It's very handy for auditing access and commands but you have to be wary of how much you want to audit. Also auto password generation is a scream if you like getting calls from your users.
Just cos I look after Unix Boxes doesn't mean I wear sandals
Thomas Schler_1
Trusted Contributor

Re: Trusted System? Help!

You will be able to access the test box after making it a trusted system. Characteristics of a trusted system are:

-) /etc/passwd will no longer show up the encoded passwords. They are all replaced by '*'.

-) /tcb will be created. This directory is only readable by root. It contains information on each user on the system; among other things, the encoded passwords are put in here.

-) SAM provides a variety of system security policies. You have control on how a new user can choose a password or if a new user will get a system-created password. You can enable password aging policies (and controlling them).

-) You can de-activate and re-activate user accounts. That's different from removing or re-creating user accounts.

-) User accounts will be de-activated automatically, if the user performs several unsuccessful logins. Root can choose how many unsuccessful logins are allowed.

-) User accounts will be de-activated automatically, if the user account is inactive for a period of time. Root can choose how many days of inactivity.

-) When a new user logs in for the first time he needs an authorization number. After that he has to set his password first before entering any other command. The authorization number is given to root by SAM.

-) Root is not allowed to choose very simple passwords like 'a' or something like that.

If you change to a trusted system it may happen that some users can no longer log in. The cause is often quite simple: Untrusted systems use by default the first 8 characters of a password. When you change to a trusted system root can choose how many characters of a password are considered. If root changes the default of 8 characters, users may have to reset their passwords (using authorization numbers).

The trusted system gives root the possibility to increase security. Root is free to choose what level of higher security he wants to have. Security policies are easily set within SAM.

If you have converted to a trusted system and want to go back to the untrusted system for any reason, this is quite simple:
1) Enter SAM.
2) Go to "Auditing and Security".
3) Go to "Audited Events."
4) Choose "Action" --> "Unconvert the system."

(You are not able to perform step 3 on an untrusted system.)

To figure out if you are on a trusted system the /tcb directory should exist and /etc/passwd should not show up encoded passwords.

I am using trusted systems without problems. I also created a trusted system and unconverted it without any problem.

Trusted systems make use of different login procedures by local or remote users. This is also the case for imap or pop3 which are used to copy mailboxes from a mail server to PC or Mac clients. If you want to convert your mail server to a trusted system you should make use of the security enhancements provided by pop3 (or maybe by imap). The alternative is to use the trusted system as the outgoing mail server (that's no problem) and any other untrusted system as the incoming mail server (by mounting /var/mail of the trusted system).

NFS mounts work as before.

That's a little introduction. I hope it helps you decide whether to convert or not. I recommend converting to a trusted system. You do not have to read much documentation. SAM gives you enough on-line help; it is self-explanatory.
no users -- no problems
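
The check described in the last reply (the /tcb directory exists and /etc/passwd shows no encoded passwords), written out as an added example that is not part of the original thread. The function name, the optional root-prefix argument and the return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: tests the two signs of a trusted system named in the thread:
#   1. /tcb exists
#   2. every password field in /etc/passwd is '*'
# check_trusted [ROOT]
#   ROOT is a hypothetical prefix so the check can be run against a copied or
#   constructed file tree; with no argument the live system is inspected.
# Return codes (chosen for this example):
#   0 = both signs present, 1 = neither sign present,
#   2 = signs disagree (worth a closer look), 3 = passwd file unreadable.
check_trusted() {
    root=${1:-}
    passwd_file="$root/etc/passwd"
    tcb_dir="$root/tcb"

    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file"; return 3; }

    # Account names whose second field holds anything other than '*'.
    # Blank lines and comment lines are skipped.
    leftovers=$(awk -F: 'NF >= 2 && $1 !~ /^#/ && $2 != "*" { print $1 }' "$passwd_file")

    if [ -d "$tcb_dir" ]; then
        has_tcb=1; echo "$tcb_dir exists"
    else
        has_tcb=0; echo "$tcb_dir missing"
    fi

    for u in $leftovers; do
        echo "password field not '*' for: $u"
    done

    if [ "$has_tcb" -eq 1 ] && [ -z "$leftovers" ]; then return 0; fi
    if [ "$has_tcb" -eq 0 ] && [ -n "$leftovers" ]; then return 1; fi
    return 2
}
# Usage on the box itself (as root, since /tcb is only readable by root):
#   check_trusted; echo "result: $?"
```

A result of 2 means the two signs disagree, for example /tcb is present but some account still carries an encoded password in /etc/passwd.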