topic Re: Trusted Systems in Operating System - HP-UX

Trusted Systems

Troy E. Miles — Thu, 30 Oct 2003 08:47:07 GMT

I'm running HP-UX 11.11 as a Trusted System and I am experiencing the following problem:

I set my default security policies through SAM for password minimum time (7 days) and password expiration warning (30 days), but when I run getprpw against accounts they report -1 for both settings. When I use modprpw I can change the values.

Am I missing something?

Re: Trusted Systems

Brian Bergstrand — Thu, 30 Oct 2003 08:50:19 GMT

The system defaults are stored in a separate system file, not in each users file. The -1 represents the default, which is referenced from the system file. You can use modprpw to override the default for any specific user.

HTH.

Re: Trusted Systems

Brian Bergstrand — Thu, 30 Oct 2003 08:54:27 GMT

The system file is:

/tcb/files/auth/system

Forgot to mention that.

You can use getprdef and modprdef to view/modify these settings (or SAM).

Re: Trusted Systems

Troy E. Miles — Thu, 30 Oct 2003 10:03:50 GMT

Brian,

I don't think they are syncing. I set defaults through SAM, but they are not propagating to users and user accounts are set to use defaults, but that's not happening.

Re: Trusted Systems

Umapathy S — Thu, 30 Oct 2003 10:10:03 GMT

Troy,
Can you cut&paste the commands from /var/sam/log/samlog which sam has executed.

May be that can shed some light on this.

HTH,
Umapathy

Re: Trusted Systems

Brian Bergstrand — Thu, 30 Oct 2003 10:19:06 GMT

The defaults don't "propogate", you will never see default values in a specific user's profile using the the *prpw commands. You will always see the default placeholder of -1. SAM does the same thing I belive. The only time you will see a value in a specific user's profile is if you override the defaults for that user. Even though you can't see them for each user, the system will enforce the defaults.

Maybe I'm not understanding your problem though.

HTH.

Re: Trusted Systems

Troy E. Miles — Thu, 30 Oct 2003 10:23:09 GMT

Brian,

I understand you'll never see them in a user's profile, but when I run getprpw against a user's account it returns the -1 placeholder. Other than running modprpw on the individual accounts, how am I to affect a global change.

Re: Trusted Systems

Brian Bergstrand — Thu, 30 Oct 2003 10:33:29 GMT

You set the global defaults with modprdef or with SAM -> Auditing and Security -> System Security Policies. These are the only ways to modify the globals, going through SAM -> Users or using modprpw only modifies a single user. (BTW, SAM uses modprdef to do the actual work).

I've attached the man pages for the *prpw and the *prdef commands too.

HTH.

Re: Trusted Systems

Troy E. Miles — Thu, 30 Oct 2003 10:39:00 GMT

Brian,

Thanks for the help. I didn't digest all of your response properly. The problem I have is my company runs a security check script that uses getprpw. Since, getprpw returns the placeholder (-1) and not the system default setting, the script returns an error saying password aging is not properly configured.

I'll have to pass this information on to them.

Thanks again.

Re: Trusted Systems

Brian Bergstrand — Thu, 30 Oct 2003 10:52:07 GMT

I see. You'll have to modify the script to query the system defaults with getprdef, then if getprpw returns -1, replace the -1 with the default value. This will then show the correct value for any user who is using the default. If getprpw doesn't return -1, then the default has been overridden by the user specific value, and no replacement will be necessary.

The man pages I attached in the previous post will explain how to use getprdef.

HTH.