topic Re: Enable Trusted Mode - HP-UX in Operating System - HP-UX

Enable Trusted Mode - HP-UX

Karthik S S — Fri, 30 Apr 2004 08:10:06 GMT

Hi,

I need help in setting up one of the hp-ux box as trusted system. This is really very urgent and not in a position to do a RTFM :-(.

I want to,
1. Enable file level auditing (need step by step details)
2. Should be able to monitor usage of root previleged commands
3. Needs to understand if enabling trusted mode affects the existing configuration. What are all the things that needs to be taken in to consideration before enabling trusted mode.
4. Will the exisiting users be affected by this operation?

Any help will be greately appriciated.

Thanks in advance,
Karthik S S

Re: Enable Trusted Mode - HP-UX

RAC_1 — Fri, 30 Apr 2004 08:19:31 GMT

1. Turn on the audiing once system is converted to trusted mode. Audit events that relate to file deletion modification. man audisp.

audisp -e "eventname" -u "user_name"

For file related things you can monitor delete, modaccess events.

2. Monitoring usage of root previled commands. Do you plan to use sudo and give root access for few thinhgs to user? Then sudo will log everything in syslog.log.
Other than this .sh_history file of root.

3. No effects. Should affect only those applications which do not understand C2 level. IF thay want to access it, they should make appropriate sys calls to get password details.

4. All accounts will be expired when you convert to trusted mode. Aviod that.
/usr/lbin/modprpw -V

Hope this helps.

Anil

Re: Enable Trusted Mode - HP-UX

Darren Prior — Fri, 30 Apr 2004 08:21:57 GMT

Hi,

Phew - that's a fair bit of information that you need!

Before you trust the system you must check whether all your 3rd party software supports trusted system. There was a query here a day or so back where someone had an application that stopped working when the system was trusted. They were lucky, in that the software supplier already had a patch for their application, but there are a number of software applications that just won't work in a trusted environment.

The supported method to trust a system is via SAM. You can also configure auditing through SAM. You will need to consider how large to make the audit files, how you will archive them and exactly what you hope to achieve from auditing.

Depending on your OS, password ageing and length some users may have problems after you've trusted the system. Even though you say this is urgent, I'd urge you to read the notes on trusting your system and the auditing man pages.

regards,

Darren.

Re: Enable Trusted Mode - HP-UX

Karthik S S — Fri, 30 Apr 2004 08:22:25 GMT

Thank you Anil.

But how do I enable Trusted mode? Just by running tsconvert? Or are there any steps involved with that??

Will all the existing users be prompted to change their password?

-Karthik S S

Re: Enable Trusted Mode - HP-UX

Karthik S S — Fri, 30 Apr 2004 08:25:38 GMT

After turning on the trusted mode if we face any issues, can we revert back to original configuartion without any problems??

-Karthik S S

Re: Enable Trusted Mode - HP-UX

RAC_1 — Fri, 30 Apr 2004 08:29:12 GMT

You can convert to trusted mode from SAM or on command line.

command line- /etc/tsconvert -c

Yes all accounts will expire and will be prompted for new password. So immediatley after you do /etc/tsconvert -c, do
/usr/lbin/modprpw -V

Rather do
/etc/tsconver -c;/usr/lbin/modprpw -V

Anil

Re: Enable Trusted Mode - HP-UX

Karthik S S — Fri, 30 Apr 2004 08:35:13 GMT

What does "/usr/lbin/modprpw -V" do? Does it allow the users to keep their existing password??

-Karthik S S

Re: Enable Trusted Mode - HP-UX

Hazem Mahmoud_3 — Fri, 30 Apr 2004 08:36:25 GMT

1 & 2. Powerbroker would be your most practical and system-efficient solution. www.symark.com. Obviously that's not a quick solution, but do consider it.
3. /etc/tsconvert, and make sure to reset the root password before you leave that prompt.
4. The existing users were not affected on my system when I ran tsconvert. But it is possible they would get affected, as well as root. All you would care about is the root account, so just make sure you reset that password to whatever it was.

HTH

-Hazem

Re: Enable Trusted Mode - HP-UX

Tapas Jha — Fri, 30 Apr 2004 08:36:48 GMT

Hi,

Yes, you can revert back to untrusted mode.
Before going to trsuted mode please check the minimum patches needed. In anyway, i hope you know how to convert back .
This is the one: /usr/lbin/tsconvert -r

To Verify ehethere system is in normal mode or not check that the /etc/passwd file is returned to normal ( without '*' in 2nd column)
Check that the /tcb directory does not exist.

Rgds
Tapas

Re: Enable Trusted Mode - HP-UX

Hazem Mahmoud_3 — Fri, 30 Apr 2004 08:37:31 GMT

-V This option is specified WITHOUT a user name to
"validate/refresh" all user's passwords. It goes through the
protected password database and sets the successful change time
to the current time for all users. The result is that all user's

Re: Enable Trusted Mode - HP-UX

Hazem Mahmoud_3 — Fri, 30 Apr 2004 08:38:56 GMT

apparently there was more in the man page:)

password aging restarts at the current time.

May be combined with one of -l or -n options.

No points please!

-Hazem

Re: Enable Trusted Mode - HP-UX

RAC_1 — Fri, 30 Apr 2004 08:44:45 GMT

man modprpw
man modprdef
man getprpw
man getprdef

Anil

Re: Enable Trusted Mode - HP-UX

Darren Prior — Fri, 30 Apr 2004 08:47:26 GMT

Just a quick FYI: Please note that the only HP supported way to trust/untrust a system is to use SAM. Using tsconvert on its' own is not supported!

regards,

Darren.

Re: Enable Trusted Mode - HP-UX

Karthik S S — Fri, 30 Apr 2004 08:51:40 GMT

Thak you all .. I will get back to incase I have any trouble setting it up.

Thanks again

Karthik S S

Re: Enable Trusted Mode - HP-UX

Hemanth Gurunath Basrur — Fri, 30 Apr 2004 13:10:52 GMT

Hello Karthik,

Refer to this doc for more information.

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/8-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/8-toc.html&searchterms=trusted%7cmode%7cenable&queryid=20040430-120719

HTH.

Regards,
Hemanth

Re: Enable Trusted Mode - HP-UX

Sundar_7 — Fri, 30 Apr 2004 13:34:38 GMT

Hi Karthik,

You got answers for all of your questions above. /etc/tsconvert can be used to convert/uncovet the system. But as mentioned SAM is the supported way of doing it.

Trusted mode commands (getpr*, modpr*) are not documented in 11.0

If you have 11i then you can do a man on modprpw, getprpw and other modpr*, getpr* commands to better understand

Sundar

Re: Enable Trusted Mode - HP-UX

Karthik S S — Mon, 03 May 2004 04:06:58 GMT

Thank you all .. auditing is working fine. But not as I expected. I am able to monitor creation and deletion of objects. But how do I determine if a file is modified. For instance if userA edits a file by name testfile, I should be able to track what are all the changes made by him to that file.

Pl. help

These are the list of audited events I enabled from SAM. DO I need to enable any other event in order to track the changes made to a file??
â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â â
admin Yes Yes acct, adjtime, audctl, audswitch, clock_
close No No close, ksem_close, mq_close, munmap
create Yes Yes creat, mkdir, mknod, msgget, pipe, pset_
delete Yes Yes ksem_unlink, mq_unlink, msgctl, pset_des
ipcclose No No fdetach, shutdown
ipccreat No No bind, socket, socket2, socketpair, socke
ipcdgram No No
ipcopen No No accept, connect, fattach
login Yes Yes
modaccess Yes Yes chdir, chroot, fchdir, link, lockf, lock
moddac Yes Yes acl, chmod, chown, fchmod, fchown, fseta â
open No No execv, execve, ftruncate, ftruncate64, k â
process No No exit, fork, kill, mlock, mlockall, munlo â
readdac No No access, fstat, fstat64, getaccess, lstat â
removable No No exportfs, mount, umount, vfsmount â
uevent1 No No
uevent2 No No
uevent3 No No
--------------------------------

Also audisp doesn't display the full path of the file that is touched by the user. For instance if the user "sysadm" create a file by name testfile under "/home/sysadm", audisp displays only "testfile" but not the full path ..

audisp -u sysadm /.secure/etc/audfile1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~
040503 04:47:59 3982 S 8 3741 11 9000 20 9000
20 pts/td
[ Event=creat; User=sysadm; Real Grp=users; Eff.Grp=users; ]

RETURN_VALUE 1 = 5;
PARAM #1 (file path) = 0 (cnode);

Re: Enable Trusted Mode - HP-UX

Karthik S S — Mon, 03 May 2004 07:17:38 GMT

Any inputs to my above question??

Thanks,
Karthik S S

Re: Enable Trusted Mode - HP-UX

Sundar_7 — Mon, 03 May 2004 13:45:01 GMT

Hi Karthik,

I dont beleive auditing will help you to keep track of changes made to the file by a particular user.

You can use version control softwares like RCS or SCCS. Look at man page of ci and co.

Sundar.

Re: Enable Trusted Mode - HP-UX

RAC_1 — Mon, 03 May 2004 13:49:17 GMT

You would require rcs like software for that.

The following command will show you modification time, access time and change time. Hope this helps.

ls -t --> modification time
ls -u --> access time
ls -c --> change time

Anil