topic Re: HP-UX11i trusted system in Operating System - HP-UX

HP-UX11i trusted system

mehul_3 — Fri, 21 Nov 2008 12:12:42 GMT

Is there any log files generated that gives me clear indication that HP_UX is converted in to trusted system.
Awaiting for prompt response.

Regards,
Mehul

Re: HP-UX11i trusted system

Pete Randall — Fri, 21 Nov 2008 12:17:07 GMT

I always recommend using SAM to convert to trusted mode because SAM handles the expiring of passwords so you don't end up with a system you can't log into. Given that, I would suggest looking at /var/sam/log/samlog. Also the mere presence of the /tcb directory structure is a pretty good indicator of a successful conversion.

Pete

Re: HP-UX11i trusted system

Suraj K Sankari — Fri, 21 Nov 2008 12:22:08 GMT

Hi,

I donâ t know log file is there or not but if you cat /etc/passwd
passwd field will showing * for all user as well as you can see /tcb/auth/files/a-z directory also

Suraj

Re: HP-UX11i trusted system

James R. Ferguson — Fri, 21 Nov 2008 12:36:24 GMT

Hi:

The presence of the file '/tcb/files/auth/system/default' indicates a trusted system.

Regards!

...JRF...

Re: HP-UX11i trusted system

mehul_3 — Fri, 21 Nov 2008 12:42:21 GMT

would like to know from which criteria I can show auditor that system is converted into trusted one. Is any audit file generated.

Regards,
Mehul

Re: HP-UX11i trusted system

Jaime Bolanos Rojas. — Fri, 21 Nov 2008 12:44:29 GMT

mehul,

Also if you go to SAM, then auditing users and groups, and you received a message stating that to audit users your system needs to be trusted, then the system is not trusted yet.

As you can see there are different ways to check if the system is trusted or not.

Regards,

Jaime.

Re: HP-UX11i trusted system

VK2COT — Fri, 21 Nov 2008 20:27:28 GMT

Hello,

Some additional methods for checking TCB:

/usr/lbin/getprdef -r

authck -p

As always, there is more than one way to
make things work :)

Cheers,

VK2COT

Re: HP-UX11i trusted system

Johnson Punniyalingam — Sat, 22 Nov 2008 14:38:32 GMT

Hi Mehul,

If you want to check from the command line that Enhanced Security is enabled on your system do "rcmgr get SECURITY". For Enhanced Security the response will be 'ENHANCED'.

Checking for prpasswdd is not definitive as not all versions have a prpasswdd and it does not have to be running for Enhanced Security to work.

All that checking for the existance of the Enhanced Security files (i.e. /etc/auth/system/default) will tell you is if the Enhanced Security subsets have been installed on your system and/or you had Enhanced Security enabled on your system at one time.

Thanks,
Johnson

Re: HP-UX11i trusted system

Bill Hassell — Sat, 22 Nov 2008 17:01:59 GMT

Since your auditors are probably not familair with HP-UX Trusted Systems, just use SAM to demonstrate that enhanced security features are present. Go to the Auditing and Security selection (auditors will like that) then System Security Policies and finally Password Aging Policies:

Time Between Password Changes (days): 0
Password Expiration Time (days): 182
Password Expiration Warning Time (days): 7
Password Life Time (days): 196

(your numbers may be different). These 4 choices will not appear in a standard security system. Once the system is Trusted, these new options will appear. There is no log that shows when this change (from standard to Trusted) was made.

Re: HP-UX11i trusted system

Bill Hassell — Sat, 22 Nov 2008 17:05:07 GMT

Let me qualify "no logs". If you used SAM to convert your system, and your SAM logs have not been truncated or overwritten, then you can search through samlog to locate the date. If you used tsconvert instead, then there will be no log and dates for the requisite files and directories are updated every time a new user is added or a policy is changed.