topic Re: trusted system in Operating System - HP-UX

trusted system

rajesh73 — Sat, 24 Oct 2009 07:07:59 GMT

HI

I have rp3440 server and i installed hp-ux 11.11
how to trust the system

any one help me very urgent

Re: trusted system

Hakki Aydin Ucar — Sat, 24 Oct 2009 07:36:15 GMT

Hi,
The preferred method of converting a system to Trusted Systems is by using SAM. The resulting files and directories that manage the Trusted Computing Base (TCB) are sensitive to inappropriate editing (don't mess it up) leading to a system which may lock out every user, including root. Such a situation would probably need the use of the Recovery Media, the Recovery Shell, and some clever backing out of the TCB configuration.

To enable Trusted Systems from within SAM, you would navigate from the Main Menu - Auditing and Security and then to any of the four sub-menus titled "Audited Events," "Audited System Calls," "Audited Users," or "System Security Policies."

http://docs.hp.com/en/B2355-90950/ch08s08.html

Re: trusted system

Raj D. — Sat, 24 Oct 2009 07:52:46 GMT

Rajesh,
Using command prompt to convert into trusted mode :
# cd /usr/lbin
# ./tsconvert

To verify trusted sytem:
# cd /usr/lbin ; ./getprpw username

More info: HP-UX Trusted System reference: http://docs.hp.com/en/B2355-90121/ch01s02.html

Hth,
Raj.

Re: trusted system

Sajith P V — Sat, 24 Oct 2009 08:45:09 GMT

use /etc/tsconvert -c to convert to trusted mode.
users with passwd more than eight characters will not be able to login after conversion unless they enter upto eight characters only.

Re: trusted system

Sajith P V — Sat, 24 Oct 2009 08:47:10 GMT

sorry..
run /usr/lbin/tsconvert - c instead of /etc/tsconvert -c

Re: trusted system

Bill Hassell — Sat, 24 Oct 2009 22:11:42 GMT

> run /usr/lbin/tsconvert -c

The reason that SAM is preferred is that this command will indeed convert to Trusted but expires *ALL* passwords. If you use this method, you must follow the conversion with:

/usr/lbin/modprpw -V

NOTE: That is a capital V not lowercase v.

Re: trusted system

rajesh73 — Mon, 26 Oct 2009 03:15:02 GMT

Hi Bill

If iam suppose convert to trustmode my root password is disabled?
What can I do?

Re: trusted system

Dennis Handly — Mon, 26 Oct 2009 03:31:28 GMT

>my root password is disabled?

Logon from the console.
Also, have multiple windows to the machine and use one to test while staying on root with another.

Re: trusted system

Johnson Punniyalingam — Mon, 26 Oct 2009 03:35:46 GMT

>>If iam suppose convert to trustmode my root password is disabled?
What can I do?<<<

Looks like you assume ? I am right ?

If yes, you need boot the Server single user mode

Interput ISL> hpux -is
> bo pri

# /usr/lbin/modprpw -k root (enable root account)

or

# cd /tcb/files/auth/r
# vi root

pwd "filed" erase

Re: trusted system

Raj D. — Mon, 26 Oct 2009 03:44:47 GMT

Rajesh,

>if root password is disabled?
What can I do?

keep few root session open :
And you can alaways enable the root password using #/usr/lbin/modprpw -k root

Re: trusted system

rajesh73 — Mon, 26 Oct 2009 05:52:26 GMT

HI All

Thank u 4 ur valuable suggestions

I opened multiple section before trusting the system

After trusted i have tried this command #/usr/lbin/modprpw -k root
and than changed the passwd now my server is trusted

Thanku
rajesh

Re: trusted system

Suraj K Sankari — Mon, 26 Oct 2009 06:14:07 GMT

Hi,
If your root or any user account goes disable use this command
#/usr/lbin/modprpw -l -k username

Always create a root equivalent account or implement sudo.

Suraj

Re: trusted system

rajesh73 — Mon, 26 Oct 2009 06:21:45 GMT

Ok, surely now iam enabling sudo to this server

thank you