topic Re: Trusted System --? Procedure --? in Operating System - HP-UX

Trusted System --? Procedure --?

ln_unix — Tue, 27 Jul 2010 18:21:53 GMT

Hello All,

I need help of yours...

I want to know that what is a trusted system?

Also, the step by step procedute to make a system trusted system....

Please tell me the step by step procedure...

Thanks in advance...

Best Regards,
LN

Re: Trusted System --? Procedure --?

James R. Ferguson — Tue, 27 Jul 2010 18:54:47 GMT

Hi:

See Appendix-A of:

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c01944073/c01944073.pdf

Trusted Systems are deprecated at 11.31 (the last release to support them).

Regards!

...JRF...

Re: Trusted System --? Procedure --?

Tim Nelson — Tue, 27 Jul 2010 18:55:41 GMT

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c01920025/c01920025.pdf

Chapter 8

Re: Trusted System --? Procedure --?

Emil Velez — Wed, 28 Jul 2010 04:58:05 GMT

you should not need trusted systems for 11.23 and 11.31 since auditing and extended user management of logins and passwords can be done with SMSE security extensions and SMSE auditing.

Re: Trusted System --? Procedure --?

Basheer_2 — Wed, 28 Jul 2010 05:16:01 GMT

Trused system mas more fatures than the normal default security ofHP-UX.

for eg: you can have longer password lengths, many more password/account controls.

tsconvert to convert to trusted system
and
tsunconvert to back to normal system.

Re: Trusted System --? Procedure --?

Paul Ettema — Wed, 28 Jul 2010 08:09:27 GMT

Hi LN,

Pay attention for (oracle) listeners.
We had a problem with one of our applications.
File creation by (oracle) listener use umask 066 (in trusted mode)

if you want to change this ?
set umask just before starting command of (oracle) listener.

P.M.E.

Re: Trusted System --? Procedure --?

Emil Velez — Thu, 29 Jul 2010 03:09:32 GMT

all of the extended security features of trusted systems except for generating passwords is available with SMSE security at 11.23

Trusted system conversion is not really necessary to provide additional security at 11.23

Re: Trusted System --? Procedure --?

KathyL1 — Thu, 29 Jul 2010 04:32:14 GMT

[i]All of the extended security features of trusted systems except for generating passwords is available with SMSE security at 11.23

Trusted system conversion is not really necessary to provide additional security at 11.23[/i]

Re: Trusted System --? Procedure --?

KathyL1 — Thu, 29 Jul 2010 04:55:40 GMT

SMSE may offer many of the features provided by TCB but the shadow password system, even with SMSE installed, lacks some of the very significant security features of TCB - and, even with the latest release of 11.31, this is still the case.

Basically, shadow password does NOT enforce all of the attributes defined in /etc/default/security for the root user (for either the root user password or non-root user passwords changed by the root user).

While the HP-UX Security Management guide states repeatedly that the attributes configured in this file are system-wide the security(4) man page advises that some attributes only apply to non-root users (ie, ALLOW_NULL_PASSWORD, MIN_PASSWORD_LENGTH and PASSWORD_MIN_type_CHARS). All of these attributes are, however, enforced for the root user on a system using TCB.

With TCB being deprecated in 11.31 I first asked HP more than a year ago to provide the OPTION of enforcing all password policies for the root user as we have a legal requirement for these and cannot change to shadow password without them.

Initially HP declined this enhancement request (even though we could not ever legally use 11.4x without it) but I persisted with my request and, last month, I finally received advice that this OPTION will be provided in a future release of 11.31 - at this stage it is expected to be available sometime in 2011.

Kathy

PS: Sorry about my previous post - I meant to select the preview option to see if I could include text in italics but I accidentally clicked on submit instead. :(