topic tsconvert in Operating System - HP-UX

tsconvert

Duncan Beattie — Wed, 03 Jul 2002 07:14:57 GMT

Hi

I am in the process of hardening my HP servers, using amongst other things, tsconvert.

The extent of my knowledge on this is
tsconvert -c to convert to a trusted system
tsconvert -r to backout, or return to a normal system.

Can anyone help me with documentation on this command (I can't find any)?

Does the backout undo everything that the -c switch puts in place?

Does anyone know of any issues with running HP Openview Network Node Manager on a trusted system?

Thanks in advance!

Duncan

Re: tsconvert

Stefan Farrelly — Wed, 03 Jul 2002 07:31:04 GMT

The procedure for reverting back from a trusted system is a little more involved;

1. "tsconvert -r" to convert it to normal password file, although it may miss some information (hence you need steps 2&3 below)
2. use a backup copy of /etc/passwd to overwrite the password file (from before you converted it to trusted)
3. run "tsconvert" again

There is no manpage for it.

Ive seen lots of systems running HP OV and trusted without any problems.

Re: tsconvert

Steve Steel — Wed, 03 Jul 2002 07:32:40 GMT

Hi

www.docs.hp.com

select search this site from the blue

use

trusted system

Lots of documentation

Also try on tsconvert as search pattern

steve Steel

Re: tsconvert

Duncan Edmonstone — Wed, 03 Jul 2002 07:33:39 GMT

Duncan,

'Officially' you shouldn't use tsconvert - it isn't a supported user command (hence no man page). 'Officially' you should be converting to trusted system via sam. This link will give some insight into why this is the case (look at Bill Hassells posts)

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xe505a22d6d27d5118fef0090279cd0f9,00.html

That said, the backout *should* undo everything that the convert did, but you should watch for changes that result from policies when trusted which are not backed out when it is untrusted (e.g. password length causing passwords to be truncated)

I'm no NNM expert, but I have installed and run NNM on a trusted system with no problems.

HTH

Duncan

Re: tsconvert

Michael Tully — Wed, 03 Jul 2002 07:38:03 GMT

Hi,

There is no man page for the command. Backing out removes everything, but leaves the /tcb directory tree. There are no issues that I know where there are problems with trusted system and NNM co-existing. Please remember that if you trust a system, all passwords are reset and expire immediately.

Michael

Re: tsconvert

Duncan Beattie — Wed, 03 Jul 2002 08:10:54 GMT

Stefan, Steve, Duncan, Michael

Thanks a lot for your pointers. Your help is much appreciated.

Duncan

Re: tsconvert

Keith Buck — Thu, 11 Jul 2002 16:48:30 GMT

Try using HP-UX Bastille. A beta version is available from http://www.bastille-linux.org.

Using tsconvert directly can be dangerous because it doesn't do all the checks that SAM does. (for example, check for NIS incompatibility). Bastille does checks similar to SAM to help prevent you from getting into an inconsistent state.

Also, Bastille is a general hardening tool and will do a lot more than just tsconvert (all optional, of course)

Re: tsconvert

Steven Sim Kok Leong — Fri, 12 Jul 2002 07:07:41 GMT

Hi,

As part of the hardening process, you might be interested in the CIS Security Benchmarks for securing your server.

The CIS benchmark for HP-UX can be found at:

http://www.cisecurity.org/bench_HPUX.html

The benchmark is intended for HP-UX 10.20, 11.00 and 11.11 (11i).

After hardening your server, it is good practice to run a vulnerability scanner and perform a scan on your server.

Nessus is one great opensource scanner you can use to audit your system across the network with the latest vulnerability checks.

http://www.nessus.org

Because of its opensource and the huge pool of volunteers writing vulnerability checks for it (the scripting language to write vulnerability check is pretty easy to use), vulnerability checks always come available extremely quickly once a vulnerability is known, unlke many other similar software.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: tsconvert

Donald Kok — Mon, 15 Jul 2002 10:01:57 GMT

The manual is at http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

In it you will find the idea that it is better to go to 'trusted' through sam.
Good luck
Donald