Re: Centralized account administration that allows auditing?

Paul Maglinger · ‎01-11-2010

We have 9 HP-UX 11.23 systems that we're using NIS for authentication. Unfortunately, that doesn't allow the systems to be trusted and therefore I cannot enable auditing. I have searched through the discussions here and the ones that I found relevant were 2-3 years old. To summarize: Don't use NIS+ because it is being phased out and don't use LDAP because it is difficult to implement and maintain. The only viable option is to schedule copies of the passwd and group files across all the servers. Is this still the "best" solution? The end result I want is centralized account administration that will allow me to enable auditing. Thoughts, please?

Steven E. Protter · ‎01-11-2010

Shalom,

You have eliminated two of the three possible solutions.

NIS+ is being phased out.

NIS is not being phased out, but leaves a lot to be desired on the security standpoint.

LDAP should be easier than it is.

So assuming you eliminate the top three answers, copying around the /etc/passwd and /etc/group files is your best option. I would not call it best. I would describe it as settling.

As far as audit goes you could go with HP-UX Trusted system and run that audit system on each server. This will take some time to get working as the audit data is pretty big and quickly tries to fill up the root file system.

You could use a system like e-trust to maintain better auditing. This system can actually be configured to replicate passwords up to the root seos(e-trust) server.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Paul Maglinger · ‎01-11-2010

Thank you for the quick response, Steve.

That's what I was afraid of. So homing in on those two options...
If I have password expiration enabled on security and I copy the files to each server, will that reset the password expiration date on all the servers it's copied to as well? And is there something already in place that would find the newest files and replicate those across to the others?
And, what is this "e-trust" you mentioned? Is this some type of 3rd party authentication solution? A quick Google brought up anti-virus, privacy policy management and food.

Rita C Workman · ‎01-11-2010

hmmmm....

I don't copy my passwd file around to other boxes, because there area absolutely some folks I don't want to have a login to certain boxes.

And for security/auditing, I hate the "it's all or nothing option with Trusted turned on". So think I looked around to get out of the box.

For me, I like to audit who I want to audit without them knowing when I'm in the mood to monitor, and just them. So, I went with Symark Powerbroker software, now called Beyondtrust.com. But there are other vendors out there who do similar.
With this I can turn it on or off who I want, as many as I want, when I want - and the developer(s) never knows. I like that. It gives me logs that is full copy of every keystroke and every output of everything they do. I like that. And it has plenty of other options and utilities I can use, like distributing root or specific tasks, but frankly the ability to do adhoc auditing is why I got it.

Take a look around and you may find some third party software that gives you what you want at a reasonable price.

Think out of the box...
Rgrds,
Rita

Paul Maglinger · ‎01-11-2010

Thanks Rita. I have several servers that I don't have users log into and control that by only allowing login if the account has a home directory. That seems to work well keeping people out of servers they don't belong in. I'll look at your suggestion, but the folks here only want to buy a solution as a last resort. "We need to make the most of the tools we have". So if there is something I can do natively, that's the directory we'll go.

Olivier Masse · ‎01-11-2010

I might be mistaken but I don't think you need to be trusted on 11.23 to enable auditing. You can install the "standard mode security extensions" and you'll get many of the trusted mode features without needing to go trusted.

That being said, I'm currently copying password files using an ugly patched script but with 75+ servers that need different account sets this is becoming hard to manage and risky. This will sound odd but I think the easiest and most documented way to centrally manage accounts is actually using a Windows DC if you have one. There is a great cookbook from Eric Roseme on this subject on docs.hp.com. I read on LDAP, Kerberos, etc more than a few times and never really understood anything.

Olivier

mvpel · ‎01-12-2010

NIS+ isn't as bad as all that once you get the hang of it, and it's been "being phased out" for the last fifteen years or so. If it solves the problem without a big set of kludges and extra expense, then why not use it?

Just make sure that the trusted.org_dir table is correctly constructed with the UID number in the auth_user field, and the NIS+ server will keep everything organized for you and generate the /tcb/files/auth entries automatically when the user logs in to a trusted system.

Also, make sure that you have all the patches installed - older versions of NIS+ lead to mysterious and vexing problems, such as replica synchronization failures, which probably contributed to its bad reputation.

There's also the HP-UX Standard Mode Security Extensions bundle which allows auditing in non-trusted mode: http://docs.hp.com/en/5991-1101/ch08s03.html ...which may be a simpler approach than charging up the NIS+ learning curve.

mvpel · ‎01-12-2010

Oliver beat me to it - can't see the entire thread when composing a reply, oh well.

You should also look into CFengine - that's a handy tool which allows not only passwd/group file synchronization but a variety of other system maintenance and configuration operations.

Dennis Handly · ‎01-12-2010

>mvpel: can't see the entire thread when composing a reply

That's why you have multiple tabs. Of course you would need to reload before you submit. :-)

Paul Maglinger · ‎07-07-2010

Ended up using the Security Extensions and that seems to be working out well for me. Thanks everyone!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Centralized account administration that allows auditing?

Centralized account administration that allows auditing?