Operating System - HP-UX

10.2 thru 11 Trusted system

Waltina L. DiPaolo
Occasional Contributor

10.2 thru 11 Trusted system

is there one easy command that you can type in that will inform the user if the system is in trusted mode or not?

TD
Can't have your cake and eat it too
Jeff Schussele
Honored Contributor

Re: 10.2 thru 11 Trusted system

Hi TD,

I can't think of an easy one that a normal user can run outside of a script to check for the existence of the /tcb/files/auth/r dir or such

Like create a script called trustedy_n containing

#!/bin/sh
# trustedy_n: report whether this host is running as a trusted system
if [ -d /tcb/files/auth/r ]
then echo "System IS Trusted"
else echo "System is NOT Trusted"
fi

Then user could run that script & if the /tcb/files/auth/r dir exists (And it will ALWAYS exist on all trusted systems to hold the entry for root) it will echo appropriately.

But I'm not sure if after unconverting the dir still remains....

Else if root users are to run a command - then I'd run
getprpw root
to display root's trusted DB entry settings.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Michael Tully
Honored Contributor
Solution

Re: 10.2 thru 11 Trusted system

It is fairly simple.

on a trusted system you will get the usage:
# /usr/lbin/modprdef
Usage: modprdef -m opt=value[,opt=value]

On a non-trusted system:
# /usr/lbin/modprdef
System is not trusted

The code of the command checks to see if the system is trusted first, before it does anything. There are a few commands in /usr/lbin that will do this.

Anyone for a Mutiny ?
S.K. Chan
Honored Contributor

Re: 10.2 thru 11 Trusted system

Run the command ..
# /usr/lbin/modprdef
and it'll tell you but I think only superuser can run it.
Another way is to check the existence of file /tcb/files/auth/system/default. If it exists then the system is trusted. See ..
# man iscomsec
for details.
Jeff Schussele
Honored Contributor

Re: 10.2 thru 11 Trusted system

S.K. - yep none of the trusted commands are available to "normal" users in /usr/lbin - regardless of perms setting. Believe they're hard-coded that way.

I like the test for default file - but again I wonder if it remains if the system is converted BACK to non-trusted?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Michael Tully
Honored Contributor

Re: 10.2 thru 11 Trusted system

Yes it does check. If you do a 'strings modprdef' it will report 'Not Superuser'

Where is the 'iscomsec' program ? I have the man page but no command....?
Anyone for a Mutiny ?
Jeff Schussele
Honored Contributor

Re: 10.2 thru 11 Trusted system

Michael,

Believe it's a function in the /usr/include/prot.h file.

Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
S.K. Chan
Honored Contributor

Re: 10.2 thru 11 Trusted system

It's a system call, not a regular executable. If all iscomsec() is doing is checking for existence of the "default" file to determine if the system is trusted or not (from the man page), I don't see why we can't just say "ls /tcb/files/auth/system/default" and if it's there, it's trusted.
Waltina L. DiPaolo
Occasional Contributor

Re: 10.2 thru 11 Trusted system

I have several systems in trusted mode. Don't really want to revert back to test to see if the modprdef still works. Is there a doc you can refer me to, other than the man pages, that will give me a bit more info?

TD
Can't have your cake and eat it too
Waltina L. DiPaolo
Occasional Contributor

Re: 10.2 thru 11 Trusted system

Thanks. I've already read over them. They're not detailed enough. But thanks.

TD
Can't have your cake and eat it too
doug hosking
Esteemed Contributor

Re: 10.2 thru 11 Trusted system

There is no iscomsec program, but it would be trivial to write one that calls iscomsec and returns an exit status based on the result.
From the iscomsec manual page:

Notes
iscomsec determines if the system is a trusted system or not by
checking the file, /tcb/files/auth/system/default. If the file
exists, then the system is a trusted system. If the file does not
exist, then the system is not a trusted system.
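A user-runnable check along the lines Jeff and Doug describe, written here as an added example that is not from any post in the thread: it tests the same file the iscomsec(3) man page names and exits 0 when trusted, 1 otherwise, and also reports the /tcb/files/auth/r directory so the two indicators can be compared. The optional root argument and the TCB_ROOT variable are assumptions added so the script can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the thread: a non-root "is this system trusted?"
# check that mirrors what the iscomsec(3) man page says iscomsec() does, i.e.
# test for /tcb/files/auth/system/default. Exit status 0 = trusted, 1 = not.
# TCB_ROOT is an assumed knob so the check can be run against a scratch tree;
# leave it unset on a real HP-UX host.

# is_trusted [root]: return 0 if the trusted-system marker file exists under
# the given root (default: the real filesystem), 1 otherwise.
is_trusted() {
    root="${1:-}"
    if [ -f "$root/tcb/files/auth/system/default" ]; then
        return 0
    fi
    return 1
}

# trusted_report [root]: print the verdict from is_trusted plus the state of
# the protected password directory /tcb/files/auth/r (present on every
# trusted system, per Jeff's post), so a disagreement between the two
# indicators, e.g. after a conversion back to non-trusted, is visible.
trusted_report() {
    root="${1:-}"
    if is_trusted "$root"; then
        state="TRUSTED"
    else
        state="NOT trusted"
    fi
    if [ -d "$root/tcb/files/auth/r" ]; then
        rdir="present"
    else
        rdir="absent"
    fi
    echo "System is $state (auth/system/default); /tcb/files/auth/r: $rdir"
}

# Report on the live host (or on TCB_ROOT when set).
trusted_report "${TCB_ROOT:-}"
```

Run it as `./trustedy_n; echo $?` to get both the message and an exit status usable from other scripts.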