Operating System - HP-UX

Re: Converting a MCSG cluster to trusted system

patrick coutinho
Frequent Advisor

Converting a MCSG cluster to trusted system

Hi,

We have an MCSG cluster consisting of 2 independent nodes running HP-UX 11.11. The version of MCSG that runs is.

A recent Vulnerability Assessment by an external party has been performed and we have been asked, as part of the server lockdown, to convert the 2 servers which form a part of the MCSG cluster to trusted systems.

I have heard of problems with MCSG clusters after such conversions. Therefore I need your advice. How do I go about this?

We have also been asked to set up an audit trail on the server. Going through SAM, this is only possible once we convert to a trusted server. Also, password policy settings are more advanced in a trusted server.

So you see the conversion to trusted server is a core issue.

Is there any specific process that I could follow? These servers are highly critical servers containing valuable data.

Please help.

thanks in advance

Patrick
6 REPLIES
Steven E. Protter
Exalted Contributor

Re: Converting a MCSG cluster to trusted system

You need a test plan.

Some user accounts will get locked as a result of this transfer.

Reconfigure the audit logs to NOT be stored in the / root filesystem.

It should be possible to drop the nodes out of the cluster, upgrade and test them and then have them rejoin after.

I've run MC/SG successfully on trusted systems.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
patrick coutinho
Frequent Advisor

Re: Converting a MCSG cluster to trusted system

Hi Steven,

Thanks for your info. Do you have any process document that I could follow to do this conversion?

Can you elaborate on the audit log bit, please?

Many thanks

Patrick
Hakan Aribas
Valued Contributor

Re: Converting a MCSG cluster to trusted system

We are using Oracle 10g RAC on two Itanium rx8620 in trusted mode without any problem.
patrick coutinho
Frequent Advisor

Re: Converting a MCSG cluster to trusted system

Thanks a lot, Hakan. Is that all I need to do?

1) take the node out of the cluster
2) convert the node to trusted
3) bring node back into cluster

Please confirm. Is there anything else I need to do for the cluster bit?

Thanks

Patrick
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Converting a MCSG cluster to trusted system

I have made this transition a number of times and never even bothered to halt the packages. This should be independent of MC/SG. It is more difficult to make the transition in the other direction because you might have plaintext passwords longer than 8 significant characters. Going from non-trusted to trusted presents no such difficulties BUT always be logged in as root in at least two sessions so that you can get yourself out of trouble as fast as you got yourself in. If you are running password aging now (untrusted) then that data will be preserved. I would have some prebuilt scripts that gather your users that are not locked now (untrusted) (locked in untrusted system, by convention, means that the passwd hash is '*' (actually any other non-null, non 13-character string will lock the account)) and then run getprpw on each user. If the lockout field has a '1', the script should run modprpw -k user to unlock the account.

If you have backup copies of /etc/passwd and /etc/group, it's very easy to get yourself out of any mess by simply untrusting via tsconvert and restoring the original files.
If it ain't broke, I can fix that.
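
The pre-built script described in the answer above, written out as an added example that is not part of the original thread or anyone's production code. The function names and the `GETPRPW`, `MODPRPW` and `APPLY` variables are hypothetical, and it assumes `getprpw -m lockout user` prints `lockout=<bits>`.

```shell
#!/bin/sh
# Added example, not from the thread. GETPRPW, MODPRPW, APPLY and the
# function names are assumptions; on HP-UX the tools live in /usr/lbin.
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}
MODPRPW=${MODPRPW:-/usr/lbin/modprpw}

# Before conversion: list accounts that are NOT locked in a saved copy of
# the untrusted /etc/passwd. Per the answer, a hash that is non-null and
# not 13 characters (for example '*') means locked. With password aging
# the field is "hash,aging", so the aging suffix is dropped first.
unlocked_users() {
    awk -F: '{
        hash = $2
        sub(/,.*/, "", hash)
        if (length(hash) == 0 || length(hash) == 13) print $1
    }' "$1"
}

# After conversion: read user names on stdin and print "user bits" for
# each one whose lockout field contains a 1.
# Assumes "getprpw -m lockout user" prints lockout=<bits>.
newly_locked() {
    while read -r user; do
        bits=$("$GETPRPW" -m lockout "$user" 2>/dev/null </dev/null) || continue
        bits=${bits#lockout=}
        case $bits in
            *1*) echo "$user $bits" ;;
        esac
    done
}

# Read "user bits" lines and unlock each user. Dry run unless APPLY=1.
unlock_users() {
    while read -r user bits; do
        if [ "${APPLY:-0}" = 1 ]; then
            "$MODPRPW" -k "$user" </dev/null
        else
            echo "would run: $MODPRPW -k $user  (lockout=$bits)"
        fi
    done
}
```

Capture the `unlocked_users` list from the backup copy of `/etc/passwd` before converting, then pipe it through `newly_locked | unlock_users` afterwards and review the dry-run output before setting `APPLY=1`.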
patrick coutinho
Frequent Advisor

Re: Converting a MCSG cluster to trusted system

thanks everyone. points allocated

regards

patrick