Operating System - HP-UX

Converting my machines to trusted mode

 
prasadb
Super Advisor

Converting my machines to trusted mode

Dear all,

I would highly appreciate your help if someone tells me about the advantages and procedure of converting my normal system into the trusted one.

I have L-series servers

# model
9000/800/L2000-44
B.11.11

as well as a few

ia64 hp server rx4640 (Itanium) B.11.23 servers..


I have seen in SAM..

I went into system security policies

and there ..

password format policies
password aging policies
General user account policies
Terminal security policies

I set some policies for my systems..

But beyond that point I am not sure whether the system has become trusted just after this?
And I am more concerned about the implications that would be on the system, users and policies?

The system on which I have done this is a test system and there are no users other than root.

help !
15 REPLIES
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Not a single reply yet ?
Ganesan R
Honored Contributor

Re: Converting my machines to trusted mode

Hi,

It looks like you have already converted the system to trusted. You can confirm this if the /tcb directory exists on the system.

As you mentioned, you can set account policies and password policies globally and per user. You can also enable auditing.

There are many things you can control over accounts, like:

Locking inactive accounts,
Number of unsuccessful login tries allowed,

On passwords, like:

Disabling null passwords,
Password aging,
Password lifetime,
Password expiration,
Password length,

Needing a password in single-user mode, and so many things...

You can unconvert the system anytime without any implication to the system.
If you specify what you need help with, we will try to explain.
Best wishes,

Ganesh.
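The /tcb check suggested in the reply above, written out as an added example that is not part of the original post. It assumes trusted mode keeps its protected password database under /tcb/files/auth and leaves "*" in the password field of /etc/passwd, and that a shadow-password setup uses /etc/shadow with "x" in that field; the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes trusted mode keeps its protected password database under
# /tcb/files/auth and leaves "*" in the /etc/passwd password field, and
# that a shadow-password setup uses /etc/shadow with "x" in that field.

# Print trusted, shadow or standard for the tree rooted at $1 (default /).
auth_mode() {
    root="${1:-}"
    if [ -d "$root/tcb/files/auth" ]; then
        echo trusted
    elif [ -f "$root/etc/shadow" ]; then
        echo shadow
    else
        echo standard
    fi
}

# After a conversion, list accounts whose /etc/passwd password field still
# holds something other than a placeholder (a hash that was left behind).
stray_hashes() {
    root="${1:-}"
    if [ "$(auth_mode "$root")" = standard ]; then
        return 0    # hashes in /etc/passwd are expected in standard mode
    fi
    [ -r "$root/etc/passwd" ] || return 0
    awk -F: '$2 != "" && $2 != "*" && $2 != "x" { print $1 }' "$root/etc/passwd"
}

# Constructed sample tree: converted to trusted mode, one account missed.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/tcb/files/auth/r" "$d/etc"
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'appuser:Ab3dEfGhIjK1m:101:20::/home/appuser:/usr/bin/sh' \
        > "$d/etc/passwd"
    echo "$d"
}

# Report on the root passed as $1, or on the live system when none is given.
echo "password storage: $(auth_mode "${1:-}")"
stray_hashes "${1:-}"
```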
James R. Ferguson
Acclaimed Contributor

Re: Converting my machines to trusted mode

Hi:

Since you are running 11.11, see the chapter on security here:

http://docs.hp.com/en/B2355-90950/index.html

That said, you should know that Trusted systems are deprecated and will eventually not exist as an option.

You can begin your transition now, with a shadow password implementation:

http://docs.hp.com/en/B2355-90950/index.html

As you move to 11.23, you can implement Role-Based Access Control:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SecurityExt

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

Sometime after 11.31, it will not be possible to have a "Trusted" system as has heretofore been defined.

Regards!

...JRF...
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Thanks Ganesan,

I checked, but the /tcb file was not created on the server. I guess you are asking me to check it in my root's home directory.

Also, I read on the hp.docs site

"You have set SECURE to ON in the ISL when first booting your workstation"

and also this one

"NOTE: You cannot convert your system to a trusted system without installing the security patches first. Even if you use SAM to convert your system, it will not be a C2-level trusted system without the patches. "


Are these patches to be bought from HP, or are they available for free?

Kindly clear the air.

Thanks in advance.


Ganesan R
Honored Contributor

Re: Converting my machines to trusted mode

Hi,

Patches are available free from HP. You can download them from www.itrc.hp.com. Go to maintenance and support for HP products in the left side panel. There you can download all the available patches from HP.

It is mandatory to install the required patches before you convert the system to a Trusted one.
Best wishes,

Ganesh.
Yashwant
Valued Contributor

Re: Converting my machines to trusted mode

Refer to the following link to convert into trusted mode.

http://docs.hp.com/en/B2355-90950/ch08s08.html
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Thank you all.

James, I have installed the RBAC depot as you had recommended, but I don't know where to see/check the changes that have taken place.

Like, when the system is converted to trusted mode, the changes that I came to know of are:
1. /etc/passwd file
2. the passwords for the users on the machine expired (including that of root)

So, kindly let me know what changes have been brought in the system?

I have checked the /etc/passwd file; it is the same as it was earlier.

regards,
prasad
prasadb
Super Advisor

Re: Converting my machines to trusted mode

James,

I have assigned you 7 points just because I don't want to close this thread right now.

prasadb
Super Advisor

Re: Converting my machines to trusted mode

Hello all (again)

In continuation of the thread, I wish to have some feedback from the people who have done this (conversion to trusted mode) and what the impact is on the users and applications.

Kindly help!

regards,
prasad
Aneesh Mohan
Honored Contributor

Re: Converting my machines to trusted mode

Hi Prasad,

After converting your system to trusted mode:

1) The old passwords of the users might expire.

You can refresh the old passwords by using /usr/lbin/modprpw -V

2) The cronjobs may fail.

You may need to convert the cronjobs by using /etc/tsconvert -p

3) Mostly all of the applications support C2 level security, but it is better to confirm with the application vendor for clear information about this.

4) The performance of the system may be slightly degraded after converting to trusted.

5) If you converted using the tsconvert command, then please take care to edit /etc/rc.config.d/auditing to enable auto startup when booting the system; if you did it using SAM, this change will be made automatically.

6) It is better to create a separate filesystem for ./secure, otherwise your root filesystem may be impacted.

7) Make sure you apply the required security patches prior to the operation.

8) You can revert the changes at any time.

Thanks,
Aneesh
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Hello all Gurus,
In continuation of this thread, I have one question:
is there any difference between trusted mode and a C2-Level Trusted System? If yes, what is it?

thanking you all,

WR
prasad
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Yes, anyone?
Aneesh Mohan
Honored Contributor

Re: Converting my machines to trusted mode

Hi Prasad,

Nowadays, setting up a system as trusted is equivalent to C2.

The different classes of security used:

D1 > C1 > C2 > B1 > B2 > B3 > A1

D1 - Minimal
C1 - Discretionary
C2 - Controlled Access
B1 - Labeled Security
B2 - Structured Protection
B3 - Security Domains
A1 - Verified Design

Aneesh
prasadb
Super Advisor

Re: Converting my machines to trusted mode

Thank you Aneesh!

I would like to know further what the differences between these classes are, and how to know what class of security I have applied to my machine?
Aneesh Mohan
Honored Contributor

Re: Converting my machines to trusted mode

Hi Prasad,

This doc may help you.

http://www.docs.hp.com/en/B2355-90950/B2355-90950.pdf

Aneesh