Enable Trusted Mode - HP-UX

Karthik S S
Honored Contributor

Enable Trusted Mode - HP-UX

Hi,

I need help in setting up one of the hp-ux box as trusted system. This is really very urgent and not in a position to do a RTFM :-(.

I want to,
1. Enable file level auditing (need step by step details)
2. Should be able to monitor usage of root privileged commands
3. Need to understand if enabling trusted mode affects the existing configuration. What are all the things that need to be taken into consideration before enabling trusted mode?
4. Will the existing users be affected by this operation?

Any help will be greatly appreciated.

Thanks in advance,
Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
RAC_1
Honored Contributor
Solution

Re: Enable Trusted Mode - HP-UX

1. Turn on the auditing once the system is converted to trusted mode. Audit events that relate to file deletion/modification. man audisp.

audisp -e "eventname" -u "user_name"

For file related things you can monitor delete, modaccess events.

2. Monitoring usage of root privileged commands. Do you plan to use sudo and give root access for a few things to users? Then sudo will log everything in syslog.log.
Other than this, the .sh_history file of root.

3. No effects. Should affect only those applications which do not understand C2 level. If they want to access it, they should make appropriate sys calls to get password details.

4. All accounts will be expired when you convert to trusted mode. Avoid that.
/usr/lbin/modprpw -V

Hope this helps.

Anil
There is no substitute to HARDWORK
Darren Prior
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Hi,

Phew - that's a fair bit of information that you need!

Before you trust the system you must check whether all your 3rd party software supports trusted system. There was a query here a day or so back where someone had an application that stopped working when the system was trusted. They were lucky, in that the software supplier already had a patch for their application, but there are a number of software applications that just won't work in a trusted environment.

The supported method to trust a system is via SAM. You can also configure auditing through SAM. You will need to consider how large to make the audit files, how you will archive them and exactly what you hope to achieve from auditing.

Depending on your OS, password ageing and length some users may have problems after you've trusted the system. Even though you say this is urgent, I'd urge you to read the notes on trusting your system and the auditing man pages.

regards,

Darren.
Calm down. It's only ones and zeros...
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Thank you Anil.

But how do I enable Trusted mode? Just by running tsconvert? Or are there any steps involved with that??

Will all the existing users be prompted to change their password?

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

After turning on the trusted mode if we face any issues, can we revert back to the original configuration without any problems??

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
RAC_1
Honored Contributor

Re: Enable Trusted Mode - HP-UX

You can convert to trusted mode from SAM or on command line.

command line- /etc/tsconvert -c

Yes, all accounts will expire and will be prompted for a new password. So immediately after you do /etc/tsconvert -c, do
/usr/lbin/modprpw -V

Rather do
/etc/tsconvert -c;/usr/lbin/modprpw -V

Anil
There is no substitute to HARDWORK
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

What does "/usr/lbin/modprpw -V" do? Does it allow the users to keep their existing password??

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Hazem Mahmoud_3
Respected Contributor

Re: Enable Trusted Mode - HP-UX

1 & 2. Powerbroker would be your most practical and system-efficient solution. www.symark.com. Obviously that's not a quick solution, but do consider it.
3. /etc/tsconvert, and make sure to reset the root password before you leave that prompt.
4. The existing users were not affected on my system when I ran tsconvert. But it is possible they would get affected, as well as root. All you would care about is the root account, so just make sure you reset that password to whatever it was.

HTH

-Hazem
Tapas Jha
Valued Contributor

Re: Enable Trusted Mode - HP-UX

Hi,

Yes, you can revert back to untrusted mode.
Before going to trusted mode please check the minimum patches needed. Anyway, I hope you know how to convert back.
This is the one: /usr/lbin/tsconvert -r

To verify whether the system is in normal mode or not, check that the /etc/passwd file is returned to normal (without '*' in 2nd column).
Check that the /tcb directory does not exist.


Rgds
Tapas
Tapas Jha
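A small check script for the two indicators Tapas describes, written as an added example for this thread (not code from any poster or from HP): it reports "trusted" when /etc/passwd carries '*' in the password field and /tcb exists, "untrusted" when neither holds, and "inconsistent" when the two disagree. File paths are parameters so it runs against constructed sample files; on a real box you would pass /etc/passwd and /tcb.

```shell
# Added example, not from the thread: decide whether an HP-UX box is in
# trusted mode from the '*' password field in /etc/passwd and the presence
# of the /tcb protected password database. Paths are parameters so the
# check can run off-box against constructed samples.

# Return 0 when every non-comment entry has '*' as its password field.
passwd_is_trusted() {
    awk -F: '
        /^#/ || NF < 2 { next }
        $2 != "*"      { bad++ }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Print "trusted" or "untrusted" when both indicators agree, otherwise
# "inconsistent" (e.g. a leftover /tcb after tsconvert -r, or /tcb present
# while /etc/passwd still holds hashes), which is worth a closer look.
trusted_mode_status() {
    if passwd_is_trusted "$1"; then pw_state=trusted; else pw_state=untrusted; fi
    if [ -d "$2" ]; then tcb_state=trusted; else tcb_state=untrusted; fi
    if [ "$pw_state" = "$tcb_state" ]; then
        echo "$pw_state"
    else
        echo inconsistent
    fi
}

# Constructed sample inputs (fake hashes) so the check runs stand-alone.
tmp=$(mktemp -d)
printf 'root:*:0:3::/:/sbin/sh\nsysadm:*:101:20::/home/sysadm:/usr/bin/sh\n' > "$tmp/passwd.trusted"
printf 'root:fakehash1:0:3::/:/sbin/sh\nsysadm:fakehash2:101:20::/home/sysadm:/usr/bin/sh\n' > "$tmp/passwd.plain"
mkdir "$tmp/tcb"

trusted_mode_status "$tmp/passwd.trusted" "$tmp/tcb"      # trusted
trusted_mode_status "$tmp/passwd.plain"   "$tmp/missing"  # untrusted
trusted_mode_status "$tmp/passwd.plain"   "$tmp/tcb"      # inconsistent
# On a real system: trusted_mode_status /etc/passwd /tcb
```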
Hazem Mahmoud_3
Respected Contributor

Re: Enable Trusted Mode - HP-UX

-V This option is specified WITHOUT a user name to
"validate/refresh" all user's passwords. It goes through the
protected password database and sets the successful change time
to the current time for all users. The result is that all user's
Hazem Mahmoud_3
Respected Contributor

Re: Enable Trusted Mode - HP-UX

apparently there was more in the man page:)

password aging restarts at the current time.

May be combined with one of -l or -n options.


No points please!

-Hazem
RAC_1
Honored Contributor

Re: Enable Trusted Mode - HP-UX

man modprpw
man modprdef
man getprpw
man getprdef

Anil
There is no substitute to HARDWORK
Darren Prior
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Just a quick FYI: Please note that the only HP supported way to trust/untrust a system is to use SAM. Using tsconvert on its own is not supported!

regards,

Darren.
Calm down. It's only ones and zeros...
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Thank you all .. I will get back in case I have any trouble setting it up.

Thanks again

Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Sundar_7
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Hi Karthik,

You got answers for all of your questions above. /etc/tsconvert can be used to convert/unconvert the system. But as mentioned SAM is the supported way of doing it.

Trusted mode commands (getpr*, modpr*) are not documented in 11.0

If you have 11i then you can do a man on modprpw, getprpw and other modpr*, getpr* commands to better understand

Sundar
Learn What to do ,How to do and more importantly When to do ?
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Thank you all .. auditing is working fine. But not as I expected. I am able to monitor creation and deletion of objects. But how do I determine if a file is modified. For instance if userA edits a file by name testfile, I should be able to track what are all the changes made by him to that file.

Pl. help

These are the list of audited events I enabled from SAM. Do I need to enable any other event in order to track the changes made to a file??
Event      Success  Failure  System calls
---------  -------  -------  ----------------------------------------
admin      Yes      Yes      acct, adjtime, audctl, audswitch, clock_
close      No       No       close, ksem_close, mq_close, munmap
create     Yes      Yes      creat, mkdir, mknod, msgget, pipe, pset_
delete     Yes      Yes      ksem_unlink, mq_unlink, msgctl, pset_des
ipcclose   No       No       fdetach, shutdown
ipccreat   No       No       bind, socket, socket2, socketpair, socke
ipcdgram   No       No
ipcopen    No       No       accept, connect, fattach
login      Yes      Yes
modaccess  Yes      Yes      chdir, chroot, fchdir, link, lockf, lock
moddac     Yes      Yes      acl, chmod, chown, fchmod, fchown, fseta
open       No       No       execv, execve, ftruncate, ftruncate64, k
process    No       No       exit, fork, kill, mlock, mlockall, munlo
readdac    No       No       access, fstat, fstat64, getaccess, lstat
removable  No       No       exportfs, mount, umount, vfsmount
uevent1    No       No
uevent2    No       No
uevent3    No       No

Also audisp doesn't display the full path of the file that is touched by the user. For instance if the user "sysadm" creates a file by name testfile under "/home/sysadm", audisp displays only "testfile" but not the full path ..

audisp -u sysadm /.secure/etc/audfile1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~
040503 04:47:59 3982 S 8 3741 11 9000 20 9000
20 pts/td
[ Event=creat; User=sysadm; Real Grp=users; Eff.Grp=users; ]

RETURN_VALUE 1 = 5;
PARAM #1 (file path) = 0 (cnode);
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Karthik S S
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Any inputs to my above question??

Thanks,
Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Sundar_7
Honored Contributor

Re: Enable Trusted Mode - HP-UX

Hi Karthik,

I don't believe auditing will help you to keep track of changes made to the file by a particular user.

You can use version control software like RCS or SCCS. Look at the man pages of ci and co.

Sundar.
Learn What to do ,How to do and more importantly When to do ?
RAC_1
Honored Contributor

Re: Enable Trusted Mode - HP-UX

You would require rcs like software for that.

The following command will show you modification time, access time and change time. Hope this helps.

ls -t --> modification time
ls -u --> access time
ls -c --> change time

Anil
There is no substitute to HARDWORK
Bill Hassell
Honored Contributor

Re: Enable Trusted Mode - HP-UX

NOTE: if you enable auditing, especially for all files, you'll have to relocate the auditing files which by default are in the / (root) directory. They will grow enormously fast in a typical system. Note that you'll see every file access, from email to logs to profiles, etc. You may wish to limit the logging level since you'll have to spend a lot of time going through all the data every day.


Bill Hassell, sysadmin