
Re: HP-UX11i trusted system

 
mehul_3
Regular Advisor

HP-UX11i trusted system

Are there any log files generated that give me a clear indication that HP-UX is converted into a trusted system?
Awaiting a prompt response.

Regards,
Mehul
Pete Randall
Outstanding Contributor

Re: HP-UX11i trusted system

I always recommend using SAM to convert to trusted mode because SAM handles the expiring of passwords so you don't end up with a system you can't log into. Given that, I would suggest looking at /var/sam/log/samlog. Also the mere presence of the /tcb directory structure is a pretty good indicator of a successful conversion.


Pete

Suraj K Sankari
Honored Contributor

Re: HP-UX11i trusted system

Hi,

I don't know whether a log file is there or not, but if you cat /etc/passwd,
the passwd field will show * for all users, and you can also see the /tcb/auth/files/a-z directory.

Suraj
James R. Ferguson
Acclaimed Contributor

Re: HP-UX11i trusted system

Hi:

The presence of the file '/tcb/files/auth/system/default' indicates a trusted system.

Regards!

...JRF...
mehul_3
Regular Advisor

Re: HP-UX11i trusted system

I would like to know by which criteria I can show the auditor that the system is converted into a trusted one. Is any audit file generated?



Regards,
Mehul
Jaime Bolanos Rojas.
Honored Contributor

Re: HP-UX11i trusted system

mehul,

Also, if you go to SAM, then auditing users and groups, and you receive a message stating that to audit users your system needs to be trusted, then the system is not trusted yet.

As you can see there are different ways to check if the system is trusted or not.

Regards,

Jaime.
Work hard when the need comes out.
VK2COT
Honored Contributor

Re: HP-UX11i trusted system

Hello,

Some additional methods for checking TCB:

/usr/lbin/getprdef -r

authck -p

As always, there is more than one way to make things work :)

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Johnson Punniyalingam
Honored Contributor

Re: HP-UX11i trusted system

Hi Mehul,

If you want to check from the command line that Enhanced Security is enabled on your system do "rcmgr get SECURITY". For Enhanced Security the response will be 'ENHANCED'.

Checking for prpasswdd is not definitive as not all versions have a prpasswdd and it does not have to be running for Enhanced Security to work.

All that checking for the existence of the Enhanced Security files (i.e. /etc/auth/system/default) will tell you is if the Enhanced Security subsets have been installed on your system and/or you had Enhanced Security enabled on your system at one time.

Thanks,
Johnson
Problems are common to all, but attitude makes the difference
Bill Hassell
Honored Contributor

Re: HP-UX11i trusted system

Since your auditors are probably not familiar with HP-UX Trusted Systems, just use SAM to demonstrate that enhanced security features are present. Go to the Auditing and Security selection (auditors will like that) then System Security Policies and finally Password Aging Policies:

Time Between Password Changes (days): 0
Password Expiration Time (days): 182
Password Expiration Warning Time (days): 7
Password Life Time (days): 196

(your numbers may be different). These 4 choices will not appear in a standard security system. Once the system is Trusted, these new options will appear. There is no log that shows when this change (from standard to Trusted) was made.


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: HP-UX11i trusted system

Let me qualify "no logs". If you used SAM to convert your system, and your SAM logs have not been truncated or overwritten, then you can search through samlog to locate the date. If you used tsconvert instead, then there will be no log and dates for the requisite files and directories are updated every time a new user is added or a policy is changed.


Bill Hassell, sysadmin
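
The file-based indicators named in the replies above (the /tcb tree, /tcb/files/auth/system/default, the `*` password fields in /etc/passwd, and samlog), gathered into one script an auditor can be shown. This is an added example, not code from any poster in the thread; the function names, the `--check` switch and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gather the trusted-mode indicators named in this thread.
# ROOT (first argument) is a hypothetical prefix so the same checks can run
# against a copied file tree; pass "" to inspect the live system.

# Succeeds only if /etc/passwd has entries and every password field is "*".
passwd_all_starred() {
    awk -F: 'NF >= 2 { n++; if ($2 != "*") bad = 1 }
             END { exit ((n > 0 && !bad) ? 0 : 1) }' "$1/etc/passwd" 2>/dev/null
}

# Prints one line per indicator; succeeds only if all file indicators agree.
trusted_evidence() {
    root=${1:-}
    hits=0
    for path in /tcb /tcb/files/auth/system/default; do
        if [ -e "$root$path" ]; then
            echo "PRESENT  $path"
            hits=$((hits + 1))
        else
            echo "MISSING  $path"
        fi
    done
    if passwd_all_starred "$root"; then
        echo "PASSWD   every password field in /etc/passwd is '*'"
        hits=$((hits + 1))
    else
        echo "PASSWD   at least one password field is not '*'"
    fi
    # samlog only helps if SAM did the conversion and the log was kept.
    if [ -r "$root/var/sam/log/samlog" ]; then
        echo "SAMLOG   present, search it for the conversion date"
    fi
    # Run the command from the thread only on the live system, if installed.
    if [ -z "$root" ] && [ -x /usr/lbin/getprdef ]; then
        rc=0
        /usr/lbin/getprdef -r || rc=$?
        echo "GETPRDEF exit status $rc"
    fi
    [ "$hits" -eq 3 ]
}

# Run the checks only when asked: sh script.sh --check [ROOT]
case "${1:-}" in
    --check) trusted_evidence "${2:-}" ;;
esac
```

The script reports current state only; as noted in the thread, the conversion date is recoverable only from samlog when SAM performed the conversion.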