
Re: HPUX trusted mod , what supported?

 
Mike Nemeth
Advisor

HPUX trusted mod , what supported?

We set up trusted HP on an HPUX system and turned on all logging.
Our security people tested it and found that
it would not log a failed attempt to
modify (edit) the passwd file.
But neither I nor they verified that it was
even possible to do this.
I believe I remember that it's not.
I did a search and found some docs but they
were not clear to me.
I don't have ready access to the machine so can't
even read the man page but I don't
remember seeing it there!
Can anyone confirm this AND point me to the
docs that show this? Nice if the docs were
online!

Patrick Wallek
Honored Contributor
Solution

Re: HPUX trusted mod , what supported?

Trusting the system does not log attempts to modify /etc/passwd. To do that you would probably have to do something with auditing.

There are plenty of docs online.

http://docs.hp.com has just about anything you could ever want.

Mike Nemeth
Advisor

Re: HPUX trusted mod , what supported?

Well, thanks for the confirmation!
I've been through docs.hp.com
(twice now) but couldn't find anything on
what is audited on success and/or failure.

Now I found a chart in Jay Shah's book on
HP-UX system admin that does show success/failure, but that's not official,
nor even completely clear!
Steven E. Protter
Exalted Contributor

Re: HPUX trusted mod , what supported?

/tcb/files/auth

That's where the modifications and passwords are set.

The root user would be in a folder called r

The scattering of these files makes it much harder for an unauthorized user to get the passwd file and run crack on it. This is one of the things that makes a trusted system so much better.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
RAC_1
Honored Contributor

Re: HPUX trusted mod , what supported?

Have you looked at upwchg???

/usr/lbin/getprpw -m upwchg root

Will give the time of the last unsuccessful password change. In the same way it also gives the time of the last successful password change (spwchg).

Anil
There is no substitute to HARDWORK
Jeff Schussele
Honored Contributor

Re: HPUX trusted mod , what supported?

Hi Mike,

Patrick's right on it.
To do this you need some sort of auditing.
Either the built-in utility that logs into /.secure or an add-on product like IDS9000 that treats systems as clients & logs to a server system.
But you have to have *something* that audits commands. Be advised that the built-in auditing util can chew up disk space at quite a rate in busy systems with lots of users.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mike Nemeth
Advisor

Re: HPUX trusted mod , what supported?

I'm talking about attempted FILE modification of
sensitive files like /etc/passwd with an
editor or something other than normal!

They WERE happy it failed but not that
an attempt was not logged! Looks like HP, at
least on HPUX, cannot do it!
Security nowadays is not happy just to
know a file has been changed (success)
but it's looking for possible attacks too!
Jeff Schussele
Honored Contributor

Re: HPUX trusted mod , what supported?

Mike,

Read our posts again.
HP-UX can *absolutely* do it. BUT you have to enable the framework (Allocate sufficient space & define just *what* you want audited) AND turn it on. It's not enabled out of the box.

man the following for details
audit
audsys
audevent
audisp
audomon
audwrite
getevent
setevent

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mike Nemeth
Advisor

Re: HPUX trusted mod , what supported?

OK, there's a misunderstanding!
Now this IS an old HP 10.20 system.
Yes, the system was trusted!
But also ALL auditing WAS turned on!
It did NOT show a FAILED attempt!
(Yes, it's eating lots of disk space!)
I don't believe 10.20 CAN do this;
I think I remember 11. was supposed
to be able to do this some time this year
(I KNOW HIDS can't log it; this was
submitted for possible inclusion this year!)

I think 11+ (11i? and up) can do it now!

Jeff Schussele
Honored Contributor

Re: HPUX trusted mod , what supported?

Well...you need to check the /etc/rc.config.d/auditing file - specifically the AUDEVENT_ARGS section. This is where the system is told just *what* to audit. You'll want to see just what the AUDEVENT_ARGSX (where X=1,2,3,etc) have listed for any "-s" (system calls).

The system does not log system "commands" per se, rather it logs system calls. So you need to know what sys calls are involved in what commands.

Being able to decipher audit logs is almost an art unless you are very familiar with HP-UX syscalls.

IF the AUDEVENT_ARGS section has -s execv and/or -s execve I would bet you that the attempt was indeed logged - just nobody there knew how to determine that.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mike Nemeth
Advisor

Re: HPUX trusted mod , what supported?

OK Jeff,
Like I said I KNOW HIDS can display it!
It HAD to be logged (if it can be logged)
as we turned on everything. Basically
you (and me since I KNOW HIDS can't
per HP). There's no easy way to see this
type of possible attack.
Looking at the audit(5) man page (on my HP 11 system)
I STILL don't see any FAILED attempt
described; yes, it logs opens, deletes,
closes etc. but does it log FAILED attempts
to do these things? I DON'T see it in the man
page. I guess you might see someone
open/close /etc/passwd. But I can't
find the documentation to support
that it logs failure.
Not much help. Unless I can point to
a doc that it should or should show
these, security is not happy.

Jeff Schussele
Honored Contributor

Re: HPUX trusted mod , what supported?

Do you have -F in any of the AUDEVENT_ARGS fields in the /etc/rc.config.d/auditing file?

-F is for failed events.

Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
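
The check Jeff describes in the last two replies (look at each AUDEVENT_ARGS entry for "-s" system calls and for "-F") can be scripted as below. This is an added example, not code from the thread or from HP; the sample file contents are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the style of /etc/rc.config.d/auditing
# (illustrative values only, not taken from a real system).
sample_config() {
cat <<'EOF'
# auditing startup configuration (constructed sample)
AUDITING=1
AUDEVENT_ARGS1="-P -F -e moddac -e login"
AUDEVENT_ARGS2="-P -s execv -s execve"
AUDEVENT_ARGS3="-P -F -s open"
EOF
}

# Read an auditing config on stdin and print one line per AUDEVENT_ARGSn:
#   <name> failures=<yes|no> syscalls=<comma list or ->
# "-F" is the failed-events flag and "-s" selects a system call (per the thread).
report_audevent_args() {
    awk -F= '
    /^[ \t]*AUDEVENT_ARGS[0-9]+=/ {
        name = $1; sub(/^[ \t]+/, "", name)
        args = substr($0, index($0, "=") + 1)
        gsub(/"/, "", args)
        n = split(args, tok, /[ \t]+/)
        fail = "no"; calls = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] == "-F") fail = "yes"
            else if (tok[i] == "-s" && i < n)
                calls = calls (calls == "" ? "" : ",") tok[++i]
        }
        printf "%s failures=%s syscalls=%s\n", name, fail, (calls == "" ? "-" : calls)
    }'
}

# List syscalls that are selected on an entry with no -F, i.e. calls whose
# failed attempts that entry does not ask to have audited.
syscalls_missing_failure_audit() {
    report_audevent_args | awk '
        $2 == "failures=no" && $3 != "syscalls=-" {
            sub(/^syscalls=/, "", $3); print $3
        }'
}

sample_config | report_audevent_args
sample_config | syscalls_missing_failure_audit
```

On a real system the same functions would read the file directly, for example `report_audevent_args < /etc/rc.config.d/auditing`.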