
Re: Need Some Advices

 
morganelan
Trusted Contributor

Need Some Advices

Hi Unix Gurus,
I want input from all Unix gurus who have ever done a conversion from an untrusted system to a trusted system. What issues have been faced with this change? I appreciate any inputs. Thanks in advance.
Kamal Mirdad
21 REPLIES 21
Joseph Loo
Honored Contributor

Re: Need Some Advices

Hi,

If you search ITRC or the KB, there is lots of info about what problems were encountered.

What is the UX version? Do you run clustering, i.e. MCSG?


Regards.
what you do not see does not mean you should not believe
Muthukumar_5
Honored Contributor

Re: Need Some Advices

Which OS are you trying to change to a trusted system? You will get a secured machine.

Check these threads:

http://docs.hp.com/en/B2355-90121/index.html
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=638058

It will give related details.

You can convert your machine with SAM or the tsconvert command itself.

hth.
Easy to suggest when don't know about the problem!
morganelan
Trusted Contributor

Re: Need Some Advices

HPUX version 11.11
Kamal Mirdad
Gavin Clarke
Trusted Contributor

Re: Need Some Advices

I've converted to trusted systems several times. It has never been particularly troublesome and when I did have the 8 character password problem there was an answer on the forum.

According to posts on the forum MC ServiceGuard will not be affected (it wasn't for me). NIS will though, see this post:

http://forums1.itrc.hp.com/service/forums/parseCurl.do?CURL=%2Fcm%2FQuestionAnswer%2F1%2C%2C0xe505a22d6d27d5118fef0090279cd0f9%2C00.html&admit=-682735245+1127376641324+28353475

Cheers.
RAC_1
Honored Contributor

Re: Need Some Advices

A few things to take care of:

1. All passwords will expire. As soon as you convert, do modprpw -V, or better, tsconvert ; modprpw -V

2. Conversion only converts the first 8 chars of the password. So passwords longer than 8 chars do not work.
There is no substitute to HARDWORK
Arunvijai_4
Honored Contributor

Re: Need Some Advices

Take a look at this doc, it is for 11.11
http://docs.hp.com/en/B2355-90121/ch01s04.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Zigor Buruaga
Esteemed Contributor

Re: Need Some Advices

Hi,

I've done it several times, always using SAM, and never found a problem. To be safe, make a copy of your /etc/passwd file first. Also, if I remember correctly, if you have any user commented out in /etc/passwd, SAM won't let you convert to trusted (not sure if that's applicable actually).
In SAM, it's quite easy to define the passwd aging policies, terminal policies, etc.
In these forums, you will find several scripts that will help you, once converted to trusted, to unlock a user account and tell you why it was locked, to calculate in how many days a user's passwd will expire ... all very useful.

Once converted to trusted, and to be more "auditable" (I know you are not asking this though), you can also play with the /etc/default/security file; here you can define the passwd history depth, define a group of users able to do "su" to root, etc. Only an idea ...

Regards,
Zigor

*Not a Unix Guru but trying to help
morganelan
Trusted Contributor

Re: Need Some Advices

How about rcp scripts? Can an rcp script run on a trusted system without any changes?
Kamal Mirdad
Zigor Buruaga
Esteemed Contributor

Re: Need Some Advices

Hi,

Yes, you should be able to use those scripts without changes.
Only be sure that the user on the remote host is enabled.

Regards,
Zigor
Arunvijai_4
Honored Contributor

Re: Need Some Advices

You mean RC scripts? Yes, they will, without any changes.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Zigor Buruaga
Esteemed Contributor

Re: Need Some Advices

Hi,

I thought you were referring to scripts using rcp (remote copy) between trusted systems.
If not, sorry if I misunderstood the question.

Regards,
Zigor
morganelan
Trusted Contributor

Re: Need Some Advices

Yes, rcp remote copy script.
Kamal Mirdad
morganelan
Trusted Contributor

Re: Need Some Advices

Does a trusted system use much space for its log files?
Kamal Mirdad
Arunvijai_4
Honored Contributor

Re: Need Some Advices

Yes, it will generate a lot of log files.
"A ship in the harbor is safe, but that is not what ships are built for"
Zigor Buruaga
Esteemed Contributor

Re: Need Some Advices

Hi,

Not sure what you are referring to by log files. Under /tcb, where the trusted database resides, you will find a file per user (under his corresponding directory - first char of the user name).
If you are going to enable auditing, then you will need much more space than that, but a normal conversion to trusted does not really need too much space (if I remember correctly, mine needs around 20MB, without auditing).

Regards,
Zigor
Gavin Clarke
Trusted Contributor

Re: Need Some Advices

Perhaps you should take a look at logrotate, which you can search for on the forums.

Trusted systems do generate a lot of log files if you have auditing switched on; you don't have to have it on all the time though.

I find the log files manageable enough.
Muthukumar_5
Honored Contributor

Re: Need Some Advices

Trusted systems will not cause a problem with r* command execution.

The /etc/passwd file's second tab entry will be changed to *. You have to take a copy of the /etc/passwd file before execution. Anyway, all logins' passwords will be expired.

If you don't want to enable system auditing then it will not use more space for log files. Use the history setting itself for that.

Sample try is here:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=666461

hth.
Easy to suggest when don't know about the problem!
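
Added example (not part of any post in this thread): a small POSIX shell check that follows the advice given above about keeping a copy of /etc/passwd, looking for commented-out users, and the second field becoming `*` after conversion. The sample file, its users and hashes, and the function names are constructed for illustration; set PASSWD_FILE to run it against a copy of a real file.

```shell
#!/bin/sh
# Added example: checks on a passwd-format file before/after a trusted conversion.

# Constructed sample: one converted entry ("*"), one commented-out user,
# two entries that still carry a (made-up) hash in the second field.
make_sample() {
    cat > "$1" <<'EOF'
root:*:0:3::/:/sbin/sh
#olduser:AbCdEfGhIjKlM:105:20::/home/olduser:/usr/bin/sh
kamal:AbCdEfGhIjKlM:106:20::/home/kamal:/usr/bin/sh
batch:NoPqRsTuVwXyZ:107:20::/home/batch:/usr/bin/sh
EOF
}

# Keep a dated copy of the file before converting; prints the copy's path.
backup_passwd() {
    dest="$1.pre-trusted.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$dest" && echo "$dest"
}

# Number of commented-out lines (first non-blank character is '#').
count_commented() {
    awk '/^[ \t]*#/ { n++ } END { print n + 0 }' "$1"
}

# Number of live entries whose second field is not "*",
# i.e. entries that still look unconverted.
count_unconverted() {
    awk -F: '!/^[ \t]*#/ && NF >= 2 && $2 != "*" { n++ } END { print n + 0 }' "$1"
}

# Default to the constructed sample unless PASSWD_FILE is provided.
f="${PASSWD_FILE:-}"
if [ -z "$f" ]; then
    f="/tmp/passwd.sample.$$"
    make_sample "$f"
    cleanup=1
fi

echo "commented-out entries : $(count_commented "$f")"
echo "entries not yet '*'   : $(count_unconverted "$f")"

# Remove the sample only if this script created it.
if [ "${cleanup:-0}" = 1 ]; then rm -f "$f"; fi
```
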
morganelan
Trusted Contributor

Re: Need Some Advices

Can we maintain the trusted log file on a mount point that does not belong to vg00? For example, can we put the audit log files on /dev/vg01/lvol1?
Kamal Mirdad
Gavin Clarke
Trusted Contributor

Re: Need Some Advices

I think you can, try man audsys (the -c option) and man audit for more information.
Hakan Aribas
Valued Contributor

Re: Need Some Advices

Several times we have changed from trusted to normal and vice versa without any problem. The main differences between the two modes are auditing and password length.
morganelan
Trusted Contributor

Re: Need Some Advices

Thanks all
Kamal Mirdad