HPE Community
Operating System - HP-UX
1835961 Members
1774 Online
110088 Solutions
New Discussion

Step to convert system to trusted system for HP-UX 11i

 
SOLVED
Go to solution
Mike_305
Super Advisor

‎05-17-2005 09:01 AM

‎05-17-2005 09:01 AM

Step to convert system to trusted system for HP-UX 11i

Hi,

Convert system to Trusted System is their anything I am missing beside these steps below?

Please advise and thanks to all GURUS in advance.

1. Backup password file

2. Create recovery tape

3. Download following patches recommend by HP.

PHCO_27049 s700_800 11.11 audit(5) man page patch
PHCO_27694 s700_800 11.11 login(1) cumulative patch
PHCO_27884 s700_800 11.11 /sbin/initcond cumulative patch
PHCO_28798 s700_800 11.11 init(1M) cumulative patch
PHCO_28830 s700_800 11.11 security(4) man page cumulative patch
PHCO_29125 s700_800 11.11 passwd(1) cumulative patch
PHCO_30903 s700_800 11.11 authck cumulative patch
PHCO-30913 s700_800 11.11 libsec cumulative patch
PHCO_31314 s700_800 11.11 cumulative SAM patch
PHCO_31903 s700_800 11.11 libc cumulative patch
PHCO_32182 s700_800 11.11 ugm cumulative patch
PHCO_32873 s700_800 11.11 libpam_unix cumulative patch
PHKL_27737 s700_800 11.11 Enable Posix IPC syscalls to be audited
PHKL_32012 s700_800 11.11 cumulative shared memory patch
PHKL_32126 s700_800 11.11 audit subsystem cumulative patch
PHNE_29887 s700_800 11.11 cumulative ARPA Transport patch

4. Convert system to trusted system

5. Unexpired the password globally using “modprpw –V” after converting.

Thanks once ag
If there is problem then don't think as problem, think as opportunity.
0 Kudos
12 REPLIES 12
Mike_305
Super Advisor

‎05-17-2005 09:05 AM

‎05-17-2005 09:05 AM

Re: Step to convert system to trusted system for HP-UX 11i

Mean to say "Thanks once again" at bottom of the message.
If there is problem then don't think as problem, think as opportunity.
0 Kudos
Patrick Wallek
Honored Contributor

‎05-17-2005 09:09 AM

‎05-17-2005 09:09 AM

Re: Step to convert system to trusted system for HP-UX 11i

I think you've pretty well covered it.
0 Kudos
Tim D Fulford
Honored Contributor

‎05-17-2005 09:23 AM

‎05-17-2005 09:23 AM

Re: Step to convert system to trusted system for HP-UX 11i

I'd also

o Turn off password ageing for root
o Password expiration for root
o password failure retries for root
The reason is that under no circumstances do you want to expire the root account... It is a real hassle to have to hack the system to re-enable it.... As an example, someone could simply try & fail to log into root 3 times. This will expire the root account & now the sysadmin is locked out... even if you trace the culprit the damage is done...

And do similar to any "power" accounts, say Informix or Oracle, but make sure users cannot log into these accounts directly.

Regards

Tim
-
0 Kudos
piyut_1
Frequent Advisor

‎05-17-2005 04:08 PM

‎05-17-2005 04:08 PM

Re: Step to convert system to trusted system for HP-UX 11i

Tim,

how to turn off password ageing for root, password expiration for root and password failure retires for root ?
I have trusted system server but sometimes user root is disabled by system because of password retries reached for user root.


many thanks,

piyut
0 Kudos
Nguyen Anh Tien
Honored Contributor

‎05-17-2005 05:34 PM

‎05-17-2005 05:34 PM

Re: Step to convert system to trusted system for HP-UX 11i

read this docs for detail
http://docs.hp.com/en/B2355-90121/
tienna
HP is simple
0 Kudos
Tim D Fulford
Honored Contributor

‎05-17-2005 11:13 PM

‎05-17-2005 11:13 PM

Re: Step to convert system to trusted system for HP-UX 11i

It is a long time since I did this... But I used SAM & navigated through from there...

Regards

Tim
-
0 Kudos
Mike_305
Super Advisor

‎05-18-2005 05:08 AM

‎05-18-2005 05:08 AM

Re: Step to convert system to trusted system for HP-UX 11i

Hi Guys,

When root is disable then can you login through console? I haven't used trusted system before but I am sure you should be able to login to system using console. HP systems are not Microsoft.

Thanks,

Mike
If there is problem then don't think as problem, think as opportunity.
0 Kudos
Kevin Wright
Honored Contributor

‎05-18-2005 06:57 AM

‎05-18-2005 06:57 AM

Re: Step to convert system to trusted system for HP-UX 11i

/usr/lbin/tsconvert.

Be careful with the 8 char max limit on the password..
0 Kudos
Dave Hutton
Honored Contributor

‎05-18-2005 07:06 AM

‎05-18-2005 07:06 AM

Re: Step to convert system to trusted system for HP-UX 11i

If the root account is locked. You can log in at the console.
0 Kudos
Mike_305
Super Advisor

‎05-18-2005 07:25 AM

‎05-18-2005 07:25 AM

Re: Step to convert system to trusted system for HP-UX 11i

Hi Piyut,

I found this thread and in this doc Bhavin Asokan suggested the following:

Go to sam->accounts for users and groups->users

select root

go to actions->modify users security policies-> general user account policies->

set account life time to none, unsuccessful login tries allowed to more than 100, max inactivity period disabled.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=798134

Thanks,

Mike
If there is problem then don't think as problem, think as opportunity.
0 Kudos
Robert Bennett_3
Respected Contributor

‎05-18-2005 08:28 AM

‎05-18-2005 08:28 AM

Solution

Re: Step to convert system to trusted system for HP-UX 11i

Mike -

This is how we deal with root:
Sam - Accounts for Users and Groups - Modify User's Security Policies - Password Aging Policies

check password aging to enabled
change all 4 values to 0 (zero)
this will disable password aging
OK

Now check the root tcb
view /tcb/files/auth/r/root
You want to check that the following 4 entries exist and are 0:
:u_exp#0:
:u_life#0:
:u_minchg#0:
:u_pw_expire_warning#0:

you can actually just vi the tcb file and it does what you did in SAM, but better to do it via SAM the first few times to get the hang of it.

We also touch /etc/default/security to eliminate messages in syslog that it doesn't exist - also chmod it to 644.

Hope this helps

"All there is to thinking is seeing something noticeable which makes you see something you weren't noticing which makes you see something that isn't even visible." - Norman Maclean
0 Kudos
Mike_305
Super Advisor

‎05-23-2005 07:17 AM

‎05-23-2005 07:17 AM

Re: Step to convert system to trusted system for HP-UX 11i

Thanks Guys.
If there is problem then don't think as problem, think as opportunity.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.