HPE Community
Operating System - HP-UX
1832285 Members
2795 Online
110041 Solutions
New Discussion

Trusted System

 
SOLVED
Go to solution
Tim Stallman
Advisor

‎10-23-2002 10:24 AM

‎10-23-2002 10:24 AM

Trusted System

Hi,
I'm looking for a good article or explanation as to what makes a system "trusted" or "untrusted". If anyone can point me in the right direction that would be great.

Thx,
Tim
0 Kudos
Reply
12 REPLIES 12
Ken Hubnik_2
Honored Contributor

‎10-23-2002 10:23 AM

‎10-23-2002 10:23 AM

Re: Trusted System

Try doing a search on www.docs.hp.com. keyword trusted.
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎10-23-2002 10:28 AM

‎10-23-2002 10:28 AM

Re: Trusted System

A trusted system is one that essentially does not have the users encrypted passwords in the /etc/passwd file, which is readable by EVERYONE. Instead the encrypted passwords are located in a /tcb directory structure that is readable only by root.

You can convert to a system to or from trusted mode with the 'tsconvert' command.
0 Kudos
Reply
Helen French
Honored Contributor

‎10-23-2002 10:29 AM

‎10-23-2002 10:29 AM

Solution

Re: Trusted System

This document will be helpful:
http://www.docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html
Life is a promise, fulfill it!
Reply
Ken Hubnik_2
Honored Contributor

‎10-23-2002 10:31 AM

‎10-23-2002 10:31 AM

Re: Trusted System

Here is a doc
0 Kudos
Reply
Tim Stallman
Advisor

‎10-23-2002 10:33 AM

‎10-23-2002 10:33 AM

Re: Trusted System

okay that makes good sense and that is what I was thinking was going on but how does that relate to NIS? I was trying to configure NIS in a test system and it came back and told me NIS can't be used because it is a trusted system. Is there some reason NIS cannot be used when a system is trusted?
0 Kudos
Reply
Ben Sachs_1
Advisor

‎10-23-2002 10:36 AM

‎10-23-2002 10:36 AM

Re: Trusted System

You can't use NIS in a trusted environment. Not secure. See this thread: http://bizforums.itrc.hp.com/cm/QuestionAnswer/1,,0x5d2dcbaac6dcd5118ff40090279cd0f9,00.html

-Ben
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎10-23-2002 10:40 AM

‎10-23-2002 10:40 AM

Re: Trusted System

The search should give you good info but in a nutshell, describing the difference between trusted vs untrusted hopefully gives you some overview. Some of them includes ..
a) Trusted system password management is more superior. For example it allows ..
=>You to define a grace and expiration period for password.
=>You to disable accounts with repeted login failures.
=>You to define systemwide password aging.

b) Trusted systems have additional login restrictions features such as ..
=>Account disabling.
=>Account locking.
=>Restricted access by time-of-day.
=>Can define a single-user mode boot password.

c) Trusted system allows system-auditing to be enabled thus the ability to trace every system call.

d) Trusted system has shadowed passwords thus improved security.
0 Kudos
Reply
Tim Stallman
Advisor

‎10-23-2002 10:48 AM

‎10-23-2002 10:48 AM

Re: Trusted System

Thanks everyone that is exactly what I needed to know :-)
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎10-23-2002 12:44 PM

‎10-23-2002 12:44 PM

Re: Trusted System

Any advanatages to trusted systems few disadvantages. As HP continues to improve that subsystem and the various security subsytems such as IDS/9000, Kerobos(et al) there are few incompatabilities.

The fact that you are considering a trusted system probably means you have security concerns. A good idea, especially after what went on on the Internet Monday and 9/11

Consider these suggestions:
security_patch_check
It connects to HP's security patch database, analyzes your patch setup and recommends needed security patches.

Even better is Bastille, which can be found at software.hp.com

It runs a comprehensive security analysis, can configure security_patch_check for regular cron runs. It goes through the daemons running and gives you a chance to get rid of antiquated, dangerous protocols that almost nobody but hackers use. It can even let you run named as a regular user making denial of service and priviledge attacks on your DNS/Bind system much less likely to succeed.

Hope I helped.

Steve

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Bill Hassell
Honored Contributor

‎10-23-2002 06:10 PM

‎10-23-2002 06:10 PM

Re: Trusted System

It's important to know that NIS means insecure! NIS broadcasts the password info across the network whereas Trusted systems hide the password. While NIS+ does add encryption, every client must have NIS+ capability.

But the future is not NIS, it is probably LDAP.


Bill Hassell, sysadmin
0 Kudos
Reply
Tim Stallman
Advisor

‎10-24-2002 05:06 AM

‎10-24-2002 05:06 AM

Re: Trusted System

Thanks everyone. The systems I work on are already trusted systems and I was trying to add NIS to a test system (which is an image from the production system) in preperation for my HP Admin. Cert. Exam. Unfortunately HP still lists NIS as an exam objective thus I need to know how to configure it even though I will never use it here. Maybe LDAP will replace NIS as an exam objective????

Thx,
Tim
0 Kudos
Reply
doug hosking
Esteemed Contributor

‎10-24-2002 07:48 AM

‎10-24-2002 07:48 AM

Re: Trusted System

Tim, in addition to the security reasons that make NIS inconsistent with trusted systems, there are practical reasons, too. Standard UNIX password files have only a fixed number fo fields to store per-user attributes. Trusted systems configurations have many new attributes, like time stamps, lock fields, extra password lifetime and selection parameters, time of day restrictions, and more. While these are good/useful features, the problem that arises is that in an NIS environment, there is no place to store them, because the server-side system may not be running HP-UX, and other vendors usually don't know about these extra attributes.

Getting back to one of your core questions, if you want to make the system 'not trusted' so you can configure NIS on it, you can run the command '/usr/lbin/tsconvert -r' or use SAM to do the equivalent. This makes significant changes to the system (deletes the whole /tcb directory hierarchy, among other things) so you don't want to do this on a 'real' server without understanding the consequences. If it's truly a 'scratch' system without critical stuff on it, then doing this would make a lot more sense and should enable you to configure NIS. Good luck!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.