
Re: Trusted Systems

 
Troy E. Miles
Advisor

Trusted Systems

I'm running HP-UX 11.11 as a Trusted System and I am experiencing the following problem:

I set my default security policies through SAM for password minimum time (7 days) and password expiration warning (30 days), but when I run getprpw against accounts they report -1 for both settings. When I use modprpw I can change the values.

Am I missing something?
Brian Bergstrand
Honored Contributor

Re: Trusted Systems

The system defaults are stored in a separate system file, not in each user's file. The -1 represents the default, which is referenced from the system file. You can use modprpw to override the default for any specific user.

HTH.
Brian Bergstrand
Honored Contributor

Re: Trusted Systems

The system file is:

/tcb/files/auth/system

Forgot to mention that.

You can use getprdef and modprdef to view/modify these settings (or SAM).
Troy E. Miles
Advisor

Re: Trusted Systems

Brian,

I don't think they are syncing. I set defaults through SAM, but they are not propagating to users and user accounts are set to use defaults, but that's not happening.
Umapathy S
Honored Contributor
Solution

Re: Trusted Systems

Troy,
Can you cut & paste the commands from /var/sam/log/samlog which SAM has executed?

Maybe that can shed some light on this.

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Brian Bergstrand
Honored Contributor

Re: Trusted Systems

The defaults don't "propagate"; you will never see default values in a specific user's profile using the *prpw commands. You will always see the default placeholder of -1. SAM does the same thing, I believe. The only time you will see a value in a specific user's profile is if you override the defaults for that user. Even though you can't see them for each user, the system will enforce the defaults.

Maybe I'm not understanding your problem though.

HTH.
Troy E. Miles
Advisor

Re: Trusted Systems

Brian,

I understand you'll never see them in a user's profile, but when I run getprpw against a user's account it returns the -1 placeholder. Other than running modprpw on the individual accounts, how am I to effect a global change?
Brian Bergstrand
Honored Contributor

Re: Trusted Systems

You set the global defaults with modprdef or with SAM -> Auditing and Security -> System Security Policies. These are the only ways to modify the globals; going through SAM -> Users or using modprpw only modifies a single user. (BTW, SAM uses modprdef to do the actual work.)

I've attached the man pages for the *prpw and the *prdef commands too.

HTH.
Troy E. Miles
Advisor

Re: Trusted Systems

Brian,

Thanks for the help. I didn't digest all of your response properly. The problem I have is my company runs a security check script that uses getprpw. Since getprpw returns the placeholder (-1) and not the system default setting, the script returns an error saying password aging is not properly configured.

I'll have to pass this information on to them.

Thanks again.
Brian Bergstrand
Honored Contributor

Re: Trusted Systems

I see. You'll have to modify the script to query the system defaults with getprdef, then if getprpw returns -1, replace the -1 with the default value. This will then show the correct value for any user who is using the default. If getprpw doesn't return -1, then the default has been overridden by the user-specific value, and no replacement will be necessary.

The man pages I attached in the previous post will explain how to use getprdef.

HTH.
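
The fallback described in the last reply, as an added example that is not part of the original thread or of any poster's script: a compliance check that substitutes the getprdef value whenever getprpw reports the -1 placeholder. It assumes the `-m` output of both commands has the form `parm=value, parm=value`, that the two settings are named `mintm` and `expwarn`, and that the commands live in `/usr/lbin`; the function names are hypothetical.

```shell
# Added example: report the effective password-aging values on a Trusted System.
# Assumption: "getprpw -m" and "getprdef -m" print "parm=value, parm=value".
PARMS="mintm,expwarn"
LBIN=/usr/lbin   # assumed location of getprpw/getprdef; adjust if different

# field PARM OUTPUT: extract PARM's value from "a=1, b=2" style output.
field() {
    printf '%s\n' "$2" | tr ',' '\n' |
        sed -n "s/^[[:space:]]*$1=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# effective PARM USER_OUTPUT DEFAULT_OUTPUT: resolve what the system enforces.
effective() {
    u=$(field "$1" "$2")
    d=$(field "$1" "$3")
    case "$u" in
        ''|-1) printf '%s\n' "${d:--1}" ;;  # placeholder: use the system default
        *)     printf '%s\n' "$u" ;;        # per-user override wins
    esac
}

# audit_user USER USER_OUTPUT DEFAULT_OUTPUT: print each effective value and
# return 1 only when a parameter is unset at both user and system level.
audit_user() {
    rc=0
    for p in $(printf '%s' "$PARMS" | tr ',' ' '); do
        v=$(effective "$p" "$2" "$3")
        if [ "$v" = "-1" ]; then
            echo "$1: $p is not set for the user or in the system defaults"
            rc=1
        else
            echo "$1: $p=$v"
        fi
    done
    return $rc
}

# Live run on the HP-UX host (as root): sh check_aging.sh user1 user2 ...
main() {
    [ $# -gt 0 ] || return 0
    [ -x "$LBIN/getprpw" ] || { echo "getprpw not found in $LBIN" >&2; return 2; }
    defs=$("$LBIN/getprdef" -m "$PARMS")
    status=0
    for user in "$@"; do
        audit_user "$user" "$("$LBIN/getprpw" -m "$PARMS" "$user")" "$defs" || status=1
    done
    return $status
}
main "$@"
```

A finding is raised only when the value is still -1 after the fallback, which is the case the original check was meant to catch.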