
tsconvert

Duncan Beattie
Occasional Advisor

tsconvert

Hi

I am in the process of hardening my HP servers, using, amongst other things, tsconvert.

The extent of my knowledge on this is:
tsconvert -c to convert to a trusted system
tsconvert -r to backout, or return to a normal system.

Can anyone help me with documentation on this command (I can't find any)?

Does the backout undo everything that the -c switch puts in place?

Does anyone know of any issues with running HP Openview Network Node Manager on a trusted system?

Thanks in advance!

Duncan
8 REPLIES
Stefan Farrelly
Honored Contributor

Re: tsconvert


The procedure for reverting back from a trusted system is a little more involved:

1. "tsconvert -r" to convert it to normal password file, although it may miss some information (hence you need steps 2 & 3 below)
2. use a backup copy of /etc/passwd to overwrite the password file (from before you converted it to trusted)
3. run "tsconvert" again

There is no manpage for it.

I've seen lots of systems running HP OV and trusted without any problems.


I'm from Palmerston North, New Zealand, but somehow ended up in London...
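
A comparison that can be run between step 1 and step 2 of the procedure above, as an added example that is not part of the original post: it diffs the pre-conversion /etc/passwd backup against the file left by "tsconvert -r", so accounts created or changed since the backup are known before the backup overwrites them. The function names, output labels and sample entries are constructed for illustration, and it assumes that a "*" password field where the backup held a hash means the hash was not written back.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: passwd_drift BACKUP CURRENT
# Labels: ADDED (only in current), MISSING (only in backup),
#         CHANGED (uid/gid/home/shell differ), NOHASH (hash replaced by "*").
passwd_drift() {
    awk -F: '
        # First file (backup): remember password field and identity fields.
        NR == FNR { pw[$1] = $2; rest[$1] = $3 ":" $4 ":" $6 ":" $7; next }
        # Second file (current): classify each account against the backup.
        {
            seen[$1] = 1
            cur = $3 ":" $4 ":" $6 ":" $7
            if (!($1 in pw)) {
                print "ADDED " $1
            } else {
                if (rest[$1] != cur) print "CHANGED " $1
                # Assumption: "*" where the backup had a hash = not restored.
                if ($2 == "*" && pw[$1] != "*") print "NOHASH " $1
            }
        }
        END { for (u in pw) if (!(u in seen)) print "MISSING " u }
    ' "$1" "$2" | sort
}

# Constructed sample data (not from a real system).
demo() {
    d=${TMPDIR:-/tmp}/pwdrift.$$
    mkdir "$d" || return 1
    cat > "$d/passwd.before" <<'EOF'
root:AbCdEfGhIjKlM:0:3::/:/sbin/sh
alice:NoPqRsTuVwXyZ:101:20::/home/alice:/usr/bin/sh
bob:aBcDeFgHiJkLm:102:20::/home/bob:/usr/bin/sh
EOF
    cat > "$d/passwd.after" <<'EOF'
root:AbCdEfGhIjKlM:0:3::/:/sbin/sh
alice:*:101:20::/home/alice:/usr/bin/sh
carol:QrStUvWxYzAbC:103:20::/home/carol:/usr/bin/ksh
EOF
    passwd_drift "$d/passwd.before" "$d/passwd.after"
    rm -rf "$d"
}

demo
```

Any ADDED or CHANGED line is an account that a plain overwrite with the backup would silently drop or roll back.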
Steve Steel
Honored Contributor

Re: tsconvert

Hi


www.docs.hp.com

select search this site from the blue

use

trusted system

Lots of documentation


Also try on tsconvert as search pattern


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)

Re: tsconvert

Duncan,

'Officially' you shouldn't use tsconvert - it isn't a supported user command (hence no man page). 'Officially' you should be converting to trusted system via sam. This link will give some insight into why this is the case (look at Bill Hassell's posts).

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xe505a22d6d27d5118fef0090279cd0f9,00.html

That said, the backout *should* undo everything that the convert did, but you should watch for changes that result from policies when trusted which are not backed out when it is untrusted (e.g. password length causing passwords to be truncated).

I'm no NNM expert, but I have installed and run NNM on a trusted system with no problems.

HTH

Duncan

I am an HPE Employee
Michael Tully
Honored Contributor

Re: tsconvert

Hi,

There is no man page for the command. Backing out removes everything, but leaves the /tcb directory tree. There are no issues that I know where there are problems with trusted system and NNM co-existing. Please remember that if you trust a system, all passwords are reset and expire immediately.

Michael
Anyone for a Mutiny ?
Duncan Beattie
Occasional Advisor

Re: tsconvert

Stefan, Steve, Duncan, Michael

Thanks a lot for your pointers. Your help is much appreciated.

Duncan
Keith Buck
Respected Contributor

Re: tsconvert

Try using HP-UX Bastille. A beta version is available from http://www.bastille-linux.org.

Using tsconvert directly can be dangerous because it doesn't do all the checks that SAM does (for example, check for NIS incompatibility). Bastille does checks similar to SAM to help prevent you from getting into an inconsistent state.

Also, Bastille is a general hardening tool and will do a lot more than just tsconvert (all optional, of course).
Steven Sim Kok Leong
Honored Contributor
Solution

Re: tsconvert

Hi,

As part of the hardening process, you might be interested in the CIS Security Benchmarks for securing your server.

The CIS benchmark for HP-UX can be found at:

http://www.cisecurity.org/bench_HPUX.html

The benchmark is intended for HP-UX 10.20, 11.00 and 11.11 (11i).

After hardening your server, it is good practice to run a vulnerability scanner and perform a scan on your server.

Nessus is one great open-source scanner you can use to audit your system across the network with the latest vulnerability checks.

http://www.nessus.org

Because it is open source and because of the huge pool of volunteers writing vulnerability checks for it (the scripting language to write vulnerability checks is pretty easy to use), vulnerability checks always become available extremely quickly once a vulnerability is known, unlike many other similar software.

Hope this helps. Regards.

Steven Sim Kok Leong
Donald Kok
Respected Contributor

Re: tsconvert

The manual is at http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

In it you will find the idea that it is better to go to 'trusted' through sam.
Good luck
Donald
My systems are 100% Murphy Compliant. Guaranteed!!!