
useradd on trusted systems

Rick Garland
Honored Contributor

useradd on trusted systems

Hi all:

Got HP-UX 11i on several systems - all are trusted systems. In process of making a password policy for the user community.

I would like to add users with the password restrictions. Examples, u_maxlen, u_minchg, u_exp, u_life, etc.

I have been looking in /etc/default/useradd and /tcb/files/auth/system/default. Not sure which to do. Also what kind of syntax to use?

I have been looking for something to assist me but no luck. Is there a doco somewhere that can describe this?

Many thanks!

10 replies
Rick Garland
Honored Contributor

Re: useradd on trusted systems

OK, found part of my answer in SAM under Auditing and Security.

How about a command line?

Doug O'Leary
Honored Contributor

Re: useradd on trusted systems

Hey;

You can munge those files; however, /etc/default/security is quite a bit easier. It is generated by default in 11.23; however, you can use it in 11.11. man security to get all the relevant entries.

PASSWORD_MAXDAYS
PASSWORD_MINDAYS

are two that should be helpful.

Comparing the man page between 11.11 and 11.23, though, it looks like HP expanded that quite a bit in the later version. Might be worth a shot, at any rate...

HTH;

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
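An added example (my own, not code from Doug's post or from HP): a POSIX shell check that pulls PASSWORD_MAXDAYS and PASSWORD_MINDAYS out of an /etc/default/security-style file and rejects settings that contradict each other. The sample file contents, the temporary location they are written to, and the 1..90-day range the check enforces are all constructed or assumed here; the key names are the two Doug names above.

```shell
#!/bin/sh
# Added example, not from the thread: audit the password-aging keys in an
# /etc/default/security-style file (KEY=VALUE per line, '#' starts a comment).
# Sample files and the 1..90 day range below are constructed/assumed.

# Print the value of KEY ($2) from FILE ($1); trailing comments are dropped
# and the last definition wins if a key repeats (assumed). Empty if absent.
security_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# Return 0 when both aging keys are present, numeric and consistent:
# 1 <= PASSWORD_MAXDAYS <= 90 (assumed site policy) and MINDAYS <= MAXDAYS.
check_aging_policy() {
    file=$1
    maxd=$(security_get "$file" PASSWORD_MAXDAYS)
    mind=$(security_get "$file" PASSWORD_MINDAYS)
    for v in "$maxd" "$mind"; do
        case $v in
            ''|*[!0-9]*)
                echo "$file: PASSWORD_MAXDAYS/PASSWORD_MINDAYS missing or non-numeric" >&2
                return 1 ;;
        esac
    done
    if [ "$maxd" -lt 1 ] || [ "$maxd" -gt 90 ]; then
        echo "$file: PASSWORD_MAXDAYS=$maxd outside the assumed site range 1..90" >&2
        return 1
    fi
    if [ "$mind" -gt "$maxd" ]; then
        echo "$file: PASSWORD_MINDAYS=$mind exceeds PASSWORD_MAXDAYS=$maxd; the password would expire before the user is allowed to change it" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not copied from any real system).
SAMPLE_DIR=${TMPDIR:-/tmp}/security_example.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/security.ok" <<'EOF'
# constructed /etc/default/security-style file
PASSWORD_MAXDAYS=90
PASSWORD_MINDAYS=7
EOF
cat > "$SAMPLE_DIR/security.bad" <<'EOF'
# constructed: minimum age larger than maximum age
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=45
EOF

for f in security.ok security.bad; do
    if check_aging_policy "$SAMPLE_DIR/$f"; then
        echo "$f: aging policy consistent"
    else
        echo "$f: aging policy REJECTED"
    fi
done
```

Point the function at the real file on a system where you want to review the policy; the sample directory is only there so the script runs anywhere.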
Doug O'Leary
Honored Contributor

Re: useradd on trusted systems

Just saw your additional post. The command line to manipulate the TCB entries in /tcb/files/auth/system/default is modprpw.

man prpwd for specifics...

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Zigor Buruaga
Esteemed Contributor

Re: useradd on trusted systems

Hi,

Not sure if this is what you are looking for, but maybe you want to take a look at this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=45809

Regards,
Zigor
Mel Burslan
Honored Contributor

Re: useradd on trusted systems

Rick,

As the trusted privilege manipulation from command line is not the preferred method of manipulating things by HP (they want you to perform these tasks from SAM most of the time) I am not quite comfy with using modprpw man pages and trying out options.

I found out the "view SAM log" function in sam and, doing minimal increments in the policies, one step at a time, I got successful results, capturing the command line equivalents of these obscure processes.

________________________________
UNIX because I majored in cryptology...
Rick Garland
Honored Contributor

Re: useradd on trusted systems

OK, I see most of the results I am wanting by using the /etc/default/security. NOTE: as pointed out, additional features are listed in the man pages for security in 11.23 than in 11.11.

What about the /tcb/files/auth/system/default file? How is this file used? Does it input into any commands? Such as useradd?

Bill Hassell
Honored Contributor

Re: useradd on trusted systems

The command line options for modprpw will allow you to modify the TCB database entries. As you have seen, /usr/lbin is a special backend directory, designed only to be used by other frontend programs such as sam. However, when you are managing very large user lists (dozens to hundreds or more), sam just doesn't cut it.
So the man pages for modprpw and getprpw were released for 11.11 as well as added to docs.hp.com. Now there is always a disclaimer, something like:

/usr/lbin is a support directory of backend commands used by other programs such as SAM and they are subject to unannounced changes.

After years (10.01, 10.10, 10.20, 11.00...) of asking, the modprpw and getprpw commands were finally documented and should be stable for 10.20 through 11.11v2 so I would not worry too much about the commands changing or disappearing any time soon. As long as you write scripts that test for exit codes, you should have ample warning about changes in these two programs.

Note that there are actually several places where security policies are set. Global policies are found on both the /tcb.../system/default file as well as the /etc/default/security files. And most important: the options shown in man security relate to the current security patches on your system. Latest patches = more options.

The individual database entries for each user are documented in the getprpw and modprpw man pages. For 11.00, the man page was not made available so you have to borrow it from an 11.11 system or read it online at docs.hp.com.


Bill Hassell, sysadmin
Doug O'Leary
Honored Contributor

Re: useradd on trusted systems

Hey;

If you cat out a couple of user tcb protected files, you'll notice that most of the flags in the default file are listed in the individual files. Useradd typically handles /etc/passwd type fields (gecos, uid, gid, etc).

The TCB record, on the other hand, handles the more esoteric security related items; is the account locked, max days, max lifetime, etc.

So, a typical scenario, at least in my experience, would be

1. Set up /etc/default/useradd for the standard useradd things.
2. Set up /tcb/files/auth/system/default for the site specific security policy
3. Use useradd to add users to the system.
4. Use modprpw to tweak security settings as needed for individual users.

Now, the more arcane item is which takes precedence: /etc/default/security or /tcb/files/auth/system/default? My suspicion is that the default file uses the security file to determine its "defaults"; however, I don't know for sure nor do I know what would happen if the two were in conflict...

HTH;

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
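An added example (my own, not from Doug's post or from HP) for step 2 and step 4 above: a POSIX shell reader for the TCB-format files Doug suggests catting out, which pulls the numeric fields Rick asked about (u_minchg, u_maxlen, u_exp, u_life) out of a per-user entry and checks they are ordered sensibly before you commit a policy to the default file or to a user with modprpw. Field meanings are taken as in prpwd(4) (times in seconds); the two user entries, their location, and the minimum length floor of 8 are constructed or assumed here.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the numeric policy fields of
# a TCB-format entry and sanity check them. Field meanings follow prpwd(4)
# (u_minchg/u_exp/u_life are seconds, u_maxlen a character count); the
# sample entries and the length floor of 8 are constructed/assumed.

# TCB entries are termcap-like: ':'-separated fields, continued across lines
# with a trailing backslash, numeric fields written NAME#VALUE. Join the
# continuation lines and print VALUE for NAME ($2) from FILE ($1); empty if absent.
tcb_num() {
    tr -d '\\\n\t ' < "$1" | tr ':' '\n' | sed -n "s/^$2#//p" | head -n 1
}

# Return 0 when all four fields are present and consistent:
# u_minchg <= u_exp <= u_life and u_maxlen >= 8 (assumed site floor).
tcb_check_aging() {
    file=$1
    minchg=$(tcb_num "$file" u_minchg)
    maxlen=$(tcb_num "$file" u_maxlen)
    exp=$(tcb_num "$file" u_exp)
    life=$(tcb_num "$file" u_life)
    for v in "$minchg" "$maxlen" "$exp" "$life"; do
        case $v in
            ''|*[!0-9]*) echo "$file: missing or non-numeric aging field" >&2; return 1 ;;
        esac
    done
    echo "$file: minchg=$((minchg / 86400))d exp=$((exp / 86400))d life=$((life / 86400))d maxlen=$maxlen"
    if [ "$minchg" -gt "$exp" ]; then
        echo "$file: u_minchg exceeds u_exp; password expires before it may be changed" >&2
        return 1
    fi
    if [ "$exp" -gt "$life" ]; then
        echo "$file: u_exp exceeds u_life; the account locks before the password ever expires" >&2
        return 1
    fi
    if [ "$maxlen" -lt 8 ]; then
        echo "$file: u_maxlen below the assumed site floor of 8" >&2
        return 1
    fi
    return 0
}

# Constructed entries for hypothetical users; the layout mimics TCB files
# but the values are made up. alice: 7-day minchg, 90-day exp, 100-day life.
TCB_DIR=${TMPDIR:-/tmp}/tcb_example.$$
mkdir -p "$TCB_DIR"
cat > "$TCB_DIR/alice" <<'EOF'
alice:u_name=alice:u_id#1001:\
    :u_pwd=*:\
    :u_minchg#604800:\
    :u_maxlen#8:\
    :u_exp#7776000:\
    :u_life#8640000:\
    :chkent:
EOF
# bob: u_life (30 days) shorter than u_exp (90 days), which the check rejects.
cat > "$TCB_DIR/bob" <<'EOF'
bob:u_name=bob:u_id#1002:\
    :u_pwd=*:\
    :u_minchg#604800:\
    :u_maxlen#8:\
    :u_exp#7776000:\
    :u_life#2592000:\
    :chkent:
EOF

for u in alice bob; do
    if tcb_check_aging "$TCB_DIR/$u"; then
        echo "$u: policy OK"
    else
        echo "$u: policy REJECTED"
    fi
done
```

Run it against /tcb/files/auth/system/default and a few of the per-user files under /tcb/files/auth/ to see what the effective numbers are before changing anything; the reader only looks at the fields it is asked for, so string and boolean fields in the real files do not disturb it.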
Rick Garland
Honored Contributor

Re: useradd on trusted systems

What are some of the options that can go into the /etc/default/useradd file?

What are the defaults?

Doug O'Leary
Honored Contributor

Re: useradd on trusted systems

Hey;

From the useradd man page:

-D Manages the defaults for various options. When useradd is invoked with this option only, the default values for group, base_dir, skel_dir, shell, inactive, expire, and update_homedir_ownership are displayed. Invoking useradd with this option and other allowed options sets the default values for those options.

Or, you can update the /etc/default/useradd file manually.

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html