Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Appendix A Trusted Systems

Setting Up a Trusted System

» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

To set up a trusted system, follow these steps:

  1. Establish an overall security policy appropriate to your work site.

  2. Inspect all existing files on the system for security risks, and remedy them. This is important before you convert to a trusted system. Thereafter, examine the files regularly, or when you suspect a security breach. See Section  in Chapter 6

  3. Back up the file system for later recovery of user files. You should also back up the /etc/passwd file to tape before the conversion.

    You can use any of the backup and recovery programs provided by HP-UX for the initial backup and recovery. After security features are implemented, however, use only fbackup and frecover, which preserve and restore access control lists (ACLs). For more information, see fbackup(1M) and frecover(1M).

  4. Convert to a trusted system. Conversion to a trusted system is a reversible operation.

    To convert to a trusted system, run HP SMH and click System Security Policies. It will get to the Convert to trusted system prompt. You might receive a confirmation prompt. Press Y to begin the conversion process.

    When you convert to a trusted system, the conversion program does the following actions:

    • Creates a new, protected password database in /tcb/files/auth/.

    • Moves encrypted passwords from the /etc/passwd file to the protected password database and replaces the password field in /etc/passwd with an asterisk (*).

    • Forces all users to use passwords.

    • Creates an audit ID number for each user. The audit ID remains unchanged throughout a user's history. It uniquely identifies a user. Note that audit ID is getting deprecated along with Trusted System in HP-UX 11i v3, and is being replaced by audit tag that is dynamically assigned each time a user successfully starts a new login session. See Chapter 10 for more information about audit tags.

    • Turns on the audit flag for all existing users.

    • Converts the at, batch, and crontab input files to use the submitter's audit ID.

  5. Verify that the audit files are on the system:

    1. Use swlist -l fileset to list the installed file sets. Look for the fileset called SecurityMon, which contains the auditing program files. To reduce the listing, enter the following command:# swlist -l fileset | grep Security

    2. In addition, verify that the following files (not specified in SecurityMon) also exist:

      • /etc/rc.config.d/auditing contains parameters to control auditing. You can modify this file with SMH or by hand with a text editor.

      • /sbin/rc2.d/S760auditing is the script that starts auditing. Do not modify this file.

  6. After converting to a trusted system, you can use the audit subsystem and run the HP-UX system as a trusted system.

    NOTE: On HP-UX 11i v3, an auditing system also works on a system without converting to a trusted system.

    See Chapter 10 for more information.

If you need to convert from a trusted system back to a standard system, run HP SMH and use the Auditing and Security window. The Audited Events, Audited System Calls, and Audited Users screens all provide an unconvert option.

TIP: One way to determine if the system has been converted to a trusted system is to look for/tcb files. If they exist, then you have a trusted system.
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.