Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP Servers and Workstations: Managing Systems and Workgroups > Chapter 8 Administering a System: Managing System Security

Setting Up Your Trusted System
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

To set up and maintain a Trusted System, follow these steps:

  1. Establish an overall security policy appropriate to your work site. See “Planning System Security”.

  2. Inspect all existing files on your system for security risks, and remedy them. This is important before you convert to a Trusted System. Thereafter, examine your files regularly, or when you suspect a security breach. See “Guidelines for Mounting and Unmounting a File System” for useful procedures.

  3. Back up your file system for later recovery of user files. You should also back up the /etc/passwd file to tape before the conversion.

    You can use any of the backup and recovery programs provided by HP-UX for your initial backup and recovery. Once security features are implemented, however, use only fbackup and frecover, which preserve and restore access control lists (ACLs). See fbackup(1M) and frecover(1M).

  4. Convert to a Trusted System. (Conversion to a Trusted System is an easily reversible operation.)

    To convert to a Trusted System, run SAM, highlight “Auditing and Security” and activate any of the audit screens to get to the Convert to Trusted System prompt. You may receive a confirmation prompt. Press Y to begin the conversion process.

    When you convert to a Trusted System, the conversion program:

    • Creates a new, protected password database in /tcb/files/auth/.

    • Moves encrypted passwords from the /etc/passwd file to the protected password database and replaces the password field in /etc/passwd with an asterisk (*).

    • Forces all users to use passwords.

    • Creates an audit ID number for each user.

    • Turns on the audit flag for all existing users.

    • Converts the at, batch and crontab input files to use the submitter’s audit ID.

    • Starting with HP-UX 11.0, changes the default value for umask to 077 (-rw-------, drwx------); see umask(1).

  5. Verify that the audit files are on your system:

    1. Use swlist -l fileset to list the installed file sets. Look for the file set called SecurityMon which contains the auditing program files. To reduce the listing, you might try

      swlist -l fileset | grep Security

    2. In addition, verify that the following files (not specified in SecurityMon) also exist:

      • /etc/rc.config.d/auditing contains parameters to control auditing. You may modify this file with SAM or by hand.

      • /sbin/rc2.d/S760auditing is the script that starts auditing. It should not be modified.

  6. After conversion to a Trusted System, you are ready to use your audit subsystem and run your HP-UX system as a Trusted System. To enable auditing, run SAM and use the “Auditing and Security” window.

    You may also enable auditing without running SAM, by manually editing the script in /etc/rc.config.d/auditing.

If you need to convert from a Trusted System back to a standard system, run SAM and use the “Auditing and Security” window. The “Audited Events”, “Audited System Calls”, and “Audited Users” selections all provide an unconvert option.

A simple way for users to tell if their system has been converted to a Trusted System is to look for the “last successful/unsuccessful login” message that is displayed by a Trusted System at user login.

The following sections provide detailed information on HP-UX security features and basic security tasks.



Trusted System Security
  		 


Auditing a Trusted System  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1997-2006 Hewlett-Packard Development Company, L.P.