29.2 hp-ux trusted systems

Upload: ramesh-bhagat

Post on 02-Mar-2018


  • 7/26/2019 29.2 HP-UX Trusted Systems

    1/35


root@hpeos004[] pwget -n root
root:sM.XPxuSW7HSQ:0:3::/:/sbin/sh
root@hpeos004[]

The first two characters, sM, are the salt. Somehow I must generate matching cyphertext using a plain-text password, the salt, and the encryption algorithm. For my first attempt, I will use a password of root. Here goes:

root@hpeos004[] echo "root\0\0\0\0sM" | /usr/lbin/makekey
sMnn9T.kL2Nucroot@hpeos004[]
root@hpeos004[]
root@hpeos004[]

I hope you can read the output, sMnn9T.kL2Nu. There's no match. The reason I have used four \0 characters is that /usr/lbin/makekey is expecting eight characters followed by the two-character salt. This is effectively how commands like Crack work; they will try different well-known passwords, comparing the cyphertext with the entry in the /etc/passwd file. They then move on to any sequence from the 64-character set that can constitute a valid encrypted password. Eventually, they come up with an answer. In this case, if I persevere, I would come up with a string of banana11. If I encrypt this text, I wonder what will happen?

root@hpeos004[] echo "banana11sM" | /usr/lbin/makekey
sM.XPxuSW7HSQroot@hpeos004[]
root@hpeos004[]

    29.2 HP-UX Trusted Systems http://book.soundonair.ru/hall2/ch29lev1sec2.html

    2 of 35 11/25/2015 12:11 AM


Such standards and evaluation criteria can form the basis of a security policy for your organization. We won't go into writing a security policy here. We are here to talk about HP-UX Trusted Systems. HP-UX Trusted Systems can be part of the tools you use to implement the mechanics of parts of a security policy. We look at aspects of HP-UX Trusted Systems through a series of demonstrations of the following features:

Enabling and disabling HP-UX Trusted System functionality

The structure of the TCB

Password Policies, Aging, and Password History Database

Time- and location-based access controls

Auditing users, events, and system calls

Boot Authentication

We will configure these features for individual users as well as for the system as a whole, where relevant. Let's get started.

29.2.2 Enabling and disabling HP-UX Trusted System functionality

The preferred method of converting a system to Trusted Systems is by using SAM. The resulting files and directories that manage the Trusted Computing Base (TCB) are sensitive to inappropriate editing (don't mess it up) leading to a system which may lock out every user, including root. Such a situation would probably need the use of the Recovery Media, the Recovery Shell, and some clever backing out of the TCB configuration.

To enable Trusted Systems from within SAM, you would navigate from the Main Menu - Auditing and Security and then to any of the four sub-menus titled "Audited Events," "Audited System Calls," "Audited Users," or "System Security Policies." At that point, you receive a dialog window similar to the one shown in Figure 29-2.

Figure 29-2. Converting to Trusted Systems.

Choosing the Yes button will result in the TCB being established. This includes taking all of your passwords out of the /etc/passwd file and storing them within the TCB. The command that SAM is running is /usr/lbin/tsconvert. Here's the output I received when running tsconvert:

root@hpeos004[] /usr/lbin/tsconvert
Creating secure password database...
Directories created.
Making default files.
System default file created...
Terminal default file created...
Device assignment file created...
Moving passwords...
secure password database installed.
Converting at and crontab jobs...
At and crontab files converted.
root@hpeos004[]

We look at the directory structure of the TCB in the next section, but just to give you an idea of some of the things that have happened, here's my /etc/passwd file after I converted to a Trusted System:

root@hpeos004[] more /etc/passwd
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
oracle:*:102:102:Oracle:/home/oracle:/usr/bin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
bonzo:*:101:20::/home/bonzo:/sbin/sh
mikey:*:103:20::/home/mikey:/sbin/sh
stevo:*:104:20::/home/stevo:/sbin/sh
fred:*:105:20::/home/fred:/sbin/sh
barney:*:106:20::/home/barney:/sbin/sh
wilma:*:107:20::/home/wilma:/sbin/sh
betty:*:108:20::/home/betty:/sbin/sh

In converting a system to a Trusted System, we are initiating a process whereby a series of files and directories are created under the directory /tcb. Figure 29-3 gives you a basic idea of what the files and directories mean.

Figure 29-3. Structure of the TCB.

As we can see, each user has his own security file; for example, root has a separate security file under /tcb/files/auth/r/root. Here is the file created on my system:

root@hpeos004[] cat /tcb/files/auth/r/root
root:u_name=root:u_id#0:\
:u_pwd=RNeo9DPApktR.:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_pswduser=root:u_suclog#1065192971:u_lock@:chkent:
root@hpeos004[]

The files under /tcb/files/auth/* are collectively known as the protected password database. Only root can get to these files. If you are looking for someone's password, it will be in a file under this directory. There are files and directories that contain system-wide information as well as user-specific information. If you ever find two files with a similar name and the second one has -t appended to it, this is the way Trusted Systems performs file locking. If there is a problem with accessing a particular file, it may be due to the presence of an old -t file. If so, you should remove the -t file manually, but make sure there is a problem first.

29.2.3.1 FORMAT OF A TCB FILE

All the files within the TCB are ASCII files. All files follow a similar structure. Each file is effectively a single line. The entry is referenced via the first token on the line, known as the name. The name and subsequent capabilities are separated by a colon (:) character. Each entry can have 0 or more capabilities. At the end of the line is a checkent field that must exist; otherwise, all authentication routines will reject the entry in its entirety. Here's the example of the entry for root again:

root@hpeos004[] cat /tcb/files/auth/r/root
root:u_name=root:u_id#0:\
:u_pwd=RNeo9DPApktR.:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_pswduser=root:u_suclog#1065192971:u_lock@:chkent:
root@hpeos004[]

The name is root, as you would expect. We have a series of capabilities, and finally we have the checkent field. The name, capabilities, and checkent field are each terminated by the colon (:) character. Without this basic structure, the entry is deemed invalid and ignored. The capabilities all have a unique name and can be numeric, Boolean, or string values.

Numeric values are of the form: id#num.

Boolean expressions are of the form: id or id@.

The reason for two forms is the necessity for the expression to be either true or false. If the capability is present and of the form id, then it is true. If the capability has the @ symbol appended to it, i.e., of the form id@, then it is false.

String expressions are of the form: id=string.

If a capability is not explicitly listed, it will assume the default behavior for that capability as specified in the system-wide defaults file /tcb/files/auth/system/default. Be careful that you understand the default behavior for particular capabilities as specified in the default file before removing capabilities from a particular database file.
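As an added illustration of the entry format just described (example code written for this edit, not code from the book or from HP-UX itself), here is a small parser that reads a protected password database entry, types each capability as numeric, Boolean or string, rejects an entry that lacks the terminating chkent field, and resolves an absent capability against the system-wide default entry. The root and default entries it parses are copied from the listings in this section; the class and function names are the example's own.

```python
# Parser for the TCB entry format described in 29.2.3.1 (added example,
# not code from the book). Format: name:cap:cap:...:chkent:, where
#   id#num     numeric capability
#   id         Boolean capability, true
#   id@        Boolean capability, false
#   id=string  string capability
# Backslash-newline continuations are joined first, since each entry is
# logically a single line.
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

Value = Union[int, bool, str]


@dataclass
class TcbEntry:
    name: str
    caps: Dict[str, Value] = field(default_factory=dict)


def parse_tcb_entry(text: str) -> TcbEntry:
    """Parse one entry; raise ValueError if the chkent field is missing,
    which is the condition under which the authentication routines would
    reject the whole entry."""
    logical = "".join(seg.strip() for seg in text.split("\\\n"))
    tokens = [t for t in logical.split(":") if t != ""]
    if len(tokens) < 2 or tokens[-1] != "chkent":
        raise ValueError("entry is not terminated by chkent; it would be ignored")
    entry = TcbEntry(name=tokens[0])
    for cap in tokens[1:-1]:
        if "=" in cap:                      # id=string
            ident, value = cap.split("=", 1)
            entry.caps[ident] = value
        elif "#" in cap:                    # id#num (may be negative: u_auditflag#-1)
            ident, num = cap.split("#", 1)
            entry.caps[ident] = int(num)
        elif cap.endswith("@"):             # id@  -> false
            entry.caps[cap[:-1]] = False
        else:                               # id   -> true
            entry.caps[cap] = True
    return entry


def effective(user: TcbEntry, default: TcbEntry, ident: str) -> Optional[Value]:
    """A capability absent from the user's file takes the value set in
    /tcb/files/auth/system/default; None if neither file sets it."""
    return user.caps.get(ident, default.caps.get(ident))


# Sample entries, copied from the root and default listings in this section.
ROOT_ENTRY = """root:u_name=root:u_id#0:\\
:u_pwd=RNeo9DPApktR.:\\
:u_bootauth:u_auditid#0:\\
:u_auditflag#1:\\
:u_pswduser=root:u_suclog#1065192971:u_lock@:chkent:"""

DEFAULT_ENTRY = """default:\\
:d_name=default:\\
:d_boot_authenticate@:\\
:u_pwd=*:\\
:u_owner=root:u_auditflag#-1:\\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\\
:u_llogin#17280000:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:\\
:u_genpwd:u_restrict:u_nullpw:u_genchars:\\
:u_genletters:u_suclog#0:u_unsuclog#0:u_maxtries#3:\\
:u_lock:\\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\\
:chkent:"""


if __name__ == "__main__":
    root = parse_tcb_entry(ROOT_ENTRY)
    dflt = parse_tcb_entry(DEFAULT_ENTRY)
    for ident in ("u_id", "u_lock", "u_auditflag", "u_maxtries", "u_maxlen"):
        print(ident, "=", effective(root, dflt, ident))
```

Note that root's own file sets u_auditflag#1 while the default carries u_auditflag#-1, so the lookup order (user file first, then default) is what decides whether root is audited; that is the same precedence the text warns you to keep in mind before deleting a capability from a user's file.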

29.2.3.2 THE TTYS, DEVASSIGN, AND OTHER TCB FILES

The TCB maintains a single terminal control database. The file is called /tcb/files/ttys. Entries in this file control whether login is allowed to a particular terminal, i.e., whether a terminal is locked. Additional capabilities relate to delays between login attempts, login timeouts, and the maximum number of login attempts allowed before the terminal is locked. These attributes usually relate to directly connected terminals and modems. Locking a pseudo-terminal device file makes little sense because we don't know who, if anyone, will attempt to log in via a particular pseudo-terminal. Additional information is maintained in this file relating to who last logged in to the terminal, when he logged in, and when the last unsuccessful login attempt was made.

The /tcb/files/devassign file is known as the device assignment database or the terminal control database. As the name suggests, we can assign devices to particular users; the devassign file controls which users can use particular terminals/modems. If no users are listed against a specific device, everyone can use that device. As with the ttys file, we normally don't list pseudo-terminal device files in the devassign file.

29.2.4 Password policies, aging and password history database

We can control many aspects of a user's password, including the following:

Who generates the password

The format of the password

The maximum length of the password

When passwords expire

Using a password history database to prevent users from using a restricted list of passwords

If we look at the /tcb/files/auth/system/default file, we can see the entities that can generate a new password for a user:

root@hpeos004[system] cat default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:u_genpwd:\

root@hpeos004[pwhist] pwd
/tcb/files/auth/system/pwhist
root@hpeos004[pwhist] ll
total 12
-rw------- 1 root sys 14080 Oct 4 16:15 pwhist_0
root@hpeos004[pwhist] more pwhist_0
felix:00er4b10c59cSX1cfe43cbaE23fcb011yEa705714cBIc9f159ab:
root@hpeos004[pwhist]

We see other uses for the /etc/default/security configuration file later. Be careful if you are going to edit these files directly. Using SAM is always safer. Alternately, you could use the commands /usr/lbin/modprpw and /usr/lbin/getprpw. These are the commands that SAM uses to effect changes in the protected password database. There is a manual page for them, so I won't bore you with any examples here. After making any changes, it's a good idea to check the consistency of the protected password database by using the command /usr/sbin/authck:

root@hpeos004[] authck -vp
finding all entries in the Protected Password database, in /tcb/files/auth
Checking format of files in Protected Password database /tcb/files/auth
finding all entries in the Protected Password database, in /tcb/files/auth
Format of all Protected Password entries OK
Checking Protected Password against getprpwent()
Checking Protected Password against /etc/passwd
Checking Protected Password fields against those in /etc/passwd
Checking internal consistency of Protected Password fields
root@hpeos004[]

29.2.5 Time- and location-based access controls

By default, there are no restrictions on where and when a user can log in to the system. If we think about it, most of our users log in at about 09:00 and log out around 17:00, Monday through Friday. Ask yourself the question, "When do hackers log in?" It's not normally during working hours, for fear of being detected. I think it makes sense that if your users follow a regular login time pattern, then you should apply that pattern to all users (I would probably leave root and system users out of that pattern). We apply these time-based access controls in a user's protected password database file via the u_tod capability. I have highlighted the restrictions for the user fred by putting them on their own line:

root@hpeos004[f] cat fred
fred:u_name=fred:u_id#105:\
:u_pwd=7Hcf1zI4QmdzU:\
:u_auditid#16:\
:u_auditflag#1:\
:u_succhg#1065283999:u_pswduser=fred:u_pwchanger=root:\
:u_tod=Wk0800-1700:\
:u_suclog#1065276441:u_lock@:chkent:
root@hpeos004[f]

The Time Of Day (TOD) specification contains a day and a time component. The day component can be an abbreviated day name, e.g., Mo, Tu, We, Th, Fr, Sa, and Su, or a special day name, e.g., Any

pts/56:v_devs=/dev/pts/56:v_type=terminal:chkent:
pts/57:v_devs=/dev/pts/57:v_type=terminal:chkent:
pts/58:v_devs=/dev/pts/58:v_type=terminal:chkent:
pts/59:v_devs=/dev/pts/59:v_type=terminal:chkent:
tty0p1:v_devs=/dev/tty0p1:v_users=fred,barney:\
:v_type=terminal:chkent:
root@hpeos004[files]

If you are setting up location-based access controls from within SAM, you need to navigate to Peripheral Devices - Terminals and Modems.
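The two controls just described, the u_tod capability and the v_users list in devassign, are easiest to reason about when evaluated together for one login attempt. The following is an added example written for this edit, not code from the book or from HP-UX: it decides whether a given user may log in on a given device at a given moment. The book only shows the term "Wk0800-1700"; this code assumes, beyond that, that u_tod is a comma-separated list of terms of the form days followed by HHMM-HHMM, where days is "Any", "Wk" (Monday to Friday) or a run of two-letter day names such as "MoWeFr", and that a term with no time range means the whole day. All function names are the example's own; the fred and devassign entries are copied from the listings above.

```python
# Added example (not from the book): evaluating the time-based (u_tod) and
# location-based (devassign v_users) controls for one login attempt.
# ASSUMPTION: u_tod = comma-separated <days><HHMM>-<HHMM> terms, <days> being
# "Any", "Wk" (Mo-Fr) or a run of two-letter day names such as "MoWeFr".
from datetime import datetime

DAY_NAMES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index == datetime.weekday()


def moment(text: str) -> datetime:
    """Helper so callers can write '2003-10-03 10:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _days(spec: str) -> set:
    if spec == "Any":
        return set(range(7))
    if spec == "Wk":
        return set(range(5))
    # ValueError on an unknown day name, which is the safe failure
    return {DAY_NAMES.index(spec[i:i + 2]) for i in range(0, len(spec), 2)}


def tod_permits(u_tod: str, when: datetime) -> bool:
    """True if `when` falls inside some term of the u_tod capability.
    No u_tod at all means no restriction, which is the book's default."""
    if not u_tod:
        return True
    hhmm = when.hour * 100 + when.minute
    for term in u_tod.split(","):
        days = term.rstrip("0123456789-")
        times = term[len(days):]
        if when.weekday() not in _days(days):
            continue
        if not times:                      # day name with no range: whole day
            return True
        start, end = (int(t) for t in times.split("-"))
        if start <= hhmm <= end:
            return True
    return False


def device_permits(devassign_line: str, user: str) -> bool:
    """devassign semantics from the text: a device with no v_users list is
    usable by everyone; otherwise only the listed users may use it."""
    logical = "".join(seg.strip() for seg in devassign_line.split("\\\n"))
    caps = dict(c.split("=", 1) for c in logical.split(":") if "=" in c)
    users = caps.get("v_users")
    return users is None or user in users.split(",")


def login_allowed(user: str, u_tod: str, devassign_line: str, when: datetime) -> bool:
    """Both controls must permit the attempt."""
    return tod_permits(u_tod, when) and device_permits(devassign_line, user)


# Sample entries copied from the fred and devassign listings above.
FRED_TOD = "Wk0800-1700"
TTY0P1 = "tty0p1:v_devs=/dev/tty0p1:v_users=fred,barney:\\\n:v_type=terminal:chkent:"
PTS56 = "pts/56:v_devs=/dev/pts/56:v_type=terminal:chkent:"

if __name__ == "__main__":
    # 3 October 2003 was a Friday, 4 October a Saturday
    print(login_allowed("fred", FRED_TOD, TTY0P1, moment("2003-10-03 10:00")))   # True
    print(login_allowed("fred", FRED_TOD, TTY0P1, moment("2003-10-04 10:00")))   # False
    print(login_allowed("wilma", "", TTY0P1, moment("2003-10-03 10:00")))        # False
```

The pseudo-terminal entry pts/56 carries no v_users list, so device_permits returns True for everyone on it, which is exactly why the text says listing pseudo-terminals in devassign buys little.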

29.2.6 Auditing users, events, and system calls

The motivation for activating auditing is usually wanting to know who caused a particular event and why it occurred. Usually, we are not particularly interested in the normal day-to-day activities of users. When something goes wrong, we (and management!) suddenly want to know every nuance of what the users were up to at and around the time of the incident. Before we look at setting up auditing, you should know this:

Audit has a direct and in some cases a dramatic effect on system performance because every eligible event or system call will be monitored and logged to an audit log file.

You have to set aside significant disk space to keep recent audit log files.

You need to manage the disk space set aside for audit log files carefully. Processes can become blocked if there is no available disk space for audit records and a process makes a call to an audited system call or event.

You need to monitor audit log files at least daily to establish a picture of what is happening on your system. This picture of activity can be used to customize the events and system calls that you are auditing. This process of reevaluation should be a continuous one.

Ensure that you have the most recent patches for the auditing subsystem. Being a deeply embedded subsystem, any problems can cause major problems. (My 11i system from March 2003 media has suffered a system PANIC while using VxFS ACLs on a system with auditing enabled. Turn off auditing, and the VxFS ACLs behave as normal.)

First, we need to set up the audit log files in order to accommodate the voluminous amounts of data generated by the auditing system. We can then add users, events, and even system calls to the list of objects being audited.

29.2.6.1 SETTING UP AUDIT LOG FILES

Let's look at the startup configuration file that deals with auditing:

root@hpeos004[] cat /etc/rc.config.d/auditing
#!/sbin/sh
# @(#)B.11.11_LR
# Auditing configuration. See audsys(1m), audevent(1m)
#
# AUDITING: Set to 1 to enable the auditing system. Note: if auditing
# is enabled via SAM, the AUDITING and other configuration
# variables are ignored.
#
# PRI_AUDFILE: Pathname of file where audit records begin to be logged.
# PRI_SWITCH: switch size (maximum size in kbytes for primary audit log file)
# SEC_AUDFILE: file audit system switches to when primary reaches switch size
# SEC_SWITCH: switch size of secondary file (maximum size in kbytes for
# secondary audit log file)
#
# Note: If the system has any mounted volumes, you might want to put the
# primary and secondary audit log files on different volumes to take maximum
# advantage of audit file switching.
#
# Note: For security, the path to the audit files must not be readable or
# writable except by authorized users.
#
# AUDEVENT_ARGS:
# Arguments to the audevent command. See audevent(1m)
# There are three instances of AUDEVENT_ARGS.
#
# AUDEVENT_ARGS1 describes those events that are audited
# for both success and failure.
#
# AUDEVENT_ARGS2 describes those events that are success only.
#
# AUDEVENT_ARGS3 describes those events that are failure only.
#
# A null string for AUDEVENT_ARGSx is assigned to arguments
# that don't apply.
#
# By default, AUDEVENT_ARGS1 is set to:
# "-P -F -e moddac -e login -e admin"
# which causes audevent to deal with:
# 1) changing discretionary access control (DAC),
# 2) logging in, and
# 3) administering the system will be audited.
# While these may be a reasonable defaults on some systems,
# only the security officer/administrator can determine exactly
# what is needed.
#
# AUDOMON_ARGS: Arguments to the audomon daemon. See audomon(1m)
# By default, AUDOMON_ARGS is set to "-p 20 -t 1 -w 90".
# The audomon daemon takes the following arguments:
#
# fss = minimum percentage of free space left on an audit log file's
# file-system before switching to the secondary audit log file
# (which may reside on a separate volume/partition),
# or before taking protective action if no file space is left.
# (default: 20%)
# sp_freq = minimum wakeup interval (in minutes), at which point
# warning messages are generated on the console about
# switch points. Switch points are the maximum log file
# sizes and the percentage minimum free space specified.
# (default: 1 minute)
# warning = percentage of audit file space used or minimum free space
# used after which warning messages are sent to the console.
# (default: 90 - warning messages are sent when the files
# are 90% full or available free space is 90% used)
#
# Format: audomon -p fss -t sp_freq -w warning
#
AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
root@hpeos004[pwhist]

First, we need to change the AUDITING variable to equal 1 in order to turn on auditing. In doing so, we turn on auditing for all users (u_auditflag#1 in the user-specific protected password database files) for the events of moddac (MODify Discretionary Access Control information: chmod, chown, and so on), admin (ADMINistrative and superuser activities, e.g., rtprio, reboot, swapon, hostname, and so on) and login (login, believe it or not). This in itself generates a significant amount of data. The data is stored in one of two audit logfiles. If we look at the startup configuration file, both files are stored in the directory /.secure/etc and are called audfile1 and audfile2. When you understand why we have two audit logfiles, you realize that you cannot continue with this configuration.

We have two audit logfiles in case the first audit logfile fills up. When we say "filling up," we are talking about a size whereby the auditing system will switch to the second audit logfile. The name and size of both audit logfiles is specified in the startup script via the variables:


/audfile2 -z 97280
root@hpeos004[etc]
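The startup file above documents, in its comments, how audomon decides when to warn and when to switch logfiles, and the text makes the point that two logfiles in the same directory do not protect you when that filesystem fills. The following is an added example written for this edit, not code from the book or from HP: it reads the variable assignments from that file, parses AUDOMON_ARGS with the documented defaults, raises the two findings a reviewer would raise against the file as shipped, and models the warn/switch decision. The thresholds in log_state are the example's own reading of the comments (warn when the file is warning% of its switch size, switch when it reaches the switch size or free space falls to fss%), not HP's implementation; the function names are the example's own, and the config text is the file listed above.

```python
# Added example (not from the book): reading /etc/rc.config.d/auditing and
# applying the switch/warning thresholds that its comments describe for
# audomon (-p fss, -t sp_freq, -w warning) and for PRI_SWITCH/SEC_SWITCH.
# The threshold logic is this example's reading of the comments, not HP's code.
from posixpath import dirname
from typing import Dict, List

# The assignments from the file listed above (comment lines omitted).
AUDITING_CONF = """AUDITING=0
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
"""


def parse_rc_config(text: str) -> Dict[str, str]:
    """KEY=value lines of an rc.config.d file; comments and blank lines are
    skipped and surrounding double quotes removed."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"').strip()
    return cfg


def audomon_opts(args: str) -> Dict[str, int]:
    """'-p fss -t sp_freq -w warning', with the documented defaults 20/1/90."""
    opts = {"fss": 20, "sp_freq": 1, "warning": 90}
    names = {"-p": "fss", "-t": "sp_freq", "-w": "warning"}
    toks = args.split()
    for flag, val in zip(toks[::2], toks[1::2]):
        opts[names[flag]] = int(val)
    return opts


def check_audit_config(cfg: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise against the file."""
    findings = []
    if cfg.get("AUDITING") != "1":
        findings.append("AUDITING is not 1: the auditing subsystem stays off at boot")
    if dirname(cfg["PRI_AUDFILE"]) == dirname(cfg["SEC_AUDFILE"]):
        findings.append("primary and secondary audit files share a directory "
                        "(assumed to be the same volume): when it fills, every "
                        "process that raises an audited event blocks")
    return findings


def log_state(size_kb: int, switch_kb: int, fs_free_pct: int, opts: Dict[str, int]) -> str:
    """'switch' when the file reaches its switch size or the filesystem's free
    space falls to fss%; 'warn' once the file is warning% full; else 'ok'."""
    if size_kb >= switch_kb or fs_free_pct <= opts["fss"]:
        return "switch"
    if size_kb * 100 >= switch_kb * opts["warning"]:
        return "warn"
    return "ok"


if __name__ == "__main__":
    cfg = parse_rc_config(AUDITING_CONF)
    for finding in check_audit_config(cfg):
        print("finding:", finding)
    opts = audomon_opts(cfg["AUDOMON_ARGS"])
    print(log_state(950, int(cfg["PRI_SWITCH"]), 45, opts))   # warn
```

Running it against the file as shipped reports both findings: auditing is off, and audfile1 and audfile2 sit in the same directory. Moving SEC_AUDFILE to a different volume clears the second finding, which is the reconfiguration the text is leading up to.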

We are now ready to look at which users, events, and system calls we want to audit.

As we said earlier, all users are audited by default. To turn off auditing for a specific user, we use the audusr command:

root@hpeos004[] audusr -d fred
root@hpeos004[]

This turns off auditing for that user and sets the u_auditflag capability to 0 (zero) in the user's protected password database file. We can simply use the -a option to audusr to turn auditing back on.

Remember that the default is to include root as an audited user and the events of moddac, admin, and login as selected by default. We audit for the success as well as the failure of these events. This generates a significant amount of audit data. Adding additional events and system calls only increases the amount of data produced.

Choosing the list of events and system calls to audit is tricky. You need to decide which events are important and whether to audit for a success, a failure, or both. This is a tricky question; if someone runs the rtprio command, are you interested when it is a success or a failure? Some people would say that if all other aspects of system security are sufficient, then we would only be interested in failures. My response is that I would never be so bold as to assume that my system security was always completely watertight, and I would probably audit for both success and failure.

Table 29-1. Audit Events and System Calls

Event       Associated system call(s), if any
create      Object creation (creat(), mkdir(), mknod(), msgget(), pipe(), semget(), shmat(), shmget())
delete      Object deletion (sem_unlink(), mq_unlink(), msgctl(), rmdir(), semctl(), shm_unlink())
readdac     Discretionary access control (DAC) information reading (access(), fstat(), fstat64(), getaccess(), lstat(), lstat64(), stat(), stat64())
moddac      Discretionary access control (DAC) modification (acl(), chmod(), chown(), fchmod(), fchown(), fsetacl(), lchmod(), lchown(), putpmsg(), semop(), setacl(), umask())
modaccess   Non-DAC modification (chdir(), chroot(), link(), lockf(), lockf64(), rename(), setgid(), setgroups(), setpgid(), setpgrp(), setregid(), setresgid(), setresuid(), setsid(), setuid(), shmctl(), shmdt(), symlink(), unlink())
open        Object opening (execv(), execve(), ftruncate(), ftruncate64(), kload(), sem_open(), mmap(), mmap64(), mq_open(), open(), ptrace(), shm_open(), truncate(), truncate64())
close       Object closing (close(), sem_close(), mq_close(), munmap())
process     Process operations (exit(), fork(), kill(), mlock(), mlockall(), munlock(), munlockall(), nsp_init(), plock(), rtprio(), setcontext(), setrlimit64(), sigqueue(), ulimit64(), vfork())
removable   Removable media events (exportfs(), mount(), umount(), vfsmount())
login       Logins and logouts
admin       Administrative and superuser events (acct(), adjtime(), audctl(), audswitch(), clock_settime(), mpctl(), reboot(), sched_setparam(), sched_setscheduler(), serialize(), setaudid(), setaudproc(), setdomainname(), setevent(), sethostid(), setpriority(), setprivgrp(), settimeofday(), stime(), swapon(), toolbox(), utssys())
ipccreat    Interprocess Communication (IPC) object creation (bind(), ipccreate(), ipcdest(), socket(), socket2(), socketpair())
ipcopen     IPC object opening (accept(), connect(), fattach(), ipcconnect(), ipclookup(), ipcrecvcn())
ipcclose    IPC object deletion (fdetach(), ipcshutdown(), shutdown())
ipcdgram    IPC datagram (sendto() and recvfrom())
uevent1     User-defined event 1
uevent2     User-defined event 2
uevent3     User-defined event 3

The user-defined events allow application developers to include calls to the audswitch() and audwrite() system calls. There are no hard and fast rules as to which events are good or bad to include. You really need to analyze the use of your system and work out what is normal behavior. From that, you can decide either to continue to monitor normal behavior or to include deviations from the norm.

To add an event to be audited, we use the audevent command. Here, I am auditing for a success (-P) and a failure (-F) for the ipcclose event:

root@hpeos004[] audevent -P -F -e ipcclose
root@hpeos004[] audevent -E
event: moddac: success failure
event: login: success failure
event: admin: success failure
event: ipcclose: success failure
syscall: close: success failure
syscall: chmod: success failure
syscall: chown: success failure
syscall: lchmod: success failure
syscall: stime: success failure
syscall: acct: success failure
syscall: reboot: success failure
syscall: utssys: success failure
syscall: umask: success failure
syscall: swapon: success failure
syscall: settimeofday: success failure
syscall: fchown: success failure
syscall: fchmod: success failure
syscall: sethostid: success failure
syscall: setrlimit: success failure
syscall: privgrp: success failure
syscall: setprivgrp: success failure
syscall: plock: success failure
syscall: semop: success failure
syscall: setdomainname: success failure
syscall: rfa_netunam: success failure
syscall: setacl: success failure
syscall: fsetacl: success failure
syscall: setaudid: success failure
syscall: setaudproc: success failure
syscall: setevent: success failure
syscall: audswitch: success failure
syscall: audctl: success failure
syscall: shutdown: success failure
syscall: ipcshutdown: success failure
syscall: mpctl: success failure
syscall: putpmsg: success failure
syscall: adjtime: success failure
syscall: kload: success failure
syscall: fdetach: success failure
syscall: serialize: success failure
syscall: lchown: success failure
syscall: sched_setparam: success failure
syscall: sched_setscheduler: success failure
syscall: clock_settime: success failure
syscall: toolbox: success failure
syscall: setrlimit64: success failure
syscall: modload: success failure
syscall: moduload: success failure
syscall: modpath: success failure
syscall: getksym: success failure
syscall: modadm: success failure
syscall: modstat: success failure
syscall: spuctl: success failure
syscall: acl: success failure
syscall: settune: success failure
syscall: pset_assign: success failure
syscall: pset_bind: success failure
syscall: pset_setattr: success failure
root@hpeos004[]


I need to remember to update the /etc/rc.config.d/auditing file. I would update one of the AUDEVENT_ARGS variables to include the arguments I just used on the command line.

A good practice is to ensure that you back up as well as read your audit logfile on a regular basis. If both the primary and secondary audit logfiles are full, there is no next audit logfile, and a process generates an auditable event or system call, that process will be blocked until we can resolve that situation. You can log in to the console and manage the situation. If you have to zero-length the audit logfile, it is a good idea that we take a backup of it to maintain our audit trail.

To display audit events, we use the audisp command. Here, I am displaying the successful (-p) calls to the chown system call (-c chown) between the hours of 20:00 on 3 October and 21:00 on 4 October:

root@hpeos004[] audisp -p -c chown -t 10032000 -s 10042100 /auditing/audfile1/audfile1
All users are selected.
Selected the following events:
16
All ttys are selected.
Selecting only successful events.
start time :
Oct 3 20:00:00 2003
stop time :
Oct 4 21:00:00 2003
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:22:38 6538 S 16 6537 0 0 3 0 2 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=bin; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x00000001 (dev);
1494 (inode);
(path) = /dev/pts/1
PARAM #2 (int) = 0
PARAM #3 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:28:09 6628 S 16 6609 0 0 3 0 3 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
5161 (inode);
(path) = /tcb/files/auth/r/root-t
PARAM #2 (int) = 0
PARAM #3 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:28:09 6628 S 16 6609 0 0 3 0 3 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
5215 (inode);
(path) = /.Xauthority
PARAM #2 (int) = 0
PARAM #3 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:28:09 6655 S 16 6628 0 0 3 0 3 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000008 (dev);
5413 (inode);
(path) = /var/dt/appconfig/appmanager/root-192.168.0.70-0
PARAM #2 (int) = 0
PARAM #3 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:28:14 6674 S 16 6673 0 0 3 0 2 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=bin; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x00000001 (dev);
1493 (inode);
(path) = /dev/pts/0
PARAM #2 (int) = 0
PARAM #3 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:32:35 6881 S 16 6880 0 0 3 0 2 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=bin; ]
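As an added example (not the book's own code), here is a Python parser for the audisp record format shown above, together with a check that flags successful chown calls whose target lies under the Trusted System database (/tcb) or another sensitive tree. The sample records are constructed from the listing above with shortened separator lines; the list of sensitive path prefixes is an assumption for the example and should be tuned to your own system.

```python
"""Parse HP-UX audisp(1M) output and flag chown calls on sensitive paths.

Added example, not the book's code: SAMPLE is constructed from the audisp
listing on this page, and SENSITIVE_PREFIXES is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Columns of the record header line, in the order audisp prints them.
HEADER_FIELDS = ("date", "time", "pid", "status", "event", "ppid",
                 "aid", "ruid", "rgid", "euid", "egid", "tty")
# Assumption for the example: ownership changes under these trees deserve review.
SENSITIVE_PREFIXES = ("/tcb/", "/etc/", "/sbin/", "/stand/")

_SEPARATOR = re.compile(r"^~{10,}$")
_BRACKET = re.compile(r"\[\s*(.*?)\s*\]")          # [ Event=chown; User=root; ... ]
_RETURN = re.compile(r"RETURN_VALUE\s+\d+\s*=\s*(-?\d+)")
_PATH = re.compile(r"\(path\)\s*=\s*(\S+)")
_INT_PARAM = re.compile(r"PARAM\s+#\d+\s+\(int\)\s*=\s*(-?\d+)")


@dataclass
class AuditRecord:
    hdr: Dict[str, str]                 # header columns keyed by HEADER_FIELDS
    name: str = ""                      # Event=chown
    user: str = ""                      # User=root
    retval: Optional[int] = None        # RETURN_VALUE
    path: Optional[str] = None          # PARAM #1 (file path) ... (path) =
    ints: List[int] = field(default_factory=list)   # PARAM #n (int) values

    @property
    def succeeded(self) -> bool:
        return self.hdr["status"] == "S" and self.retval == 0


def _parse_record(lines: List[str]) -> AuditRecord:
    head = lines[0].split()
    if len(head) != len(HEADER_FIELDS):
        raise ValueError("unexpected record header: %r" % lines[0])
    rec = AuditRecord(hdr=dict(zip(HEADER_FIELDS, head)))
    for line in lines[1:]:
        if m := _BRACKET.search(line):
            pairs = (p.strip() for p in m.group(1).split(";"))
            kv = dict(p.split("=", 1) for p in pairs if "=" in p)
            rec.name, rec.user = kv.get("Event", ""), kv.get("User", "")
        elif m := _RETURN.search(line):
            rec.retval = int(m.group(1))
        elif m := _PATH.search(line):
            rec.path = m.group(1)
        elif m := _INT_PARAM.search(line):
            rec.ints.append(int(m.group(1)))
    return rec


def parse_audisp(text: str) -> List[AuditRecord]:
    """Records are delimited by ~~~ lines; the selection preamble before the
    first separator is skipped."""
    records, chunk, in_body = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if _SEPARATOR.match(line):
            if chunk:
                records.append(_parse_record(chunk))
                chunk = []
            in_body = True
        elif in_body and line:
            chunk.append(line)
    if chunk:
        records.append(_parse_record(chunk))
    return records


def flag_sensitive_chown(records: List[AuditRecord]) -> List[AuditRecord]:
    """Successful chown calls whose target lies under a sensitive tree."""
    return [r for r in records if r.name == "chown" and r.succeeded
            and r.path is not None and r.path.startswith(SENSITIVE_PREFIXES)]


# Constructed sample, modelled on the audisp output above (separators shortened).
SAMPLE = """\
Selecting only successful events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:22:38 6538 S 16 6537 0 0 3 0 2 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=bin; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x00000001 (dev);
1494 (inode);
(path) = /dev/pts/1
PARAM #2 (int) = 0
PARAM #3 (int) = 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
031004 19:28:09 6628 S 16 6609 0 0 3 0 3 ???
[ Event=chown; User=root; Real Grp=sys; Eff.Grp=sys; ]
RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
5161 (inode);
(path) = /tcb/files/auth/r/root-t
PARAM #2 (int) = 0
PARAM #3 (int) = 0
"""

if __name__ == "__main__":
    for hit in flag_sensitive_chown(parse_audisp(SAMPLE)):
        print(hit.hdr["date"], hit.hdr["time"], hit.user, "chown", hit.path, hit.ints)
```

Feed it the saved text of an audisp run (the audit file itself is binary and only audisp can read it). The aid column is kept in hdr on purpose: the audit ID is fixed at login and survives su, so it identifies the person behind a chown even when the UID columns say root.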


/tcb/files/auth/system
root@hpeos004[system] cat default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_llogin#17280000:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:\
:u_genpwd:u_restrict:u_nullpw:u_genchars:\
:u_genletters:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
root@hpeos004[system]

The capability is d_boot_authenticate. As you can see, it is disabled by default; the trailing @ marks a Boolean capability as explicitly off. If we enable it, then we can select which users are allowed to boot the system to single-user mode:

root@hpeos004[r] pwd
/tcb/files/auth/r
root@hpeos004[r] cat root
root:u_name=root:u_id#0:\
:u_pwd=XfxOmormowsLk:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_succhg#1065292066:u_pswduser=root:u_suclog#1065342673:u_suctty=console:\
:u_unsuclog#1065292035:u_lock@:chkent:
root@hpeos004[r]

The capability we are looking for is u_bootauth. As you can see, it is automatically included for root, so when we enable boot authentication in the default file, root can still boot in single-user mode. We could select other users that are able to boot in single-user mode, maybe another user we trust, e.g., an operator or admin user if you have one configured. Alternatively, now we know that editing the default file and adding an @ symbol to the d_boot_authenticate capability turns off boot authentication, meaning that we can use the Recovery Media and the Recovery Shell to effect such a change if absolutely necessary. That also tells you what the control is worth: anyone with physical access to the console and a set of recovery media can switch it off, so boot authentication stops casual or opportunistic use of single-user mode rather than a determined attacker standing at the machine.

In this example, I am allowing the user fred to boot the system in single-user mode:

root@hpeos004[f] cat fred
fred:u_name=fred:u_id#105:\
:u_pwd=7Hcf1zI4QmdzU:\
:u_auditid#16:\
:u_bootauth:\
:u_auditflag#0:\
:u_succhg#1065283999:u_pswduser=fred:u_suclog#1065285851:u_suctty=pts/ta:\
:u_unsuclog#1065285813:u_unsuctty=pts/ta:u_lock@:chkent:
root@hpeos004[f]
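As an added example (not the book's own code), the following Python reads entries in the termcap-style format used under /tcb/files/auth, reports whether d_boot_authenticate is on in the default entry and which users carry u_bootauth, and produces the default entry with boot authentication switched on. It serves both the default-entry listing and the root and fred entries above: those three entries are copied from this page, barney is a constructed user without u_bootauth, and treating a u_ capability that is missing from a user's entry as inherited from the default entry is an assumption of the example.

```python
"""Check boot authentication in HP-UX Trusted System /tcb/files/auth entries.

Added example, not the book's code. DEFAULT_ENTRY, ROOT_ENTRY and FRED_ENTRY
are copied from this page; BARNEY_ENTRY is constructed. Treating a u_
capability absent from a user entry as inherited from default is an assumption.
"""
from typing import Dict, List, Tuple, Union

Cap = Union[str, int, bool]

DEFAULT_ENTRY = r"""default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_llogin#17280000:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:\
:u_genpwd:u_restrict:u_nullpw:u_genchars:\
:u_genletters:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
"""

ROOT_ENTRY = r"""root:u_name=root:u_id#0:\
:u_pwd=XfxOmormowsLk:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_succhg#1065292066:u_pswduser=root:u_suclog#1065342673:u_suctty=console:\
:u_unsuclog#1065292035:u_lock@:chkent:
"""

FRED_ENTRY = r"""fred:u_name=fred:u_id#105:\
:u_pwd=7Hcf1zI4QmdzU:\
:u_auditid#16:\
:u_bootauth:\
:u_auditflag#0:\
:u_succhg#1065283999:u_pswduser=fred:u_suclog#1065285851:u_suctty=pts/ta:\
:u_unsuclog#1065285813:u_unsuctty=pts/ta:u_lock@:chkent:
"""

# Constructed: an ordinary user with no u_bootauth capability.
BARNEY_ENTRY = r"""barney:u_name=barney:u_id#106:\
:u_pwd=*:\
:u_auditid#17:\
:u_auditflag#0:\
:u_pswduser=barney:u_lock@:chkent:
"""


def parse_tcb_entry(text: str) -> Tuple[str, Dict[str, Cap]]:
    """One termcap-style entry: the name, then ':'-separated capabilities where
    key=str is a string, key#n a number, a bare key is on and key@ is off."""
    joined = "".join(ln.strip().rstrip("\\") for ln in text.splitlines() if ln.strip())
    fields = [f for f in joined.split(":") if f]
    if len(fields) < 2 or fields[-1] != "chkent":
        raise ValueError("entry not terminated by chkent: %r" % text[:40])
    caps: Dict[str, Cap] = {}
    for f in fields[1:-1]:
        if "=" in f:
            key, val = f.split("=", 1)
            caps[key] = val
        elif "#" in f:
            key, num = f.split("#", 1)
            caps[key] = int(num)
        elif f.endswith("@"):
            caps[f[:-1]] = False
        else:
            caps[f] = True
    return fields[0], caps


def boot_auth_report(default_text: str, user_texts: List[str]) -> Dict[str, object]:
    """Is single-user boot gated by a password, and who may pass the gate?"""
    _, default = parse_tcb_entry(default_text)
    enabled = default.get("d_boot_authenticate") is True
    holders = []
    for text in user_texts:
        name, caps = parse_tcb_entry(text)
        # Assumption: a u_ capability absent from the user falls back to default.
        if caps.get("u_bootauth", default.get("u_bootauth", False)) is True:
            holders.append(name)
    return {"enabled": enabled, "bootauth_users": holders}


def enable_boot_authentication(default_text: str) -> str:
    """Drop the '@' that switches d_boot_authenticate off; idempotent."""
    return default_text.replace(":d_boot_authenticate@:", ":d_boot_authenticate:")


if __name__ == "__main__":
    users = [ROOT_ENTRY, FRED_ENTRY, BARNEY_ENTRY]
    print("as shipped:    ", boot_auth_report(DEFAULT_ENTRY, users))
    print("after enabling:", boot_auth_report(enable_boot_authentication(DEFAULT_ENTRY), users))
```

With the default entry as shipped the report shows enabled False, meaning u_bootauth is decorative and anyone at the console can reach single-user mode; after enable_boot_authentication only root and fred pass, and barney does not. Run the report against the real files before and after an edit rather than trusting the edit itself.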

Now fred will attempt to boot the system in single-user mode. Because we are letting fred boot the system in single-user mode, you might want to consider letting fred shut the system down for a reboot or halt. These are completely unrelated subjects, but it did occur to me that if the root account was locked for whatever reason and we couldn't log in as root, then it would be a good idea to have a trusted user who could issue a shutdown command in order to reboot the system in a consistent manner. Here, I have configured the /etc/shutdown.allow file to allow fred to shut down this system:

root@hpeos004[f] cat /etc/shutdown.allow
# let root use shutdown
hpeos004 root
# Other authorized users
hpeos004 fred
root@hpeos004[f]

Now we can let fred shut the system down and boot the system in single-user mode:

Processor is booting from first available device.
To discontinue, press any key within 10 seconds.
Boot terminated.
---- Main Menu --------------------------------------------------------------
Command Description
------- -----------
BOot [PRI|ALT|] Boot from specified path
PAth [PRI|ALT] [] Display or modify a path
SEArch [DIsplay|IPL] [] Search for boot devices
COnfiguration menu Displays or sets boot values
INformation menu Displays hardware information
SERvice menu Displays service commands
DIsplay Redisplay the current menu
HElp [|] Display help for menu or command
RESET Restart the system
----
Main Menu: Enter command or menu > bo pri
Interact with IPL (Y, N, or Cancel)?> y
Booting...
Boot IO Dependent Code (IODC) revision 1
HARD Booted.
ISL Revision A.00.43 Apr 12, 2000
ISL> hpux -is
Boot
: disk(0/0/1/1.15.0.0.0.0.0;0)/stand/vmunix
10018816 + 1753088 + 1500016 start 0x1f3fe8
alloc_pdc_pages: Relocating PDC from 0xf0f0000000 to 0x3fb01000.
...
entry 0 - major is 64, minor is 0x2; start = 0, size = 4194304
Starting the STREAMS daemons-phase 1
Checking root file system.
file system is clean - log replay is not required
Root check done.
Create STCP device files
$Revision: vmunix: vw: -proj selectors: CUPI80_BL2000_1108 -c 'Vw for
CUPI80_BL2000_1108 build' -- cupi80_bl2000_1108 'CUPI80_BL2000_1108'
Wed Nov 8 19:24:56 PST 2000 $
Memory Information:
physical page size = 4096 bytes, logical page size = 4096 bytes
Physical: 1048576 Kbytes, lockable: 742712 Kbytes, available: 862072 Kbytes
/sbin/ioinitrc:
/sbin/krs_sysinit:
INITSH: /sbin/init.d/vxvm-startup2: not found
INIT: Overriding default level with level 's'
Boot Authentication:
Please enter your login name: fred
Password:
INIT: SINGLE USER MODE
INIT: Running /sbin/sh
#

By entering fred's password, I am now logged in as root in single-user mode. From here, I can make any changes necessary and bring the system to multi-user mode. Note what that implies: fred's password now yields a root shell to anyone at the console, so it deserves the same care as root's own password.

NOTE: At the time of this writing, a separate product for HP-UX 11i (version 1) called Boot Authenticator for Standard Mode HP-UX is available for free download from http://software.hp.com under Security and Manageability. This provides the features of boot authentication without converting the system to a Trusted System. I leave it up to you to investigate this further if you are interested.