Check: GEN000000-HPUX0020
HP-UX 11.23 STIG:
GEN000000-HPUX0020
(in version v1 r8)
Title
The system must be configured to operate in a security mode. (Cat II impact)
Discussion
When operating in standard mode, account passwords are stored in the /etc/passwd file, which is world readable. By operating in either Trusted Mode or Standard Mode with Security Extensions, the system security posture is enhanced thru the addition of a secure, non-world readable password container other than /etc/passwd.
Check Content
For Trusted Mode: Determine if the /tcb directory tree exists. # ls -lLd /tcb If the /tcb directory tree does not exist, this is a finding. For SMSE: Determine if the userdb directory tree and the /etc/shadow file exists. # ls -lL /var/adm/userdb # ls -lL /etc/shadow If both the /var/adm/userdb directory tree and the /etc/shadow file do not exist, this is a finding.
Fix Text
SAM/SMH must be used to convert standard mode HP-UX to Trusted Mode (optional for SMSE). For Trusted Mode only: The following command may be used to “manually” convert from Standard Mode to Trusted Mode (note that its use is not vendor supported): # tsconvert -c For SMSE only: The following command may be used to “manually” create the /etc/shadow file with information from the /etc/passwd file (use of this commend is vendor supported). # pwconv Note that additional software bundles and/or patches may be required in order to completely convert a standard mode system to SMSE.
Additional Identifiers
Rule ID: SV-38681r2_rule
Vulnerability ID: V-960
Group Title: GEN000000-HPUX0020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000293 |
The organization develops a current baseline configuration of the information system. |
CCI-000633 |
The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf(COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures. |