The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands each generate audit records. The following attributes are included in each audit record:

- Authorizations (operation, object)
- Result of event (success or failure)
Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File
HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify the specific roles, operations, and objects for which audit records are generated. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file, or do not explicitly match, then no role-to-authorization audit records are generated.

Authorized users can edit the /etc/rbac/aud_filter file with a text editor and specify the role and authorization to be audited. Each authorization is specified as an operation, object pair. All authorizations associated with a role must be specified in a single entry. Only one authorization can be specified per role on each line; however, the * wildcard is supported.

Each entry in the /etc/rbac/aud_filter file has the following format, one entry per line:

    role, operation, object

The following list explains each of the /etc/rbac/aud_filter entries:

- role: Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation.
- operation: A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, all operations can be accessed by the operation.
- object: The object the user can access. If * is specified, all objects can be accessed by the operation.
The following are example /etc/rbac/aud_filter entries that generate audit records for the SecurityOfficer role with the authorization (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects:

    SecurityOfficer, hpux.passwd, /etc/passwd
    Administrator, hpux.printer.add, *
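The matching rule above (a process is audited only when its role, operation, and object all match one entry, with * as a wildcard) is easy to get wrong when reviewing a filter. The following Python model, added here as an illustration and not part of HP-UX or the original page, parses entries in the `role, operation, object` format and reports whether a given triple would produce an audit record. The sample filter is constructed; it reuses the two entries above plus an assumed Operator line using hpux.printer.*. Two details are assumptions rather than documented behaviour: a trailing `.*` in the operation field is treated as a prefix wildcard (following the hpux.printer.* example), and blank or `#` lines are ignored.

```python
"""Model of /etc/rbac/aud_filter matching (constructed example, not HP-UX code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FilterEntry:
    role: str
    operation: str
    obj: str


def parse_aud_filter(text: str) -> List[FilterEntry]:
    """Parse 'role, operation, object' lines; reject malformed entries.

    Assumption: blank lines and lines starting with '#' are skipped.
    """
    entries: List[FilterEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(
                f"line {lineno}: expected 'role, operation, object', got {raw!r}"
            )
        entries.append(FilterEntry(*parts))
    return entries


def _operation_matches(pattern: str, operation: str) -> bool:
    """'*' matches every operation; 'hpux.printer.*' matches any operation
    below the hpux.printer. prefix (assumed prefix semantics); otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        prefix = pattern[:-1]  # keep the trailing dot, drop the '*'
        return operation.startswith(prefix) and len(operation) > len(prefix)
    return pattern == operation


def _field_matches(pattern: str, value: str) -> bool:
    """Role and object fields: '*' or an exact match."""
    return pattern == "*" or pattern == value


def matching_entry(entries: List[FilterEntry], role: str, operation: str,
                   obj: str) -> Optional[FilterEntry]:
    """Return the first entry where all three fields match, else None.
    A record is generated only when role, operation and object all match."""
    for entry in entries:
        if (_field_matches(entry.role, role)
                and _operation_matches(entry.operation, operation)
                and _field_matches(entry.obj, obj)):
            return entry
    return None


def should_audit(entries: List[FilterEntry], role: str, operation: str,
                 obj: str) -> bool:
    return matching_entry(entries, role, operation, obj) is not None


# Constructed sample filter: the two entries from the text plus an assumed
# Operator entry that uses the operation wildcard.
SAMPLE_AUD_FILTER = """\
# role, operation, object
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""


def review_filter() -> dict:
    """Evaluate a few representative (role, operation, object) triples."""
    entries = parse_aud_filter(SAMPLE_AUD_FILTER)
    cases = [
        ("SecurityOfficer", "hpux.passwd", "/etc/passwd"),   # exact match
        ("SecurityOfficer", "hpux.passwd", "/etc/shadow"),   # object differs
        ("Administrator", "hpux.printer.add", "/dev/lp0"),   # object wildcard
        ("Administrator", "hpux.printer.delete", "/dev/lp0"),  # op not listed
        ("Operator", "hpux.printer.delete", "/dev/lp0"),     # hpux.printer.*
    ]
    return {case: should_audit(entries, *case) for case in cases}


if __name__ == "__main__":
    for triple, audited in review_filter().items():
        print(f"{triple}: {'audit' if audited else 'no record'}")
```

The object mismatch case is the one worth noticing when reviewing a filter: an entry for /etc/passwd says nothing about the same role touching /etc/shadow, so a filter that is meant to cover a whole class of objects needs the * wildcard, not a single path.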
NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not interface with /etc/rbac/aud_filter.
Procedure for Auditing HP-UX RBAC Criteria
The following steps describe how to configure an audit process to audit HP-UX RBAC criteria on the system:

1. Configure the system to audit Passed or Failed events for the Administrator events by using the following command:

2. Configure the location and name of the audit output file and enable auditing on the system by using the following command:

       # audsys -n -c /tmp/aud.out -s 2048

3. Execute an HP-UX RBAC command, for example:

       # /usr/sbin/authadm add newauth

4. Open the audit output file and search for the records on the authadm command by using the following command:

       # audisp /tmp/aud.out | fgrep authadm