Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 10 Audit Administration

HP-UX RBAC Auditing


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands each generate audit records. The following attributes are included in each audit record:

  • User name

  • UID

  • Role

  • Authorizations (operation, object)

  • Time of event

  • Result of event (success or failure)

Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File

HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify specific roles, operations, and objects to generate audit records for. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, then no audit records specific to role-to-authorization are generated.

Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role and authorization to be audited. Each authorization is specified in the form of operation, object pairs. All authorizations associated with a role must be specified in a single entry. Only one authorization can be specified per role on each line—however, the * wildcard is supported. The following are the supported entries and format for the /etc/rbac/aud_filter file:

role, operation, object

The following list explains each of the /etc/rbac/aud_filter entries:


Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation.


A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, all operations can be accessed by the operation.


The object the user can access. If * is specified, all objects can be accessed by the operation.

The following are example /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects.

SecurityOfficer, hpux.passwd, /etc/passwd Administrator, hpux.printer.add, *
NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not interface with /etc/rbac/aud_filter.

Procedure for Auditing HP-UX RBAC Criteria

The following steps describe how to configure an audit process to audit HP-UX RBAC criteria on the system:

  1. Configure the system to audit Passed or Failed events for the Administrator events by using the following command:

    # audevent -PFe admin
  2. Configure the location and name of the audit output file and enable auditing on the system by using the following command:

    # audsys -n -c /tmp/aud.out -s 2048
  3. Execute an HP-UX RBAC command, for example:

    # /usr/sbin/authadm add newauth
  4. Open the audit output file and search for the records on the authadm command by using the following command:

    # audisp /tmp/aud.out |fgrep authadm
NOTE: For more information, see audit(5), audevent(1M), audsys(1M), and audisp(1M) to learn more about auditing HP-UX systems.
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.