The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands each generate audit records.
The following attributes are included in each audit record:
Authorizations (operation, object)
Result of event (success or failure)
Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter
HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify specific roles, operations, and objects to generate audit records for. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, then no audit records specific to role-to-authorization
Authorized users can edit the /etc/rbac/aud_filter file with a text editor and specify the roles and authorizations to be audited. Each authorization is specified as an operation, object pair. All authorizations associated with a role must be specified in a single entry; only one authorization can be specified per role on each line, but the * wildcard is supported, so a single entry can cover several operations or objects. Entries in /etc/rbac/aud_filter have the following format (three comma-separated fields):

role, operation, object
The following list explains each of the /etc/rbac/aud_filter entries:

role
    Any valid role defined in /etc/rbac/roles. If * is specified, the entry matches all roles.

operation
    A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer, while hpux.printer.* matches any printer operation, such as adding or deleting a printer. If * is specified, the entry matches all operations.

object
    The object the user can access. If * is specified, the entry matches all objects.
The following example /etc/rbac/aud_filter entries generate audit records for the SecurityOfficer role with the authorization (hpux.passwd, /etc/passwd), and for the Administrator role performing the hpux.printer.add operation on all objects:
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not interface with /etc/rbac/aud_filter.
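The filter semantics above (all three fields must match, with * as a wildcard) are easy to get wrong when entries are written by hand, and the administrative commands do not check the file for you. The following is an added example, not HP-UX code or any file shipped with the product: a small Python matcher that parses aud_filter-style entries, reports whether a given (role, operation, object) would produce an audit record, and lints the file for malformed lines and roles that are not defined. It assumes that partial patterns such as hpux.printer.* follow shell-glob rules and that blank lines are ignored (neither is stated on the page); the sample entries, the Operator role and the set of defined roles are constructed for the example.

```python
# Added example (not HP-UX code): a matcher for /etc/rbac/aud_filter entries.
# Semantics taken from the text: a process is audited only when its role,
# operation AND object all match one entry; "*" matches any value in a field,
# and hpux.printer.* matches hpux.printer.add, hpux.printer.delete, ...
# Assumptions (not stated on the page): partial patterns follow shell-glob
# rules, and blank lines in the file are ignored.
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Set


class FilterEntry(NamedTuple):
    role: str
    operation: str
    obj: str


def parse_aud_filter(text: str) -> List[FilterEntry]:
    """Parse 'role, operation, object' lines; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(
                f"line {lineno}: expected three comma-separated fields "
                f"(role, operation, object), got {raw!r}")
        entries.append(FilterEntry(*fields))
    return entries


def _field_matches(pattern: str, value: str) -> bool:
    """'*' alone matches anything; otherwise glob-match (assumption, see above)."""
    return pattern == "*" or fnmatchcase(value, pattern)


def matching_entry(entries: List[FilterEntry], role: str, operation: str,
                   obj: str) -> Optional[FilterEntry]:
    """Return the first entry that matches all three attributes, or None.

    None means the filter generates no record for this access, even when one
    or two of the fields happen to match some entry.
    """
    for e in entries:
        if (_field_matches(e.role, role)
                and _field_matches(e.operation, operation)
                and _field_matches(e.obj, obj)):
            return e
    return None


def would_audit(entries: List[FilterEntry], role: str, operation: str, obj: str) -> bool:
    return matching_entry(entries, role, operation, obj) is not None


def check_aud_filter(text: str, defined_roles: Set[str]) -> List[str]:
    """Lint a filter file: malformed lines, and roles not defined in
    /etc/rbac/roles (an entry naming an unknown role silently audits nothing)."""
    try:
        entries = parse_aud_filter(text)
    except ValueError as err:
        return [str(err)]
    return [f"role {e.role!r} is not defined; entry never matches"
            for e in entries if e.role != "*" and e.role not in defined_roles]


# Constructed sample data: the two entries from the text plus a wildcard entry
# for a role that is deliberately NOT defined.
SAMPLE_FILTER = """\
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""
# Stand-in for the role names found in /etc/rbac/roles (constructed).
DEFINED_ROLES = {"Administrator", "SecurityOfficer"}


if __name__ == "__main__":
    entries = parse_aud_filter(SAMPLE_FILTER)
    accesses = [
        ("SecurityOfficer", "hpux.passwd", "/etc/passwd"),     # exact match -> audited
        ("SecurityOfficer", "hpux.passwd", "/etc/shadow"),     # object differs -> no record
        ("Administrator", "hpux.printer.add", "/dev/lp0"),     # object wildcard -> audited
        ("Administrator", "hpux.printer.delete", "/dev/lp0"),  # only .add listed -> no record
    ]
    for role, op, obj in accesses:
        verdict = "audited" if would_audit(entries, role, op, obj) else "no record"
        print(f"{role:16} {op:22} {obj:12} -> {verdict}")
    for problem in check_aud_filter(SAMPLE_FILTER, DEFINED_ROLES):
        print("problem:", problem)
```

The second and fourth accesses show the point of the "all three entries" rule: a near-miss on the object or on the operation produces no record at all, so an entry such as `Administrator, hpux.printer.add, *` never captures a printer deletion. Run check_aud_filter after every edit of the file, since a mistyped role name does not fail loudly on the system; it simply audits nothing.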
Procedure for Auditing HP-UX RBAC Criteria
The following steps describe how to configure an audit process to audit HP-UX RBAC criteria on the system:

1. Configure the system to audit Passed or Failed events for the Administrator events by using the following command:

2. Specify the location and name of the audit output file and enable auditing on the system by using the following command:

   # audsys -n -c /tmp/aud.out -s 2048

   A file under /tmp is adequate for a test like this one; keep a production audit trail in a directory that only root can write to.

3. Run an HP-UX RBAC command, for example:

   # /usr/sbin/authadm add newauth

4. View the audit output file and search for the records on the authadm command by using the following command:

   # audisp /tmp/aud.out | fgrep authadm