HP-UX 11i Security Containment Administrator's Guide Version B.11.23.
© Copyright 2007 Hewlett-Packard Development Company, L.P.

Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About This Document

This document describes how to install, configure, and troubleshoot HP-UX 11i Security Containment on HP-UX 11i Version 2.

Intended Audience

This document is intended for system administrators responsible for installing, configuring, and managing HP-UX 11i Security Containment. Administrators are expected to have knowledge of HP-UX 11i v2 operating system concepts, commands, and configuration. It is helpful to have knowledge of UNIX security concepts, commands, and protocols.
Chapter 1, “HP-UX 11i Security Containment Introduction”: Use this chapter to learn about the security containment features and how those features work together to secure your HP-UX 11i v2 system.
Chapter 2, “Installation”: Use this chapter to plan and execute the installation of the full HP-UX 11i Security Containment product or individual security containment components.
Chapter 3, “HP-UX Role-Based Access Control”.
Table 2 HP-UX 11i Releases

Release Identifier   Release Name                             Supported Processor Architecture
B.11.11              HP-UX 11i v1                             PA-RISC architecture
B.11.20              HP-UX 11i v1.5                           Intel® Itanium® architecture
B.11.22              HP-UX 11i v1.6                           Intel® Itanium® architecture
B.11.23              HP-UX 11i v2                             Intel® Itanium® architecture
B.11.23              HP-UX 11i v2 September 2004 and later    PA-RISC and Intel® Itanium® architecture

Related Information

You can find additional information about HP-UX 11i Security Containment at http://www.docs.hp.
1 HP-UX 11i Security Containment Introduction

This chapter contains overview information about the features of HP-UX 11i Security Containment. It addresses the following topics:
• “Conceptual Overview”
• “Defined Terms”
• “Features and Benefits”

Conceptual Overview

HP-UX 11i Security Containment uses three core technologies: compartments, fine-grained privileges, and role-based access control.
program to be set to the superuser using the setuid command. This allows the program great latitude in reading and modifying system resources. Privileges break up the latitude of the superuser into many different levels. The fine-grained privileges feature of HP-UX 11i Security Containment implements the concept of privileges.

Isolation

Compartments are a method of isolating components of a system from one another.
Features

HP-UX 11i Security Containment Version B.11.23.02 includes the following components:
• Compartments
  Compartments isolate unrelated resources on a system, to prevent catastrophic damage to the system if one compartment is penetrated. When configured in a compartment, an application has restricted access to resources (processes, binaries, data files, and communication channels used) outside its compartment.
Benefits

Using HP-UX 11i Security Containment to secure your system offers the following benefits:
• Integrated security
  You can use HP-UX Standard Mode Security Extensions in combination with the new security containment features to enhance the security of your HP-UX systems.
• Fewer users who need full superuser access to systems
  Using HP-UX RBAC, you can give users specific administrator-level privileges on a system without giving those users full superuser access.
2 Installation

This chapter contains the information you need to install and remove HP-UX 11i Security Containment, HP-UX Role-Based Access Control, and Standard Mode Security Extensions.
IMPORTANT: The HP-UX 11i Security Containment feature includes HP-UX RBAC as one of its components. If you install the HP-UX 11i Security Containment feature on a system that has HP-UX RBAC on it as an independent software unit, you must reconfigure HP-UX RBAC before you can use it with the fine-grained privileges and compartments components of HP-UX 11i Security Containment.
Installing HP-UX Role-Based Access Control

The following procedure describes how to install only HP-UX RBAC from the HP-UX 11i Security Containment bundle. To download and install HP-UX RBAC as a separate product, refer to the HP-UX RBAC Version B.11.23.04 Release Notes on http://docs.hp.com. To download and install the full HP-UX 11i Security Containment feature set, refer to “Installing HP-UX 11i Security Containment”.
1. Be sure your system meets all requirements, as described in “Prerequisites and System Requirements”.
2. Download the HP-UX 11i Security Containment bundle from Software Depot, as described in “Installing HP-UX 11i Security Containment”.
3. Log on to your system as the root user.
4. Install HP-UX Standard Mode Security Extensions by using the following command:
   # swinstall -x autoreboot=true -s /tmp/.depot TrustedMigration PHCO_32144 PHCO_32163 PHCO_32451
5.
1. Log in to your system as the root user.
2. Remove HP-UX RBAC by using the following command:
   # swremove RBAC
3. Use the swlist command to verify that HP-UX RBAC was removed from the system. The swlist command will not report HP-UX RBAC if it was removed from the system.

NOTE: You must remove HP-UX 11i Security Containment before you remove HP-UX RBAC or HP-UX SMSE, or you must remove all components at the same time.
3 HP-UX Role-Based Access Control

The information in this chapter describes HP-UX Role-Based Access Control (HP-UX RBAC). This chapter addresses the following topics:
• “Overview”
• “Access Control Basics”
• “HP-UX RBAC Components”
• “Planning the HP-UX RBAC Deployment”
• “Configuring HP-UX RBAC”
• “Using HP-UX RBAC”
• “Troubleshooting HP-UX RBAC”

Overview

Security—especially platform security—has always been an important issue for enterprise infrastructure.
Access Control Basics

The goal of an access control system is to limit access to resources based on a set of constraints. Typically, these constraints and their associated attributes fit into the following categories:
• Subject: The entity attempting to access the resource. In the context of an operating system, the subject is commonly a user or a process associated with a user.
• Operation: An action performed on a resource. An operation can correspond directly to an application or a command.
HP-UX RBAC addresses these issues by grouping users with common authorization needs into roles. Roles serve as a grouping mechanism to simplify authorization assignment and auditing. Rather than assigning an authorization directly to a user, you assign authorizations to roles. As you add users to the system, you assign them a set of roles, which determine the actions they can perform and the resources they can access.
Access Control Policy Switch (ACPS): Determines whether a subject is authorized to perform an operation on an object.
Access Control Policy Module: Evaluates HP-UX RBAC database files and applies mapping policies to service access control requests.
Management commands: Edit and validate HP-UX RBAC database files.
Table 3-4 HP-UX RBAC Commands

Command    Description
privrun    Invokes legacy application with privileges after performing authorization checks and optionally re-authenticating the user.
privedit   Allows authorized users to edit files that are under access control.
roleadm    Edits role information in the /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles files.
authadm    Edits authorization information in the /etc/rbac/role_auth and /etc/rbac/roles files.
Figure 3-1 HP-UX RBAC Architecture (diagram showing the privilege wrapper commands privrun and privedit, access-control aware applications, the Access Control Policy Switch (ACPS) with its API and SPI, the local RBAC ACPM and other policy ACPMs, PAM service modules and the Name Service Switch, and the RBAC databases)
1. A process, specifically a shell, associated with the user executes privrun with the goal of executing a target command with elevated privilege.
2. The target command line (command and arguments) is explicitly passed to privrun, and the UID of the invoking user is implicitly passed via the process context.
3. privrun attempts to find a match (or set of matches) within the /etc/rbac/cmd_priv database for the specified command line.
1. List the system commands commonly used by each role.
2. Compare the target commands from step 1 against the supplied sample /etc/rbac/cmd_priv database.
3. If you find matching entries after performing the previous steps, use those entries as a guide for assigning authorizations.

For example, assume one of your desired roles is UserOperator, which commonly runs such commands as useradd, usermod, userdel, and so on.
— For example, if a compartment is configured to disallow privileges, this specification prevents privrun from providing the privileges to the application in that compartment because privrun does not have the privileges itself. Note that by default, sealed compartments are configured to disallow the POLICY compound privilege. For privrun to invoke another application in a compartment, privrun must assert the CHANGECMPT privilege.
Table 3-6 Example Planning Results

Users                Roles             Authorizations (Note: Objects Assumed to Be *)   Typical Commands
chandrika, rwang     UserOperator      hpux.user.*, hpux.security.*                     /usr/sbin/useradd, /usr/sbin/usermod
bdurant, prajessh    NetworkOperator   hpux.network.*                                   /sbin/init.d/inetd
luman                Administrator     hpux.*, company.customauth                       /opt/customcmd

Step 1: Configuring Roles

Configuring roles for users is a two-step process:
1. Create roles.
2. Assign roles to users or groups.
NOTE: The default configuration files delivered with HP-UX RBAC contain a single preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX system authorizations (hpux.*, *) and is associated with the root user. After defining valid roles, you can assign them to one or more users or UNIX groups. Attempting to assign a role that has not been created to users will display an error message indicating that the role does not exist.
commands because it can be difficult to determine the target of an action from the command name. An example of this object ambiguity is the /usr/sbin/passwd command. The passwd command can operate on a number of repositories, for example, the /etc/passwd file, an NIS table, and an LDAP entry. You cannot determine the actual object by looking at the command line, so it is typically easiest to require that the user have the operation on all objects, for example: (hpux.security.passwd.change, *).
Use the cmdprivadm command to edit a command's authorization and privilege information. The cmdprivadm command works in a similar fashion to roleadm and authadm, but cmdprivadm has fewer sub-operations: only addition and removal.
NOTE: See cmdprivadm(1M) for information on all of the cmdprivadm arguments. Most arguments are optional and are filled in with reasonable defaults if nothing is specified. NOTE: To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries where the operation is foo.
Table 3-8 Example Roles Configuration Using Hierarchical Roles in HP-UX RBAC B.11.23.03

Role                     Authorizations
Administrator            UserOperator, NetworkOperator, (hpux.security.*, *)
UserOperator             (hpux.user.*, *)
NetworkOperator          NetworkServiceOperator, (hpux.network.device.*, *)
NetworkServiceOperator   (hpux.network.service.*, *)

Changes to the authadm Command for Hierarchical Roles

In HP-UX RBAC B.11.23.
Also be aware that circular role definitions are not allowed. For example, assigning RoleA to RoleB, RoleB to RoleC, and RoleC to RoleA, is not allowed. The authadm command will detect an attempt to perform such a circular definition and will report an error.

Configuring HP-UX RBAC with Fine-Grained Privileges

NOTE: HP-UX RBAC Version B.11.23.01 does not support the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature.
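The hierarchical role behavior described above (Table 3-8 and the circular-definition check) can be modeled offline when planning a deployment. The following Python code is an added example, not HP code and not a parser for the real /etc/rbac files: the role data is constructed from Table 3-8, the user names are borrowed from Table 3-6, hpux.network.service.start is a sample operation name, and the trailing-wildcard matching rule is an assumption.

```python
# Constructed model of hierarchical roles; names follow Table 3-8.
# role -> (sub-roles, directly assigned (operation, object) authorizations)
ROLES = {
    "Administrator": (["UserOperator", "NetworkOperator"],
                      [("hpux.security.*", "*")]),
    "UserOperator": ([], [("hpux.user.*", "*")]),
    "NetworkOperator": (["NetworkServiceOperator"],
                        [("hpux.network.device.*", "*")]),
    "NetworkServiceOperator": ([], [("hpux.network.service.*", "*")]),
}

# Constructed user -> role assignments (user names taken from Table 3-6).
USER_ROLES = {
    "chandrika": ["UserOperator"],
    "bdurant": ["NetworkOperator"],
    "luman": ["Administrator"],
}


def find_cycle(roles):
    """Return the role names forming a circular definition, or None."""
    state = {}   # role -> "open" while on the DFS path, "done" afterwards
    path = []

    def visit(role):
        state[role] = "open"
        path.append(role)
        for sub in roles.get(role, ([], []))[0]:
            if state.get(sub) == "open":          # back edge: cycle found
                return path[path.index(sub):] + [sub]
            if sub not in state:
                found = visit(sub)
                if found:
                    return found
        path.pop()
        state[role] = "done"
        return None

    for role in roles:
        if role not in state:
            found = visit(role)
            if found:
                return found
    return None


def effective_auths(role, roles):
    """Authorizations held by a role, including those of its sub-roles."""
    cycle = find_cycle(roles)
    if cycle:
        raise ValueError("circular role definition: " + " -> ".join(cycle))
    seen, auths, todo = set(), set(), [role]
    while todo:
        current = todo.pop()
        if current in seen or current not in roles:
            continue
        seen.add(current)
        subs, direct = roles[current]
        auths.update(direct)
        todo.extend(subs)
    return auths


def matches(pattern, value):
    """Assumed wildcard rule: '*' matches anything, 'a.b.*' matches below a.b."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def is_authorized(user, operation, obj, user_roles=USER_ROLES, roles=ROLES):
    """True if any role of the user grants (operation, obj)."""
    for role in user_roles.get(user, []):
        for op_pat, obj_pat in effective_auths(role, roles):
            if matches(op_pat, operation) and matches(obj_pat, obj):
                return True
    return False


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, is_authorized(user, "hpux.network.service.start", "*"))
```
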
fine-grained privilege and without UID=0 if the user has the (hpux.adm.mount, *) authorization. As described in “Using the privrun Command to Run Applications with Privileges”, the privrun -p command option matches only the entries in the /etc/rbac/cmd_priv database file that have the privileges specified by the -p option.
The following is an example cmdprivadm command that configures the /sbin/init.d/hpws_apache command to run only in the apache compartment, which is defined by the /etc/cmpt/apache.rules compartment rule:

# cmdprivadm add cmd='/sbin/init.d/hpws_apache -a start' \
op=hpux.network.service.
NOTE: Refer to “Auditing” for more information about auditing.

Auditing Based on HP-UX RBAC Criteria and the /etc/aud_filter File

NOTE: HP-UX RBAC Version B.11.23.01 does not support auditing based on the HP-UX RBAC criteria and the /etc/rbac/aud_filter file.

HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit.
   # audsys -n -c /tmp/aud.out -s 2048
3. Execute an HP-UX RBAC command, for example:
   # /usr/sbin/authadm add newauth
4. Open the audit output file and search for the records on the authadm command by using the following command:
   # audisp /tmp/aud.out | fgrep authadm
5. (Optional) Disable auditing on the system by using the following command:
   # audsys -f

NOTE: See audit(5), audevent(1m), audsys(1m), and audisp(1m) to learn more about auditing HP-UX systems.
-a -c -p -x -v -h -t Matches only those entries requiring the specified authorization. Authorization is defined as (operation, object) pairs in the /etc/rbac/cmd_priv database file. The specified authorization must exactly match the authorization present in the /etc/rbac/cmd_priv file—wildcards are not supported. Matches the specified compartment in the /etc/rbac/cmd_priv database file. The specified compartment must exactly match the compartment present in /etc/rbac/cmd_priv.
NOTE: Refer to the privrun(1m) and rbac(5) manpages for more about using the privrun command.

HP-UX RBAC in Serviceguard Clusters

Serviceguard does not support the use of HP-UX RBAC and privrun to grant access to Serviceguard commands. Serviceguard version A.11.16 implemented its own Role-Based Access Control by specifying Access Control Policies through package and cluster configuration files, providing cluster-aware policies for Serviceguard operations.
NOTE: When you use privedit to invoke an editor to edit a file, the editor does not run with any elevated privileges. Because the editor privedit invokes does not run with elevated privileges, any attempted actions, such as shell escapes, run with the user's typical (non-elevated) privilege set. You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi.
Refer to “HP-UX RBAC Access Control Policy Switch”, and acps.conf(4), acps(3), and rbac(5) for more information about the ACPS.

Troubleshooting HP-UX RBAC

The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX RBAC:
• The rbacdbchk utility verifies HP-UX RBAC database syntax.
• The privrun -v command reports additional and relevant information.
4 Fine-Grained Privileges This chapter describes the fine-grained privileges feature of HP-UX 11i Security Containment.
Manpages

Table 4-2 “Fine-Grained Privileges Manpages” briefly describes the fine-grained privileges manpages.

Table 4-2 Fine-Grained Privileges Manpages

Manpage           Description
privileges(5)     Overview of HP-UX privileges.
privileges(3)     Describes fine-grained privileges interfaces.
setfilexsec(1M)   Describes setfilexsec functionality and syntax.
getfilexsec(1M)   Describes getfilexsec functionality and syntax.
getprocxsec(1M)   Describes getprocxsec functionality and syntax.
Table 4-3 Available Privileges (continued)

Privilege         Description
PRIV_LIMIT        Allows a process to set resource and priority limits beyond the maximum limit values.
PRIV_LOCKRDONLY   Allows a process to set the locks of files with read-only permissions.
PRIV_MKNOD        Allows a process to create character or block special files using mknod(2).
PRIV_MLOCK        Allows a process to access the plock system call.
PRIV_MOUNT        Allows a process to mount and unmount a file system.
applications using HP-UX RBAC, refer to “Configuring HP-UX RBAC with Fine-Grained Privileges”. TIP: HP recommends you use HP-UX RBAC to configure applications that require variable privileges to run, depending on who is running the application.
The following are compound privileges:
• BASIC
  Basic privileges available to all processes.
• BASICROOT
  Privileges that provide powers usually associated with UID=0. These privileges together replace the power of root.
• POLICY
  Policy override privileges and policy configuration privileges. Policy override privileges override compartment rules. Policy configuration privileges control the configuration of fine-grained privileges.
Next, add the privilege attributes you want assigned to the file. Refer to setfilexsec(1M) for more information about troubleshooting fine-grained privileges. Problem 2: A process has privileges it should not have, or does not have privileges it should have. Solution: Run the following command to determine what privileges a process has: # getprocxsec [options] [pid] The following options are available with the getprocxsec command: -p -e -r pid Displays permitted privileges for the process.
5 Compartments

This chapter describes the compartments feature of HP-UX 11i Security Containment. This chapter addresses the following topics:
• “Overview”
• “Planning the Compartment Structure”
• “Modifying Compartment Configuration”
• “Compartment Components”
• “Compartment Rules and Syntax”
• “Activating Compartments”
• “Troubleshooting Compartments”
• “Compartments in HP Serviceguard Clusters”

Overview

Compartments are a method of isolating components of a system from one another.
Figure 5-1 Compartment Architecture (diagram showing the server_parent and server_children compartments, their handler processes, IPC and signal relationships, read and write access to /var/opt/server and its logs, and the network interface lan)

In Figure 5-1 “Compartment Architecture”, the parent process is configured in a compartment, compartment A.
Default Compartment Configuration

When you enable the compartments feature, a default compartment named INIT is created. When you boot up the system, the init process belongs to this compartment. The INIT compartment is defined to have access to all other compartments. The INIT compartment is not defined in a compartment rules file.
• Create a single compartment configuration file for each software component. This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily. • Some software products are shipped with compartment rules already configured. Avoid modifying these rules. Before you make modifications to shipped compartment configurations, be sure you understand the existing configuration.
You can add new compartment rules, delete unneeded rules, and modify existing rules. You can also change the names of existing compartments. To modify your compartment configuration, follow these steps:

Changing Compartment Rules

1. (Optional) Make temporary backup copies of the configuration files you plan to modify. Either put these files outside the /etc/cmpt directory or omit the .rules suffix. Doing this lets you easily revert to your starting point if an editing problem occurs.
Table 5-1 Compartment Configuration Files

Configuration File                     Description
/etc/cmpt                              The directory in which compartment rules files reside.
/etc/cmpt/*.rules                      The file containing the compartment rules configured for the system.
/etc/cmpt/hardlinks/hardlinks.config   The file containing valid mount points to be scanned to check the consistency of compartment rules for files with multiple hardlinks pointing to them.
Compartment Rules and Syntax

A compartment consists of a name and a set of rules. This section describes the four types of compartment rules:
• File system rules
• IPC rules
• Network rules
• Miscellaneous rules

Add rules to a rules file you create in the /etc/cmpt directory. You can edit this file using vi or a similar text editor. Your rules file must have a .rules extension. Refer to compartments(5) for additional information.
For example:

/* deny all permissions except read to entire system */
perm read /
/* except for this directory */
perm read,write,create,unlink /var/opt/server
/* just read and write log files, not create them */
perm read,write /var/opt/server/logs

permission or perm
    Sets permissions for a file or directory.
permission_list
    The types of permission you can apply to a file or directory are:
    • none: Denies all permissions to a file or directory.
    • read: Controls the read access to the object.
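The file system rules in the example above can be checked before they are loaded by resolving sample paths against them. The following Python code is an added example, not HP code: it parses only the perm lines shown on this page, accepts only the permission names visible here, and assumes, as the comments in the example imply, that a rule on a directory covers everything beneath it until a more specific rule overrides it. Symbolic links and hard links are not modeled.

```python
import posixpath
import re

# The rules from the example on this page, embedded as sample input.
RULES_TEXT = """
/* deny all permissions except read to entire system */
perm read /
/* except for this directory */
perm read,write,create,unlink /var/opt/server
/* just read and write log files, not create them */
perm read,write /var/opt/server/logs
"""

# Permission names that appear on this page; other names are rejected.
KNOWN_PERMS = {"none", "read", "write", "create", "unlink"}


def parse_perm_rules(text):
    """Return {path: frozenset(permissions)} for the perm lines in text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip /* ... */
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] not in ("perm", "permission") or len(fields) != 3:
            raise ValueError("not a file system rule: %r" % line)
        perms = set(fields[1].split(","))
        unknown = perms - KNOWN_PERMS
        if unknown:
            raise ValueError("unknown permission(s): %s" % sorted(unknown))
        if "none" in perms:
            # This example refuses to guess what 'none' mixed with
            # other permissions would mean.
            if len(perms) > 1:
                raise ValueError("'none' combined with other permissions")
            perms = set()
        path = fields[2].rstrip("/") or "/"
        rules[path] = frozenset(perms)
    return rules


def effective_perms(rules, path):
    """Permissions from the most specific rule covering an absolute path.

    Returns None when no rule covers the path; what the system does in
    that case is not modeled here.
    """
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    while True:
        candidate = "/" + "/".join(parts)
        if candidate in rules:
            return rules[candidate]
        if not parts:
            return None
        parts.pop()   # walk up one directory, on component boundaries


if __name__ == "__main__":
    loaded = parse_perm_rules(RULES_TEXT)
    for sample in ("/etc/passwd", "/var/opt/server/spool/job1",
                   "/var/opt/server/logs/access.log", "/var/opt/server2/data"):
        print(sample, sorted(effective_perms(loaded, sample)))
```
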
/* allow the children to access UNIX domain */
/* sockets created by the parent compartment */
grant uxsock server_children

Access
    Specifies whether the rule is object-centric or subject-centric. The options are:
    • grant: Specifies an object-centric rule. This rule allows processes in the compartment compartment_name to access the specified IPC mechanism in the current compartment.
    • access: Specifies a subject-centric rule.
process, which can run in a different compartment. Access checks are performed on the compartment containing the endpoint when the endpoint was created, not the current compartment. Additionally, the endpoint passes its compartment configuration to accepting endpoints when it receives new connections. INET domain endpoints are frequently used for interprocess communications. Be sure to configure your compartments accordingly.
Protocol Specifies the networking protocol that applies to this rule. The options are: • tcp: This rule applies to the TCP protocol. • udp: This rule applies to the UDP protocol. • raw: This rule applies to any other protocol in the INET domain. The protocol number specified for this rule. The protonum option is relevant only for raw specification. (Optional) Specifies that this rule applies to a specific port. Identifies the port specified in this rule.
For example:

/* Disallow all privileges except mount. */
disallowed privileges all,!mount
/* Disallow mount only. */
disallowed privileges none,mount

disallowed privileges
    Specifies this as a privilege limitation rule.
A comma-separated list of privileges.
3. Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded into the kernel. If the output of step 1 is different from the output of step 2, go on to step 4.
4. Execute the following command:
   # setrules
   The configured rules are loaded into the kernel.

Problem 2: A network interface on my compartment-enabled system is not accessible.

Solution: All network interfaces must be configured in a compartment.
grant server tcp port 23 ifacelan0

If this rule is specified, it appears listed under the ifacelan0 compartment output of getrules.

ACCESS         PROTOCOL   SRCPORT   DESPORT   DESCMPT
Grant client   tcp        0         23        telnet

Compartments in HP Serviceguard Clusters

If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments.
6 Standard Mode Security Extensions

This chapter describes the Standard Mode Security Extensions features of HP-UX 11i Security Containment. This chapter addresses the following topics:
• “Overview”
• “Security Attributes and the User Database”
• “Auditing”

Overview

HP-UX Standard Mode Security Extensions (HP-UX SMSE) is a group of features that combine to enhance both user and operating system security for HP-UX 11i v2.
Security Attributes and the User Database

Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis, which override systemwide defaults.

System Security Attributes

A security attribute defines how to control security configurations, such as passwords, logins, and auditing. The security attributes description file, /etc/security.
Table 6-1 User Database Configuration Files

File              Description
/var/adm/userdb   Stores most per-user information.

Commands

Table 6-2 “User Database Commands” briefly describes the commands you can use to modify and administer entries in the user database.

Table 6-2 User Database Commands

Command     Description
userdbset   Changes attribute values configured in the user database.
userdbget   Displays attribute values configured in the user database.
Table 6-4 User Database Manpages

Manpage         Description
userdb(4)       Provides an overview of the use of the user database.
userdbset(1M)   Describes userdbset functionality and syntax.
userdbget(1M)   Describes userdbget functionality and syntax.
userdbck(1M)    Describes userdbck functionality and syntax.
userstat(1M)    Describes the userstat functionality and syntax.
Commands

Table 6-5 “Audit Commands” contains a brief description of each auditing command.

Table 6-5 Audit Commands

Command     Description
audevent    Changes or displays event or system call status.
audisp      Displays the audit records.
audomon     Sets the audit file monitoring and size parameters.
audsys      Starts and stops auditing; sets and displays audit file or directory information.
userdbset   Selects users to be audited by specifying the AUDIT_FLAG=1 option.
1. Configure the users you want to audit using the userdbset command. For more information on configuring auditing for users, refer to “Auditing Users”.
2. Configure the events you want to audit using the audevent command. For example, to configure the admin, login, and moddac events for auditing, enter the following command:
   # audevent -P -F -e admin -e login -e moddac
   Use the audevent command with no options to display a list of events and system calls that are currently configured for auditing.
3. Set the audit log file monitor arguments in the /etc/rc.config.d/auditing file. Set the same values you used in step 2.
4. (Optional) Stop system auditing using the following command:
   # audsys -f
5. (Optional) Set the AUDIT flag to 0 in the /etc/rc.config.d/auditing file to keep the auditing system from starting at the next system reboot.

Performance Considerations

Auditing increases system overhead. When performance is a concern, be selective about what events and users are audited.
1. Deselect auditing for all users by setting the AUDIT_FLAG=0 in the /etc/default/security file.
2. Configure auditing for a specific user using the following command:
   # /usr/sbin/userdbset -u user-name AUDIT_FLAG=1

If the audit system is not already enabled, use the audsys -n command to start the auditing system. Auditing changes take effect at the user's next login.

Auditing Events

An event is an action with security implications, such as creating a file, opening a file, or logging in to the system.
processes are programmed to suspend auditing of the actions they invoke and produce one audit log entry describing the process that occurred. Processes programmed in this way are called self-auditing programs; using self-auditing programs streamlines audit log data. You can turn off self-auditing programs by turning off auditing on the system. NOTE: The list of self-auditing processes varies from system to system.
NOTE: If the primary audit log continues to grow past the FSS point, a system-defined parameter, minfree, can be reached. All auditable actions are suspended for regular users at this point. Restore the system to operation by archiving the audit data, or specifying a new audit log file on a file system with space.
-e process-name > file-name Displays all events for a specific process. Writes output to specified file. It can take a few minutes to prepare the record for viewing when working with large audit logs. When viewing your audit data, be aware of the following anomalies: • • • Audit data can appear inaccurate when programs that call auditable system calls supply incorrect parameters. The audit data shows what the user program passed to the kernel.