HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

The following is an example cmdprivadm command that configures the
/sbin/init.d/hpws_apache command to run only in the apache compartment, which is
defined by the /etc/cmpt/apache.rules compartment rule:
# cmdprivadm add cmd='/sbin/init.d/hpws_apache -a start' \
op=hpux.network.service.start object=apache compartment=apache
The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file, as
follows:
#---------------------------------------------------------------------------------------------------------------
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
#-------------------------:--------:------------------------------------:--------------:--------:-------:-------
/sbin/init.d/hpws_apache :start :(hpux.network.service.start,apache) :/// :apache :dflt :dflt :
After you create the entry with cmdprivadm and wrap the command with privrun,
authorized users can execute the /sbin/init.d/hpws_apache -start command, and it
will run only in the apache compartment. The compartment tag of the process is changed to
apache, and the process is thereafter governed by the rules defined for the apache compartment.
NOTE: Use only the cmdprivadm command to configure compartments for commands—do
not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.
To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry
and then add the updated version back in. When you use cmdprivadm to delete entries, the
arguments act as filters, not as an exact key. For example, the cmdprivadm delete op=foo
command removes every entry whose operation is foo, regardless of its command, object, or
compartment. Therefore, when you use cmdprivadm to delete entries, specify enough arguments
to uniquely identify the entries you intend to remove.
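Because cmdprivadm delete treats its arguments as filters, it is worth previewing which cmd_priv entries a given set of arguments would match before running the real command. The following POSIX shell script is an added example, not part of HP-UX or of this guide: it reads a constructed stand-in for /etc/rbac/cmd_priv (laid out like the entry shown above), applies the same filter semantics (an unspecified op, object, or compartment matches anything), and refuses to report a filter as safe unless it identifies exactly one entry. The function names and the sample entries for hpws_apache stop and hpws_tomcat are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: preview which /etc/rbac/cmd_priv entries a "cmdprivadm delete"
# filter would remove. Not HP-UX product code; the sample entries below are
# constructed for illustration and do not come from a real system.

# Constructed stand-in for /etc/rbac/cmd_priv (same column layout as the guide's example).
CMD_PRIV_SAMPLE='#------------------------------------------------------------------------------
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
#-------------------------:------:------------------------------------:----:------:----:----:---
/sbin/init.d/hpws_apache :start :(hpux.network.service.start,apache) :/// :apache :dflt :dflt :
/sbin/init.d/hpws_apache :stop :(hpux.network.service.stop,apache) :/// :apache :dflt :dflt :
/sbin/init.d/hpws_tomcat :start :(hpux.network.service.start,tomcat) :/// :tomcat :dflt :dflt :'

# cmd_priv_match [op] [object] [cmpt]
# Prints every non-comment entry whose operation, object and compartment match
# the given filters. An empty or missing filter matches anything, mirroring how
# cmdprivadm delete treats an argument you do not supply.
cmd_priv_match() {
    printf '%s\n' "$CMD_PRIV_SAMPLE" | awk -F: -v fop="$1" -v fobj="$2" -v fcmpt="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || NF < 8 { next }      # skip comment/header lines and malformed rows
        {
            auth = trim($3)                # third column is "(operation,object)"
            gsub(/[()]/, "", auth)
            split(auth, a, ",")
            op = a[1]; obj = a[2]; cmpt = trim($5)
            if ((fop == "" || op == fop) && (fobj == "" || obj == fobj) && (fcmpt == "" || cmpt == fcmpt))
                print
        }'
}

# cmd_priv_match_count [op] [object] [cmpt]
# Prints the number of entries the filter would hit.
cmd_priv_match_count() {
    cmd_priv_match "$@" | awk 'END { print NR }'
}

# check_unique_delete [op] [object] [cmpt]
# Returns 0 only when the filter identifies exactly one entry; use it as a
# guard before running "cmdprivadm delete" with the same arguments.
check_unique_delete() {
    n=$(cmd_priv_match_count "$@")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "filter matches $n entries; refine it before deleting" >&2
    return 1
}

# Demonstration: an operation-only filter hits two entries (apache and tomcat);
# adding the object narrows it to one.
cmd_priv_match hpux.network.service.start
check_unique_delete hpux.network.service.start || echo "op alone is not enough"
check_unique_delete hpux.network.service.start apache && echo "safe to delete"
```

In practice you would replace the embedded sample with the real file (for example, `cat /etc/rbac/cmd_priv`) and run check_unique_delete with exactly the op, object and compartment values you plan to pass to cmdprivadm delete; only if it reports a single match should the delete proceed.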
Configuring HP-UX RBAC to Generate Audit Trails
On traditional root-based systems, where multiple administrators on the same system share the
same root password, individual accountability is virtually impossible to achieve. Consequently,
proper analysis of a security-significant event is difficult—sometimes impossible. However,
recently introduced legislation—including the Health Insurance Portability and Accountability
Act (HIPAA) and Sarbanes-Oxley—has helped to highlight the importance of understanding
who did what and when. Because HP-UX RBAC provides the ability for commands to run with
elevated privileges, it is important that you configure HP-UX RBAC to generate the appropriate
audit trails.
The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands
each generate audit records. The following attributes are included in each audit record:
User name
UID
Role
Authorizations (operation, object)
Time of event
Result of event (success or failure)