HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
# audsys -n -c /tmp/aud.out -s 2048
3. Execute an HP-UX RBAC command, for example:
# /usr/sbin/authadm add newauth
4. Open the audit output file and search for the records on the authadm command by using
the following command:
# audisp /tmp/aud.out |fgrep authadm
5. (Optional) Disable auditing on the system by using the following command:
# audsys -f
NOTE: See audit(5), audevent(1m), audsys(1m), and audisp(1m) to learn more about auditing
HP-UX systems.
Using HP-UX RBAC
This section explains how to run the privrun and privedit commands to operate HP-UX
RBAC.
Using the privrun Command to Run Applications with Privileges
The privrun command enables a user to run legacy applications with different privileges,
according to the authorizations associated with the invoking user. The user invokes privrun,
specifying the legacy application as command line arguments. Next, privrun consults the
/etc/rbac/cmd_priv database to determine what authorization is required to run the command
with additional privileges. If the user has the necessary authorization, privrun invokes the
specified command after changing its UID and/or GID as specified in the /etc/rbac/cmd_priv
database.
The following is the privrun command syntax:
privrun [options] command [args]
    [-u eUID|username]
    [-g eGID|groupname]
    [-U rUID|username]
    [-G rGID|groupname]
    [-a (operation, object)]
    [-c compartment]
    [-p privilege[,privilege,privilege...]]
    [-x]
    [-v [-v]]
    [-h]
    [-t]
The following list explains each of the privrun command options:
-u
Matches only those entries containing the effective user ID (EUID) corresponding to the
specified EUID or the EUID associated with the username.
-g
Matches only those entries containing the effective group ID (EGID) corresponding to the
specified EGID or the EGID associated with the group name.
-U
Matches only those entries containing the real user ID (RUID) corresponding to the specified
RUID or the RUID associated with the username.
-G
Matches only those entries containing the real group ID (RGID) corresponding to the
specified RGID or the RGID associated with the group name.
46 HP-UX Role-Based Access Control
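The lookup that privrun performs against /etc/rbac/cmd_priv, and the way the -u, -g, -U and -G options narrow which entries are considered, can be followed in a small model. The following is an added illustration, not HP's privrun code: the entry layout (command:args:(operation,object):euid/egid/ruid/rgid), the USERS and GROUPS tables standing in for the passwd and group databases, the sample entries and the wildcard rule for authorizations are all constructed assumptions for this example; the real file format and matching rules are in cmd_priv(4) and privrun(1m).

```python
"""Model of privrun's cmd_priv lookup (added example, not HP-UX code).

Assumption: entries use a simplified layout
    command:args:(operation,object):euid/egid/ruid/rgid
where an empty id field means "no change for that id".
"""

# Constructed stand-ins for the passwd and group databases.
USERS = {"root": 0, "adm": 4, "oper": 101}
GROUPS = {"root": 0, "sys": 3, "adm": 4}

# Constructed cmd_priv-style entries (not a real /etc/rbac/cmd_priv).
CMD_PRIV = """\
# command:args:(operation,object):euid/egid/ruid/rgid
/usr/sbin/authadm:dflt:(hpux.security.access.auth,*):0/0//
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//
/usr/sbin/shutdown:-r:(hpux.admin.shutdown,*):0/3/0/3
/usr/bin/passwd:dflt:(hpux.security.passwd,*):0///
"""


def _to_id(value, table):
    """Resolve a numeric id or a name to an int; empty/None means 'unset'."""
    if value is None or value == "":
        return None
    if isinstance(value, int):
        return value
    if value.isdigit():
        return int(value)
    return table[value]


def parse_cmd_priv(text):
    """Parse the simplified entry layout into a list of dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd, args, auth, ids = line.split(":", 3)
        op, obj = auth.strip("()").split(",")
        euid, egid, ruid, rgid = ids.split("/")
        entries.append({
            "cmd": cmd, "args": args, "op": op, "obj": obj,
            "euid": _to_id(euid, USERS), "egid": _to_id(egid, GROUPS),
            "ruid": _to_id(ruid, USERS), "rgid": _to_id(rgid, GROUPS),
        })
    return entries


def _auth_ok(user_auths, op, obj):
    """Assumed wildcard rule: '*' matches anything, 'hpux.x.*' matches a prefix."""
    for uop, uobj in user_auths:
        op_ok = uop == "*" or uop == op or (
            uop.endswith(".*") and op.startswith(uop[:-1]))
        obj_ok = uobj == "*" or uobj == obj
        if op_ok and obj_ok:
            return True
    return False


def privrun_lookup(entries, command, user_auths, u=None, g=None, U=None, G=None):
    """Return the (euid, egid, ruid, rgid) the command would run with, or None.

    u/g/U/G mirror privrun's -u/-g/-U/-G: when given, only entries whose
    corresponding id equals the requested value are considered.
    """
    want = {"euid": _to_id(u, USERS), "egid": _to_id(g, GROUPS),
            "ruid": _to_id(U, USERS), "rgid": _to_id(G, GROUPS)}
    for e in entries:
        if e["cmd"] != command:
            continue
        if any(w is not None and e[k] != w for k, w in want.items()):
            continue  # entry does not carry the requested id
        if _auth_ok(user_auths, e["op"], e["obj"]):
            return (e["euid"], e["egid"], e["ruid"], e["rgid"])
    return None  # no entry matched, or the user lacks the authorization


if __name__ == "__main__":
    table = parse_cmd_priv(CMD_PRIV)
    oper = {("hpux.security.access.auth", "*")}
    print("authadm as oper:", privrun_lookup(table, "/usr/sbin/authadm", oper))
    print("useradd as oper:", privrun_lookup(table, "/usr/sbin/useradd", oper))
    print("authadm -U root:", privrun_lookup(table, "/usr/sbin/authadm", oper, U="root"))
```

Running the block shows a user holding only (hpux.security.access.auth, *) being granted the authadm entry (EUID 0, EGID 0) but denied useradd, and shows that adding -U root excludes the authadm entry because that entry sets no real UID.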