HP-UX Role-Based Access Control B.11.31.05 Release Notes
2 New in HP-UX RBAC B.11.31.05
With HP-UX RBAC B.11.31.05, an authorized user can now generate "keystroke logs" for selected
users, as well as generate a log of commands invoked through RBAC without the need for the
HP-UX audit system. This section describes these new features:
• Keystroke logging
• Alternate logging
Keystroke Logging
In many situations, it is sufficient to simply log the set of privileged commands invoked by a user.
RBAC has supported this functionality since its initial release, using the HP-UX audit system.
There are some situations, however, where this coarse level of logging is insufficient. For example,
some legislative compliance regulations require that all actions performed by an
administrator be logged, not just the privileged actions. There are situations where it is desirable
to log only when certain files or objects are accessed. And there are situations where
selected users are granted "unconstrained root privileges", such as a root shell, under the caveat
that all of their actions are logged. Such users are granted maximum administrative flexibility.
HP-UX RBAC B.11.31.05 enhances the logging capability with keystroke logging. It provides a
PAM module that you can configure to log a user's entire terminal session, or relevant parts of
a session based on keyword "triggers". You can customize this keystroke logging policy to capture
session logs for particular users, roles, and groups. In order to enable this functionality, an
administrator must perform the following steps after installing the RBAC product depot:
1. Create an entry (or entries) in the PAM configuration file (/etc/pam.conf) including the
   keystroke library as a session module:

       login    session  optional  libpam_keystroke.so.1
       dtlogin  session  optional  libpam_keystroke.so.1
       sshd     session  optional  libpam_keystroke.so.1
       rcomds   session  optional  libpam_keystroke.so.1
       OTHER    session  optional  libpam_keystroke.so.1

   Note that this module may be configured for one or more services, depending on the intended
   effect of the logging. For more information on pam.conf and the syntax of the entries, see
   pam.conf(4).
2. Enable keystroke logging in /etc/rbac/rbac.conf:

       KEY_STROKE_LOGGING = 1

3. Create a keyfilter file under /etc/rbac specifying what users to log. For more information
on customizing specific policies, see key_filter(4m).
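As an added example that is not part of the HP-UX release notes, the following POSIX shell script checks that the edits from steps 1 and 2 are actually in place for a list of services: it looks for a session entry loading libpam_keystroke.so.1 in a pam.conf (falling back to the OTHER entry when a service has no session stack of its own, as pam.conf resolution does) and for KEY_STROKE_LOGGING = 1 in a rbac.conf. The pam.conf and rbac.conf fragments it writes are constructed samples; the assumption that "#" begins a comment in rbac.conf is mine. The keyfilter file of step 3 is not checked, because its syntax is defined in key_filter(4m) rather than on this page.

```shell
#!/bin/sh
# Added example, not part of the HP-UX release notes: verify that the
# configuration edits from steps 1 and 2 are present. Sample files are
# constructed; on a live system the paths are /etc/pam.conf and
# /etc/rbac/rbac.conf as named in the notes.

# pam_has_keystroke_session PAMCONF SERVICE
# Succeeds when SERVICE has a "session" entry whose module path ends in
# libpam_keystroke.so.1. If SERVICE has no session entries of its own,
# the OTHER entries are consulted instead.
pam_has_keystroke_session() {
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and malformed lines
        $2 != "session"      { next }   # only the session stack matters here
        $1 == svc     { explicit = 1; if ($4 ~ /libpam_keystroke\.so\.1$/) hit_svc = 1 }
        $1 == "OTHER" {               if ($4 ~ /libpam_keystroke\.so\.1$/) hit_other = 1 }
        END { ok = explicit ? hit_svc : hit_other; exit ok ? 0 : 1 }
    ' "$1"
}

# rbac_keystroke_enabled RBACCONF
# Succeeds when the last KEY_STROKE_LOGGING setting in the file is 1.
# Assumption: "#" starts a trailing comment.
rbac_keystroke_enabled() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        line ~ /^[ \t]*KEY_STROKE_LOGGING[ \t]*=[ \t]*1[ \t]*$/ { on = 1; next }
        line ~ /^[ \t]*KEY_STROKE_LOGGING[ \t]*=/               { on = 0 }
        END { exit on ? 0 : 1 }
    ' "$1"
}

# report_keystroke_config PAMCONF RBACCONF SERVICE...
# Prints one line per check; returns non-zero if any check fails.
report_keystroke_config() {
    pamconf=$1; rbacconf=$2; shift 2
    status=0
    if rbac_keystroke_enabled "$rbacconf"; then
        echo "rbac.conf: KEY_STROKE_LOGGING = 1"
    else
        echo "rbac.conf: KEY_STROKE_LOGGING not enabled"; status=1
    fi
    for svc in "$@"; do
        if pam_has_keystroke_session "$pamconf" "$svc"; then
            echo "pam.conf:  $svc sessions are keystroke-logged"
        else
            echo "pam.conf:  $svc sessions are NOT keystroke-logged"; status=1
        fi
    done
    return $status
}

# write_samples DIR: constructed pam.conf / rbac.conf fragments for the demo.
write_samples() {
    mkdir -p "$1"
    cat > "$1/pam.conf" <<'EOF'
# constructed sample: ftp has its own session stack without the module,
# telnetd has no session stack and therefore inherits the OTHER entry
login   session optional libpam_keystroke.so.1
sshd    session optional libpam_keystroke.so.1
ftp     session required libpam_unix.so.1
OTHER   session optional libpam_keystroke.so.1
EOF
    printf 'KEY_STROKE_LOGGING = 1   # constructed sample\n' > "$1/rbac.conf"
    printf 'KEY_STROKE_LOGGING = 0\n' > "$1/rbac_off.conf"
}

DEMO=${TMPDIR:-/tmp}/rbac_keystroke_demo.$$
write_samples "$DEMO"
report_keystroke_config "$DEMO/pam.conf" "$DEMO/rbac.conf" login sshd telnetd ftp \
    || echo "keystroke logging configuration is incomplete"
rm -rf "$DEMO"
```

Run against the real files with `report_keystroke_config /etc/pam.conf /etc/rbac/rbac.conf login dtlogin sshd rcomds`; a service that appears as NOT logged either has its own session stack without the module or is covered by neither an explicit entry nor OTHER.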
Once these steps are completed, subsequent access by the targeted users will cause a keystroke
log file to be generated and stored in the location specified in the /etc/rbac/rbac.conf file. Note
that if a user has privileged access to this location (for example, because they have been granted
a root shell), they may be able to modify these files. In this situation, HP recommends that
modification of the files be monitored (for example, by HP-UX Host IDS) or that the files be
periodically transferred off-host.
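The recommendation above is the point where a practitioner needs a concrete check. As an added example that is not part of the release notes, the POSIX shell script below records a cksum manifest of a keystroke-log directory once and later re-verifies it, reporting logs that were modified or removed (new logs are listed but are expected as sessions accumulate). The log directory, its contents and the manifest path are constructed; the manifest only has value if it is stored where the logged users cannot write, which on this page means monitoring by Host IDS or copying off-host.

```shell
#!/bin/sh
# Added example, not part of the HP-UX release notes: a minimal integrity
# check for a keystroke-log directory. The directory and its files are
# constructed stand-ins; on a real system the directory is the one named
# in /etc/rbac/rbac.conf and the manifest belongs off-host.

# manifest_create LOGDIR MANIFEST
# Writes one "crc size path" line per regular file, in a stable order.
manifest_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done > "$2"
}

# manifest_verify LOGDIR MANIFEST
# Recomputes the manifest and prints MODIFIED / MISSING / NEW lines.
# Returns 1 if any recorded file was modified or removed, 0 otherwise.
manifest_verify() {
    current=${TMPDIR:-/tmp}/manifest_current.$$
    manifest_create "$1" "$current"
    awk -v stored="$2" '
        {
            # cksum prints "crc size path"; keep any spaces inside the path
            path = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", path)
            if (FILENAME == stored) old[path] = $1; else new[path] = $1
        }
        END {
            bad = 0
            for (p in old) {
                if (!(p in new))           { print "MISSING  " p; bad = 1 }
                else if (old[p] != new[p]) { print "MODIFIED " p; bad = 1 }
            }
            for (p in new) if (!(p in old)) print "NEW      " p
            exit bad
        }
    ' "$2" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# make_sample_logs DIR: constructed stand-ins for keystroke log files.
make_sample_logs() {
    mkdir -p "$1"
    printf 'constructed sample session transcript for alice\n' > "$1/session-alice.log"
    printf 'constructed sample session transcript for bob\n'   > "$1/session-bob.log"
}

DEMO=${TMPDIR:-/tmp}/rbac_manifest_demo.$$
make_sample_logs "$DEMO/logs"
manifest_create "$DEMO/logs" "$DEMO/manifest"

# Reproduce the situation the notes warn about: a log edited and a log removed
# after the manifest was taken.
printf 'appended after the fact\n' >> "$DEMO/logs/session-alice.log"
rm -f "$DEMO/logs/session-bob.log"

manifest_verify "$DEMO/logs" "$DEMO/manifest" || echo "keystroke logs do not match the manifest"
rm -rf "$DEMO"
```

cksum is a CRC, so this detects accidental or casual edits but not a deliberate collision; a stronger digest can be substituted where one is available, and the manifest itself should leave the host as soon as it is written.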
Alternate Logging
In addition to the keystroke logging enhancements, HP-UX RBAC B.11.31.05 provides support
for the logging of access control events and RBAC-invoked commands. This functionality builds
on the support provided in previous versions of RBAC; the primary difference is that
it is no longer necessary to enable HP-UX auditing to generate RBAC logs. With this release, an
administrator may enable RBAC logging and specify the location of the alternate logging files
simply by editing the /etc/rbac/rbac.conf file. For more information on the specific
keyword/value pairs, see rbac_conf(4m).