HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
NOTE: Refer to “Auditing” for more information about auditing.
Auditing Based on HP-UX RBAC Criteria and the /etc/aud_filter File
NOTE: HP-UX RBAC Version B.11.23.01 does not support auditing based on the HP-UX RBAC
criteria and the /etc/rbac/aud_filter file.
HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific
HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to
identify specific roles, operations, and objects to generate audit records for. Audit records are
generated only if the attributes of a process match all three entries (role, operation, and object)
found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found
in the file or do not explicitly match, then no audit records specific to role-to-authorization are
generated.
Authorized users can edit /etc/rbac/aud_filter using an editor like vi and specify the role
and authorization to be audited. Each authorization is specified in the form of operation, object
pairs. All authorizations associated with a role must be specified in a single entry. Only one
authorization can be specified per role on each line—however, the * wildcard is supported. The
following are the supported entries and format for the /etc/rbac/aud_filter file:
role, operation, object
The following list explains each of the /etc/rbac/aud_filter entries:
role        Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation.
operation   A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, all operations can be accessed by the operation.
object      The object the user can access. If * is specified, all objects can be accessed by the operation.
The following are example /etc/rbac/aud_filter entries that specify how to generate audit
records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd),
and for the Administrator role with authorization to perform the hpux.printer.add operation
on all objects.
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX
RBAC administrative commands do not interface with /etc/rbac/aud_filter.
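The matching rule described above (an audit record is produced only when a process's role, operation and object all match one aud_filter entry, with * as the only documented wildcard) as an added worked example; this is illustrative code written for this guide, not an HP-UX utility. The sample file contents, the Operator role, the hpux.printer.delete operation and the comment/blank-line handling are constructed assumptions.

```python
"""Decide whether an HP-UX RBAC access check would be audited under /etc/rbac/aud_filter."""
from fnmatch import fnmatchcase

# Constructed sample in the documented "role, operation, object" format.
# The '#' comment line and the Operator entry are assumptions for this example.
SAMPLE_AUD_FILTER = """\
# constructed example, not a real system's filter file
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""


def parse_aud_filter(text):
    """Return a list of (role, operation, object) triples from filter-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comment handling is an assumption
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError("malformed aud_filter entry: %r" % raw)
        entries.append(tuple(fields))
    return entries


def field_matches(pattern, value):
    """'*' stands for any value, so hpux.printer.* covers hpux.printer.add.

    Only '*' is documented, so other glob characters are treated literally.
    """
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatchcase(value, escaped)


def is_audited(entries, role, operation, obj):
    """True only if one entry matches role, operation and object all at once.

    A partial match (right role, different object) yields no record,
    which is the behaviour the guide describes.
    """
    return any(
        field_matches(r, role) and field_matches(o, operation) and field_matches(ob, obj)
        for r, o, ob in entries
    )
```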
Procedure for Auditing HP-UX RBAC Criteria
The following steps describe how to configure an audit process to audit HP-UX RBAC criteria
on your system:
1. Configure the system to audit both Passed and Failed outcomes for the administrator event category by using
the following command:
# audevent -PFe administrator
2. Configure the location and name of the audit output file and enable auditing on the system
by using the following command:
Configuring HP-UX RBAC 45