White Paper
NTHREADS – The number of log files that compose an audit trail. The recommended value is the
number of processors on a system divided by two.
• Audevent settings – Arguments to the audevent command
– AUDEVENT_ARGS1 describes those events that are audited for both success and failure.
– AUDEVENT_ARGS2 describes those events that are success only.
– AUDEVENT_ARGS3 describes those events that are failure only.
– AUDEVENT_ARGS4 describes those events that are audited for neither success nor failure.
• Audomon settings
– AUDOMON_ARGS describes arguments to the audomon daemon.
Configuring roles
You can base auditing on HP-UX Role-Based Access Control (RBAC) criteria and the
/etc/rbac/aud_filter file. HP-UX RBAC Version B.11.23.02 and later support the use of an
audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named
/etc/rbac/aud_filter to identify specific roles, operations, and objects for which to generate
audit records. Audit records are generated only if the attributes of a process match all three entries
(role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated
authorization are not found in the file or do not explicitly match, no audit records specific to role-to-authorization are generated.
Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role
and authorization to be audited. Each authorization is specified in the form of operation, object pairs.
All authorizations associated with a role must be specified in a single entry. You can specify only one
authorization per role on each line; however, the wildcard character (*) is supported. The following
are the supported entries and format for the /etc/rbac/aud_filter file:
role, operation, object
• role – Any valid role defined in /etc/rbac/roles. If * is specified, the entry matches all roles.
• operation – A specific operation that can be performed on an object. For example,
hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the
operation of either adding or deleting a printer. If * is specified, the entry matches all operations.
• object – The object the user can access. If * is specified, the entry matches all objects.
The following are examples of /etc/rbac/aud_filter entries that specify how to generate audit
records for the role of SecurityOfficer with the authorization of (hpux.passwd,
/etc/passwd), and for the Administrator role with authorization to perform the
hpux.printer.add operation on all objects:
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
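As an added illustration (not from the white paper or from HP's own implementation), the following Python models the matching rule described above: an audit record is generated only when a filter entry matches the process's role, operation and object, with * as a wildcard. The reading of a trailing .* on an operation as a dotted-prefix wildcard, the extra Operator entry, and the object names used in the checks are assumptions.

```python
"""Constructed example: evaluate /etc/rbac/aud_filter-style entries.

A record is generated only when one entry matches ALL three attributes
(role, operation, object). '*' matches anything. A trailing '.*' on an
operation (e.g. hpux.printer.*) is treated here as a dotted-prefix
wildcard, which is an assumption about the format, not HP's code.
"""

# Constructed filter content in the page's "role, operation, object" shape.
AUD_FILTER = """
# role, operation, object
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""


def parse_aud_filter(text):
    """Return (role, operation, object) tuples; skip blank and '#' lines.

    Malformed lines raise ValueError so a typo cannot silently disable
    auditing for a role.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected 'role, operation, object': {raw!r}")
        entries.append(tuple(fields))
    return entries


def _field_matches(pattern, value):
    """Exact match, full wildcard '*', or assumed dotted-prefix wildcard 'x.y.*'."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return value.startswith(pattern[:-1])   # 'hpux.printer.' prefix
    return pattern == value


def should_audit(entries, role, operation, obj):
    """True only if some entry matches role AND operation AND object."""
    return any(
        _field_matches(r, role) and _field_matches(o, operation) and _field_matches(t, obj)
        for r, o, t in entries
    )
```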
Note
When HP-UX SMSE B.11.23.02 is used in conjunction with HP-UX RBAC
(version B.11.23.04 or later) on HP-UX 11i v2, you can restrict the use of
the userdbset command based on user authorizations.