Manualshelf

HP-UX Containers (SRP) A.03.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Containers (SRP)
111112113114115116117118119120
112
One method to reduce the number of unrelated audit entries is to disable auditing for all
users, then enable auditing for the user ID used to execute the application. Next, configure
auditing for failed attempts for common file and IPC operations.
For example:
audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
-e ipcclose -s kill
18.3.2 Verifying RBAC data
Use the following procedures to verify RBAC configuration data:
Use the authadm command to verify the authorization information configured for the
container:
authadm list object=container_name
For the admin service, you will see the following entry:
SRPadmin-container_name: (hpux.SRPadmin.container_name,container_name)
For the login service, you will see the following entry:
SRPlogin-container_name: (hpux.security.compartment.login, container_name)
Alternatively, you can enter the following commands to view the authorization information:
authadm list operation=hpux.SRPadmin.container_name
authadm list operation=hpux.security.compartment.login \
object=container_name
To verify the users and user groups assigned to the roles used by the container, enter the
following commands:
roleadm list role=SRPadmin-container_name
roleadm list role=SRPlogin-container_name
To verify command privileges, view the /etc/rbac/cmd_priv file. If you configured the
init service for a container, you will see an entry authorizing execution of the srp_rc
script for an authorization granted to the container administrator as follows:
/opt/hpsrp/bin/util/srp_rc:dflt:(hpux.SRPadmin.container_name,*):0/0//:cont
ainer_name:dflt:dflt
You can also use the rbacdbchk utility to verify the contents of the RBAC database.
18.3.3 Verifying PRM data
Use the prmlist and prmmonitor commands to verify that the PRM configuration is loaded for the
group used by the container (the default PRM group name is the container name).
For example, the prmlist -g -s command displays configuration information for PRM groups (-
g) and the PRM group for each Security Containment compartment (-s):
# prmlist -g -s
PRM configured from file: /etc/prmconf
File last modified: Tue Oct 14 12:57:58 2008
CPU CPU LCPU
PRM Group PRMID Entitlement Max Attr
__________________________________________________________________
EntDir 2 29.17% 80%
MktDB 65536 12.50%
MktWeb 3 21.88% 45%
OTHERS 1 21.88%
SRP2 4 14.58% 25%