HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)

rbac(5) rbac(5)
You can provide an audit filter database file (/etc/rbac/aud_filter), which
allows a user to specify the role and the authorization (operation, object)
to be audited. Role-to-authorization audit records will be generated only if
the caller's role and authorization match one of the entries in the
/etc/rbac/aud_filter database. If the audit filter database file does not
exist, or is not accessible, then the audit records will still be generated.
However, if the audit filter database file exists, but is empty, then no
audit records will be generated.
The following is an example of how to generate and display the audit records
for roleadm:

    # audevent -Pfe admin
    # audsys -f
    # audsys -n -c /tmp/aud.out -s 2048
    # roleadm add new_role_1
    # audsys -f
    # audisp /tmp/aud.out

Refer to audit(5), audevent(1M), audsys(1M), and audisp(1M) to learn more
about generating and displaying audit records.
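
The three filter states described above (file missing or inaccessible, file empty, file populated) can be checked with a short script. This is an added example, not part of the HP-UX manual page; the entry layout "role, operation, object" with exact matching, the function names, and the sample role and authorization are assumptions.

```shell
# Added example modelling the aud_filter rules stated in rbac(5).
# Assumption: one entry per line, "role, operation, object", exact match.

# Print which of the three documented states a filter file is in.
aud_filter_state() {
    f=$1
    if [ ! -e "$f" ] || [ ! -r "$f" ]; then
        echo unfiltered   # missing or inaccessible: records still generated
    elif [ ! -s "$f" ]; then
        echo silenced     # exists but empty: no records generated
    else
        echo filtered     # only matching role/authorization entries audited
    fi
}

# Return 0 if a role-to-authorization check would produce an audit record.
would_audit() {
    f=$1 role=$2 op=$3 obj=$4
    case $(aud_filter_state "$f") in
        unfiltered) return 0 ;;
        silenced)   return 1 ;;
    esac
    # Normalise "a, b, c" to "a,b,c", then look for the caller's exact triple.
    want="$role,$op,$obj"
    sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//' "$f" |
        grep -Fxq -- "$want"
}

# Constructed sample entry; the role and authorization names are illustrative.
demo="${TMPDIR:-/tmp}/aud_filter.demo.$$"
printf 'SecurityOfficer, hpux.passwd, /etc/passwd\n' > "$demo"
would_audit "$demo" SecurityOfficer hpux.passwd /etc/passwd && echo "audited"
: > "$demo"               # truncating the file silences these audit records
aud_filter_state "$demo"
rm -f "$demo"
```

A result of "silenced" on a production /etc/rbac/aud_filter is worth alerting on, since an empty file suppresses role-to-authorization audit records while a missing one does not.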

FILES
/etc/rbac/auths
    Database containing definitions of all valid authorizations.
/etc/rbac/cmd_priv
    Database containing the authorization to execute specified commands or
    edit specific files, and the privileges to alter UID and GID for command
    execution.
/etc/rbac/roles
    Database containing all valid definitions of all roles.
/etc/rbac/role_auth
    Database defining the authorizations and/or subroles for each role.
/etc/rbac/user_role
    Database specifying the roles for each specified user or UNIX group.
/etc/rbac/aud_filter
    Database containing a list of roles and associated authorizations to be
    audited.

SEE ALSO
authadm(1M), cmdprivadm(1M), privrun(1M), privedit(1M), rbacdbchk(1M), roleadm(1M), privileges(5),
compartments(5).
HP-UX 11i Version 2: December 2007 Update 6 Hewlett-Packard Company 349