HP UX Auditing System Extensions manual Configuring roles, Role, operation, object

Page 17

NTHREADS – The number of log files that compose an audit trail. The recommended value is the number of processors on a system divided by two.

Audevent settings – Arguments to the audevent command

AUDEVENT_ARGS1 describes those events that are audited for both success and failure.

AUDEVENT_ARGS2 describes those events that are success only.

AUDEVENT_ARGS3 describes those events that are failure only.

AUDEVENT_ARGS4 describes those events that are audited for neither success nor failure.

Audomon settings

AUDOMON_ARGS describes arguments to the audomon daemon.

Configuring roles

You can base auditing on HP-UX Role-Based Access Control (RBAC) criteria and the /etc/rbac/aud_filter file. HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify specific roles, operations, and objects for which to generate audit records. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, no audit records specific to role-to-authorization are generated.

Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role and authorization to be audited. Each authorization is specified in the form of operation, object pairs. All authorizations associated with a role must be specified in a single entry. You can specify only one authorization per role on each line; however, the wildcard character (*) is supported. The following are the supported entries and format for the /etc/rbac/aud_filter file:

role, operation, object

role – Any valid role defined in /etc/rbac/roles. If * is specified, the entry applies to all roles.

operation – A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, the entry applies to all operations.

object – The object the user can access. If * is specified, the entry applies to all objects.

The following are examples of /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects:

SecurityOfficer, hpux.passwd, /etc/passwd

Administrator, hpux.printer.add, *
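The matching rule above (a record is generated only when role, operation, and object all match an entry, with * as a wildcard) can be checked offline before editing the live file. The following is an added example, not HP's code: it parses aud_filter-style text and reports whether a given process attribute triple would be audited. It assumes one "role, operation, object" entry per line and glob-style wildcard semantics (so that hpux.printer.* covers hpux.printer.add and hpux.printer.delete), which is how the manual's examples read; the sample file content is constructed.

```python
"""Decide whether a (role, operation, object) triple would produce an audit
record under an /etc/rbac/aud_filter policy.

Added illustration, not HP-UX code.  Assumptions: one "role, operation, object"
entry per line, and '*' is a glob wildcard (fnmatch semantics), matching the
manual's 'hpux.printer.*' example.
"""
from fnmatch import fnmatchcase

# Constructed sample: the manual's two entries plus a wildcard-operation entry.
SAMPLE_AUD_FILTER = """\
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""


def parse_aud_filter(text):
    """Return a list of (role, operation, object) tuples.

    Blank lines are skipped; any other line must have exactly three
    non-empty comma-separated fields, otherwise ValueError is raised so a
    malformed filter is caught before it silently audits nothing.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(
                f"aud_filter line {lineno}: expected 'role, operation, object'")
        entries.append(tuple(fields))
    return entries


def is_audited(entries, role, operation, obj):
    """True only if some entry matches ALL three attributes of the process."""
    return any(
        fnmatchcase(role, r) and fnmatchcase(operation, op) and fnmatchcase(obj, o)
        for r, op, o in entries
    )


if __name__ == "__main__":
    policy = parse_aud_filter(SAMPLE_AUD_FILTER)
    print(is_audited(policy, "SecurityOfficer", "hpux.passwd", "/etc/passwd"))
    print(is_audited(policy, "SecurityOfficer", "hpux.passwd", "/etc/shadow"))
```

The second call prints False: the role and operation match the first entry but the object does not, so no role-to-authorization record is generated.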

Note

When HP-UX SMSE B.11.23.02 is used in conjunction with HP-UX RBAC (version B.11.23.04 or later) on HP-UX 11i v2, you can restrict the use of the userdbset command based on user authorizations.
