HP-UX 11i Role-based Access Control (RBAC) Software: Procedure for Auditing HP-UX RBAC Criteria


NOTE: Refer to “Auditing” for more information about auditing.

Auditing Based on HP-UX RBAC Criteria and the /etc/rbac/aud_filter File

NOTE: HP-UX RBAC Version B.11.23.01 does not support auditing based on the HP-UX RBAC criteria and the /etc/rbac/aud_filter file.

HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify the roles, operations, and objects for which audit records are generated. An audit record is generated only if the attributes of a process match all three fields (role, operation, and object) of a single entry in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file, or do not match an entry exactly (taking wildcards into account), then no audit records specific to that role-to-authorization pairing are generated.

Authorized users can edit /etc/rbac/aud_filter using an editor like vi and specify the role and authorization to be audited. Each authorization is specified as an operation, object pair. Each role is given a single entry, and that entry specifies only one authorization, so use the * wildcard when an entry must cover more than one operation or object. The following is the supported format for each /etc/rbac/aud_filter entry:

role, operation, object

The following list explains each of the /etc/rbac/aud_filter fields:

role
    Any valid role defined in /etc/rbac/roles. If * is specified, the entry matches all roles.

operation
    A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer, and hpux.printer.* matches every printer operation, such as adding or deleting a printer. If * is specified, the entry matches all operations.

object
    The object the user can access, for example /etc/passwd. If * is specified, the entry matches all objects.

The following are example /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects.

SecurityOfficer, hpux.passwd, /etc/passwd

Administrator, hpux.printer.add, *

NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The HP-UX RBAC administrative commands do not interface with /etc/rbac/aud_filter.
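The entry format and the all-three-fields-must-match rule described above, demonstrated with a small parser and matcher. This is an added example, not code from the HP-UX RBAC product or from the guide: it reads a constructed copy of /etc/rbac/aud_filter, reports lines that do not have exactly three fields or that name a role absent from a constructed list standing in for /etc/rbac/roles (a useful check, since the RBAC administrative commands never validate this file), and answers whether a given (role, operation, object) triple would produce an audit record. It assumes that * matches any run of characters within a field and is the only wildcard; the guide documents only that * is supported. The sample data and the function names are the example's own.

```python
import re

# Constructed sample of /etc/rbac/aud_filter (not taken from a live system).
SAMPLE_AUD_FILTER = """\
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
Operator, hpux.printer.*, *
"""

# Constructed set of role names, standing in for the roles defined in /etc/rbac/roles.
SAMPLE_ROLES = {"Administrator", "SecurityOfficer", "Operator"}


def parse_aud_filter(text):
    """Parse aud_filter text into (role, operation, object) tuples.

    Returns (entries, errors). Malformed lines are reported rather than
    silently dropped: the RBAC administrative commands do not touch this file,
    so nothing else will flag a typo before the entry quietly fails to match.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            errors.append(f"line {lineno}: expected 'role, operation, object', got {raw!r}")
            continue
        entries.append(tuple(fields))
    return entries, errors


def undefined_roles(entries, known_roles):
    """Entries whose role is neither * nor one of the roles in /etc/rbac/roles."""
    return [e for e in entries if e[0] != "*" and e[0] not in known_roles]


def _field_matches(pattern, value):
    """Match one field.

    Assumption (not stated by the guide): * matches any run of characters and
    is the only wildcard, so 'hpux.printer.*' covers hpux.printer.add and
    hpux.printer.delete, while '?' and '[' are ordinary characters.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def would_audit(entries, role, operation, obj):
    """True if one entry matches all three attributes of the process.

    An entry that matches the role and operation but not the object does not
    count; the match must come from a single line.
    """
    return any(
        _field_matches(r, role) and _field_matches(o, operation) and _field_matches(b, obj)
        for r, o, b in entries
    )


if __name__ == "__main__":
    entries, errors = parse_aud_filter(SAMPLE_AUD_FILTER)
    for err in errors:
        print("aud_filter:", err)
    for role, _op, _obj in undefined_roles(entries, SAMPLE_ROLES):
        print(f"aud_filter: role {role!r} is not defined in /etc/rbac/roles")
    for probe in [
        ("SecurityOfficer", "hpux.passwd", "/etc/passwd"),
        ("SecurityOfficer", "hpux.passwd", "/etc/shadow"),
        ("Administrator", "hpux.printer.delete", "lp0"),
        ("Operator", "hpux.printer.delete", "lp0"),
    ]:
        print(probe, "->", "audited" if would_audit(entries, *probe) else "not audited")
```

Running the block shows the point of the three-field rule: SecurityOfficer changing /etc/passwd via hpux.passwd is audited, but the same role and operation against /etc/shadow is not, and Administrator's hpux.printer.add entry does not cover hpux.printer.delete, whereas Operator's hpux.printer.* entry does. To use the checks against a real system, feed the contents of /etc/rbac/aud_filter to parse_aud_filter and the role names from /etc/rbac/roles to undefined_roles.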

Procedure for Auditing HP-UX RBAC Criteria

The following steps describe how to configure an audit process to audit HP-UX RBAC criteria on your system:

1. Configure the system to audit both successful (-P) and failed (-F) events in the admin event category by using the following command:

# audevent -PFe admin

The audevent event category is named admin; it is a system audit event category, not the RBAC Administrator role.

2.Configure the location and name of the audit output file and enable auditing on the system by using the following command:

HP-UX 11i Security Containment Administrator's Guide, Copyright 2007 Hewlett-Packard Development Company, L.P.