HP UX 11i Role-based Access Control (RBAC) Software Configured rules are loaded into the kernel

Page 69

3.Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded into the kernel.

If the output of step 1 is different from the output of step 2, go on to step 4.

4.Execute the following command:

#setrules

The configured rules are loaded into the kernel.

Problem 2: A network interface on my compartment-enabled system is not accessible. Solution: All network interfaces must be configured in a compartment. To check whether your network interface is configured in a compartment, follow these steps:

1.Execute the following command:

# getrules

The getrules command displays the valid compartment rules in the kernel. Check the output for rules configuring the network interface.

If there are rules configuring the network interface in a compartment, go on to step 2 to check the rules syntax for errors.

If there are no rules for the network interface, go on to step 2.

2.Execute the following command:

# setrules -p

The setrules command with the -poption displays all rules configured on the system, including rules that have not been loaded into the kernel.

If no rules are configured on the system, configure appropriate network interface rules. Refer to “Network Rules” for network rules syntax.

The setrules -pcommand also checks for syntax errors. If there is a syntax error in your network interface rules, modify your rules as described in “Modifying Compartment Configuration”.

3.Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded into the kernel.

If the output of step 2 displays rules for the network interface that were not present in the output of step 1, go on to step 4.

4.Execute the following command:

#setrules

The configured rules are loaded into the kernel.

Problem 3: Access to a file is not functioning properly. Solution: If multiple hard links point to

this file, the compartment rules configuration may contain inconsistent rules for accessing the file. To check for inconsistencies, follow these steps:

1.Execute the following command:

#vhardlinks

If the output shows an inconsistency, go on to step 2.

2.Modify the rules to remove the inconsistency. Follow the procedure described in “Modifying Compartment Configuration”.

Problem 4: Network server rules do not appear in getrules output. Solution: Because of the way rules are managed internally, network server rules for a given compartment can be listed in the target compartment output of the getrules command.

For example:

/* telnet compartment rule to allow incoming telnet requests through compartment labeled ifacelan0 */

Troubleshooting Compartments 69

Page 68 Page 70
Image 69
Page 68 Page 70
Contents HP-UX 11i Security Containment Administrators Guide Copyright 2007 Hewlett-Packard Development Company, L.P Table of Contents Fine-Grained Privileges Index Page List of Figures Page List of Tables Page List of Examples Page Intended Audience About This DocumentNew and Changed Information in This Edition Publishing HistoryTypographic Conventions HP-UX Release Name and Release IdentifierUserInput Related Information HP Encourages Your CommentsHP-UX 11i Releases Page HP-UX 11i Security Containment Introduction AuthorizationConceptual Overview Account Policy ManagementDefined Terms Features and BenefitsIsolation AuditingFeatures Benefits Installation Installing HP-UX 11i Security ContainmentPrerequisites and System Requirements # swlist -d @ /tmp/securitycontainmentbundle.depot Verifying the HP-UX 11i Security Containment Installation# swverify SecurityExt # swlist -a state -l fileset SecurityExtVerifying the HP-UX Role-Based Access Control Installation Installing HP-UX Role-Based Access ControlInstalling HP-UX Standard Mode Security Extensions # swverify RbacUninstalling HP-UX Rbac Uninstalling HP-UX 11i Security Containment# swverify TrustedMigration # swlist -a state -l fileset TrustedMigrationUninstalling HP-UX Standard Mode Security Extensions # swremove Rbac# swremove TrustedMigration Page HP-UX Role-Based Access Control HP-UX Rbac Versus Other Rbac SolutionsOverview Access Control Basics Simplifying Access Control with RolesExample of Authorizations Per User HP-UX Rbac Components Example of Authorizations Per RoleHP-UX Rbac Configuration Files HP-UX Rbac Access Control Policy SwitchHP-UX Rbac Commands HP-UX Rbac Configuration FilesHP-UX Rbac Manpages HP-UX Rbac CommandsHP-UX Rbac Architecture HP-UX Rbac ManpagesHP-UX Rbac Architecture HP-UX Rbac Example Usage and OperationPlanning Authorizations for the Roles Planning the HP-UX Rbac DeploymentPlanning the Roles HP-UX Rbac Limitations and Restrictions Planning Command MappingsConfiguring HP-UX Rbac Configuring Roles Creating RolesExample Planning Results Configuring Authorizations Assigning Roles to UsersAssigning Roles to Groups Configuring Additional Command Authorizations and Privileges Is mainly intended for scripts Hierarchical Roles Example Roles Configuration in HP-UX Rbac B.11.23.02Overview Examples of Hierarchical RolesExample 3-1 The authadm Command Syntax Changes to the authadm Command for Hierarchical RolesExample 3-2 Example of the authadm Command Usage Hierarchical Roles ConsiderationsConfiguring HP-UX Rbac with Fine-Grained Privileges Configuring HP-UX Rbac with Compartments CommandMatches the following /etc/rbac/cmdpriv entries GID Configuring HP-UX Rbac to Generate Audit TrailsProcedure for Auditing HP-UX Rbac Criteria Following is the privrun command syntax Using HP-UX Rbac# privrun ipfstat HP-UX Rbac in Serviceguard Clusters Customizing privrun and privedit Using the Acps Troubleshooting HP-UX Rbac Rbacdbchk Database Syntax ToolPrivrun -v Information Fine-Grained Privileges Commands CommandsFine-Grained Privileges Fine-Grained Privileges ComponentsManpages Available PrivilegesFine-Grained Privileges Manpages Available PrivilegesOr launch policy Configuring Applications with Fine-Grained PrivilegesPrivilege Model Compound Privileges# setfilexsec options filename Troubleshooting Fine-Grained Privileges Fine-Grained Privileges in HP Serviceguard ClustersSecurity Implications of Fine-Grained Privileges Privilege Escalation# getprocxsec options pid Compartment Architecture CompartmentsCompartment Architecture Planning the Compartment Structure Default Compartment ConfigurationActivating Compartments Modifying Compartment Configuration# setrules -p # cmpttune -eCompartment Components Compartment Configuration FilesChanging Compartment Rules Changing Compartment NamesCompartment Configuration Files Compartment CommandsCompartment Commands Compartment ManpagesCompartment Rules and Syntax Compartment DefinitionFile System Rules Permissionlist IPC RulesIPC mechanism in the current compartment Network RulesAccess Interface Miscellaneous RulesConfiguring Applications in Compartments Troubleshooting CompartmentsExample Rules File # vhardlinks Configured rules are loaded into the kernelDo not configure standby LAN interfaces in a compartment Compartments in HP Serviceguard ClustersStandard Mode Security Extensions Configuration Files Configuring Systemwide AttributesSecurity Attributes and the User Database System Security AttributesCommands AttributesManpages Troubleshooting the User Database Configuring Attributes in the User DatabaseAuditing Auditing ComponentsAuditing Your System Audit CommandsPlanning Your Auditing Implementation Enabling AuditingAUDEVENTARGS1 = -P -F -e admin -e login -e moddac # audevent -P -F -e admin -e login -e moddacMonitoring Audit Files #audsys -n -c primaryauditfile -sAuditing Users Guidelines for Administering Your Auditing SystemPerformance Considerations #audsys -fAuditing Events Audevent command optionsStreamlining Audit Log Data # /usr/sbin/userdbset -u user-nameAUDITFLAG=1Self-auditing processes Audit Log FilesConfiguring Audit Log Files Viewing Audit Logs#/usr/sbin/audisp auditfile Examples of Using the audisp Command Page Index SymbolsSecurity attribute defining
Related manuals
Manual 10 pages 36.76 Kb
Top Page Image Contents