The following is an example cmdprivadm command that configures the /sbin/init.d/hpws_apache command to run only in the apache compartment, which is defined by the /etc/cmpt/apache.rules compartment rule:

# cmdprivadm add cmd='/sbin/init.d/hpws_apache -a start' \
    op=hpux.network.service.start object=apache compartment=apache

The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file, as follows:

#---------------------------------------------------------------------------------------------------------------
# Command                 : Args   :Authorizations                      :U/GID         :Cmpt    :Privs  :Auth   :Flags
#-------------------------:--------:------------------------------------:--------------:--------:-------:-------:
/sbin/init.d/hpws_apache  :start   :(hpux.network.service.start,apache) :///           :apache  :dflt   :dflt   :

After you create the entry with cmdprivadm and wrap the command with privrun, authorized users can execute the /sbin/init.d/hpws_apache -start command, and it will run only in the apache compartment. The compartment tag of the process is changed to apache, and the properties of the process follow the rules defined for the apache compartment.

NOTE: Use only the cmdprivadm command to configure compartments for commands—do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.

To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, the arguments act as filters: every entry that matches all of the supplied arguments is removed. For example, the cmdprivadm delete op=foo command removes all entries in which the operation is foo. Therefore, when you use cmdprivadm to delete entries, be careful to specify enough arguments to uniquely identify the entries to be removed.
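To make the cmd_priv record layout and the filter semantics of delete concrete, the following Python simulation is added here; it is not HP's cmdprivadm and never touches a real /etc/rbac/cmd_priv. It parses the colon-separated record format shown above, then applies a delete whose keyword arguments act as filters, so you can see that delete(op=...) alone removes every entry with that operation while adding object=... narrows the match to one entry. The second record (/sbin/init.d/hpws_tomcat) and the delete-then-add modify step are constructed for the demonstration, and the parser assumes no field contains a literal colon.

```python
"""Simulation (not HP's cmdprivadm) of /etc/rbac/cmd_priv parsing and
filter-based deletion, to show why a delete needs enough arguments."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Field order of one cmd_priv record, as in the file header:
#   Command : Args : Authorizations : U/GID : Cmpt : Privs : Auth : Flags
FIELDS = ("cmd", "args", "auths", "ugid", "cmpt", "privs", "auth", "flags")

# Constructed sample file. The first record is the page's example; the
# tomcat record is invented to share the same operation.
SAMPLE_CMD_PRIV = """\
#--------------------------------------------------------------------------------------
# Command                 : Args :Authorizations                      :U/GID :Cmpt   :Privs :Auth :Flags
#-------------------------:------:------------------------------------:------:-------:------:-----:
/sbin/init.d/hpws_apache  :start :(hpux.network.service.start,apache) :///   :apache :dflt  :dflt :
/sbin/init.d/hpws_tomcat  :start :(hpux.network.service.start,tomcat) :///   :tomcat :dflt  :dflt :
"""


@dataclass(frozen=True)
class CmdPrivEntry:
    cmd: str
    args: str
    auths: str   # "(operation,object)" exactly as written in the file
    ugid: str
    cmpt: str
    privs: str
    auth: str
    flags: str

    @property
    def op(self) -> str:
        """Operation half of the (operation,object) authorization pair."""
        return self.auths.strip("()").split(",", 1)[0]

    @property
    def object(self) -> str:
        """Object half of the (operation,object) authorization pair."""
        return self.auths.strip("()").split(",", 1)[1]

    def to_line(self) -> str:
        """Serialize back into the colon-separated record format."""
        return ":".join(getattr(self, f) for f in FIELDS)


def parse_cmd_priv(text: str) -> List[CmdPrivEntry]:
    """Parse cmd_priv text; '#' lines are comments/headers and are skipped.
    Assumption: fields never contain a literal ':' (true for the page's example)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed cmd_priv record: {line!r}")
        entries.append(CmdPrivEntry(*parts))
    return entries


def delete_entries(entries: List[CmdPrivEntry],
                   **filters: str) -> Tuple[List[CmdPrivEntry], List[CmdPrivEntry]]:
    """Filter-style delete: an entry is removed when it matches ALL filters.
    Filter keys are the record attributes (cmd, args, op, object, cmpt, ...).
    Returns (kept, removed)."""
    def matches(e: CmdPrivEntry) -> bool:
        return all(getattr(e, key) == value for key, value in filters.items())

    removed = [e for e in entries if matches(e)]
    kept = [e for e in entries if not matches(e)]
    return kept, removed


def modify_entry(entries: List[CmdPrivEntry], changes: Dict[str, str],
                 **selector: str) -> List[CmdPrivEntry]:
    """Modify = delete-then-add, as the page describes. Refuses to proceed
    unless the selector identifies exactly one entry, which is the check a
    careful operator performs by hand before running cmdprivadm delete."""
    kept, removed = delete_entries(entries, **selector)
    if len(removed) != 1:
        raise ValueError(f"selector matched {len(removed)} entries, expected 1")
    return kept + [replace(removed[0], **changes)]


def underspecified_delete_counts() -> Tuple[int, int]:
    """Number of records removed by op-only vs op+object filters."""
    entries = parse_cmd_priv(SAMPLE_CMD_PRIV)
    _, broad = delete_entries(entries, op="hpux.network.service.start")
    _, narrow = delete_entries(entries, op="hpux.network.service.start", object="apache")
    return len(broad), len(narrow)


if __name__ == "__main__":
    broad, narrow = underspecified_delete_counts()
    print(f"delete op=... removed {broad} entries; op=... object=apache removed {narrow}")
    for e in modify_entry(parse_cmd_priv(SAMPLE_CMD_PRIV), {"cmpt": "apache2"},
                          cmd="/sbin/init.d/hpws_apache"):
        print(e.to_line())
```

The modify_entry guard (exactly one match, else refuse) is the behaviour to reproduce operationally: before a real cmdprivadm delete, confirm the filter arguments match only the record you intend to replace.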

Configuring HP-UX RBAC to Generate Audit Trails

On traditional root-based systems, where multiple administrators on the same system share the same root password, individual accountability is virtually impossible to achieve. Consequently, proper analysis of a security-significant event is difficult—sometimes impossible. However, recently introduced legislation—including the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley—has helped to highlight the importance of understanding who did what and when. Because HP-UX RBAC provides the ability for commands to run with elevated privileges, it is important that you configure HP-UX RBAC to generate the appropriate audit trails.

The privrun, privedit, roleadm, authadm, and cmdprivadm HP-UX RBAC commands each generate audit records. The following attributes are included in each audit record:

User name

UID

Role

Authorizations (operation, object)

Time of event

Result of event (success or failure)

44 HP-UX Role-Based Access Control
