NOTE: Refer to “Auditing” for more information about auditing.
Auditing Based on
NOTE:
Authorized users can edit /etc/rbac/aud_filter using an editor like vi and specify the role and authorization to be audited. Each authorization is specified in the form of operation, object pairs. All authorizations associated with a role must be specified in a single entry. Only one authorization can be specified per role on each
role, operation, object
The following list explains each of the /etc/rbac/aud_filter entries:
role | Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be |
| accessed by the operation. |
operation | A specific operation that can be performed on an object. For example, |
| hpux.printer.add is the operation of adding a printer. Alternatively, |
| hpux.printer.* is the operation of either adding or deleting a printer. If * is |
| specified, all operations can be accessed by the operation. |
object | The object the user can access. If * is specified, all objects can be accessed by the |
| operation. |
The following are example /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects.
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
NOTE: Use an editor such as vi to directly edit the /etc/rbac/aud_filter file. The
Procedure for Auditing HP-UX RBAC Criteria
The following steps describe how to configure an audit process to audit
1.Configure the system to audit Passed or Failed events for the Administrator events by using the following command:
# audevent
2.Configure the location and name of the audit output file and enable auditing on the system by using the following command:
Configuring
