NTHREADS – The number of log files that compose an audit trail. The recommended value is the number of processors on a system divided by two.

Audevent settings – Arguments to the audevent command

AUDEVENT_ARGS1 describes those events that are audited for both success and failure.

AUDEVENT_ARGS2 describes those events that are success only.

AUDEVENT_ARGS3 describes those events that are failure only.

AUDEVENT_ARGS4 describes those events that are audited for neither success nor failure.

Audomon settings

AUDOMON_ARGS describes arguments to the audomon daemon.

Configuring roles

You can base auditing on HP-UX Role-Based Access Control (RBAC) criteria and the /etc/rbac/aud_filter file. HP-UX RBAC Version B.11.23.02 and later support the use of an audit filter file to identify specific HP-UX RBAC criteria to audit. You can create a filter file named /etc/rbac/aud_filter to identify specific roles, operations, and objects for which to generate audit records. Audit records are generated only if the attributes of a process match all three entries (role, operation, and object) found in /etc/rbac/aud_filter. If a user's role and associated authorization are not found in the file or do not explicitly match, no audit records specific to role-to-authorization are generated.

Authorized users can edit the /etc/rbac/aud_filter file using a text editor and specify the role and authorization to be audited. Each authorization is specified in the form of operation, object pairs. All authorizations associated with a role must be specified in a single entry. You can specify only one authorization per role on each line; however, the wildcard character (*) is supported. The following are the supported entries and format for the /etc/rbac/aud_filter file:

role, operation, object

role – Any valid role defined in /etc/rbac/roles. If * is specified, all roles can be accessed by the operation.

operation – A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Alternatively, hpux.printer.* is the operation of either adding or deleting a printer. If * is specified, all operations can be accessed by the operation.

object – The object the user can access. If * is specified, all objects can be accessed by the operation.

The following are examples of /etc/rbac/aud_filter entries that specify how to generate audit records for the role of SecurityOfficer with the authorization of (hpux.passwd, /etc/passwd), and for the Administrator role with authorization to perform the hpux.printer.add operation on all objects:

SecurityOfficer, hpux.passwd, /etc/passwd

Administrator, hpux.printer.add, *
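The matching rule described above (a record is generated only when role, operation and object all match an entry, with * as a wildcard), worked through as an added Python example that is not part of the manual or of HP-UX: it parses constructed aud_filter lines and reports whether a process's attributes would produce a role-to-authorization audit record. The comment-skipping and the "prefix.*" handling are assumptions of this simplified model, derived from the manual's hpux.printer.* example, not documented HP-UX behaviour.

```python
"""Model of HP-UX RBAC /etc/rbac/aud_filter matching (added example, not HP code)."""

# Constructed sample filter file, reusing the two entries shown in the manual.
SAMPLE_AUD_FILTER = """\
# role, operation, object
SecurityOfficer, hpux.passwd, /etc/passwd
Administrator, hpux.printer.add, *
"""


def parse_aud_filter(text):
    """Parse aud_filter text into a list of (role, operation, object) triples.

    Assumption: blank lines and lines starting with '#' are ignored; the
    manual documents only the 'role, operation, object' entry form.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"aud_filter line {lineno}: expected 'role, operation, object'")
        entries.append(tuple(fields))
    return entries


def field_matches(pattern, value):
    """Match one filter field against a process attribute.

    '*' alone matches anything; a trailing '.*' (e.g. hpux.printer.*) matches
    every operation below that prefix; anything else must match exactly.
    The prefix rule is an assumption modelled on the manual's hpux.printer.* example.
    """
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return value.startswith(pattern[:-2] + ".")
    return pattern == value


def would_audit(entries, role, operation, obj):
    """True only when some entry matches all three attributes, as the manual requires."""
    return any(
        field_matches(r, role) and field_matches(o, operation) and field_matches(ob, obj)
        for r, o, ob in entries
    )
```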

Note

When HP-UX SMSE B.11.23.02 is used in conjunction with HP-UX RBAC (version B.11.23.04 or later) on HP-UX 11i v2, you can restrict the use of the userdbset command based on user authorizations.
