Administrator's Guide

# grep hpux.user. /etc/rbac/cmd_priv
/usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupmod:dflt:(hpux.user.group.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/vipw:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
8.4.3 Planning Command Mappings
Identify any commands that the defined roles commonly use but that are not already
listed in the predefined /etc/rbac/cmd_priv file. The /etc/rbac/cmd_priv file defines
the mapping between authorizations and commands. Determine the following for each
command:
The full path of the command
The necessary authorization to check before running the command
Any special privileges needed by the command, for example, euid=0
The strings of text that constitute the operation and object entries in the
/etc/rbac/cmd_priv file are arbitrary, but they should correspond logically to a
command or set of commands. Consider the following guidelines when planning the
authorization to command mappings in /etc/rbac/cmd_priv:
Define operations into logical groups to easily assign the operations to roles.
Do not create operation branches with too many (more than 10) or too few (1) child
elements. The overall tree should not be overly wide, making it difficult to assign
groups of operations, or overly tall, with individual operation names that are long
and hard to use.
End the last element of an operation name with an action (verb).
Define operations so that new commands can be clearly placed when added.
See “Configuring Additional Command Authorizations and Privileges” for the procedure
to configure additional commands.
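The following script is an added example, not part of the HP-UX documentation or the RBAC product. It reads cmd_priv-style entries and checks them against the planning points above: every command is a full path, every entry carries a well-formed (operation,object) authorization, no operation branch has fewer than 2 or more than 10 children, and the last element of each operation name is an action word. The sample input is constructed: the hpux.user.* lines mirror the grep output shown earlier, while the acme.* entries and the relative-path entry are invented to exercise the checks. Reading the fourth field as uid/gid followed by two further slash-separated values, and leaving the trailing dflt fields uninterpreted, is an assumption made here; only the uid position is relied on, following the page's euid=0 remark. The action-word list is a heuristic to be replaced with the site's own naming vocabulary.

```python
"""Lint /etc/rbac/cmd_priv-style entries against the planning guidelines.

Added example, not HP code. SAMPLE_CMD_PRIV is constructed: the hpux.user.*
lines mirror the page, the acme.* and relative-path lines are invented.
"""
from collections import defaultdict

SAMPLE_CMD_PRIV = """\
# constructed sample, not a real /etc/rbac/cmd_priv
/usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupmod:dflt:(hpux.user.group.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/vipw:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
/opt/acme/bin/dbtool:dflt:(acme.db.maintenance,*):0/0//:dflt:dflt:dflt:
bin/acmectl:dflt:(acme.db.restart,*):0/0//:dflt:dflt:dflt:
"""

# Heuristic action vocabulary for the "end with a verb" guideline; extend per site.
ACTION_WORDS = {"add", "delete", "modify", "admin", "restart", "start",
                "stop", "view", "enable", "disable"}


def parse_entry(line):
    """Split one cmd_priv line into its fields; None for blank/comment lines.

    Layout used here (assumption): command:args:(operation,object):uid/gid/..:
    The trailing fields are kept verbatim in "rest" and not interpreted.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError("too few fields")
    auth = fields[2]
    if not (auth.startswith("(") and auth.endswith(")") and "," in auth):
        raise ValueError("authorization must look like (operation,object)")
    operation, obj = (s.strip() for s in auth[1:-1].split(",", 1))
    ids = fields[3].split("/")
    return {"command": fields[0], "args": fields[1], "operation": operation,
            "object": obj, "uid": ids[0], "gid": ids[1] if len(ids) > 1 else "",
            "rest": fields[4:]}


def operation_tree(entries):
    """Map every non-leaf operation prefix to the set of its direct children."""
    children = defaultdict(set)
    for e in entries:
        parts = e["operation"].split(".")
        for depth in range(1, len(parts)):
            children[".".join(parts[:depth])].add(parts[depth])
    return children


def lint(text, max_children=10, action_words=ACTION_WORDS):
    """Return (entries, findings); each finding is (check, subject, detail)."""
    entries, findings, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            e = parse_entry(line)
        except ValueError as err:
            findings.append(("malformed", lineno, str(err)))
            continue
        if e is None:
            continue
        entries.append(e)
        if not e["command"].startswith("/"):          # must be the full path
            findings.append(("relative_path", lineno, e["command"]))
        if e["command"] in seen:                      # same command mapped twice
            findings.append(("duplicate_command", lineno, e["command"]))
        seen[e["command"]] = lineno
        if e["operation"].rsplit(".", 1)[-1] not in action_words:
            findings.append(("no_action_suffix", lineno, e["operation"]))
    # Branch fan-out: not too few (1) and not too many (>max_children) children.
    for branch, kids in sorted(operation_tree(entries).items()):
        if len(kids) < 2 or len(kids) > max_children:
            findings.append(("fan_out", branch, len(kids)))
    return entries, findings


def privileged_commands(entries):
    """Commands that privrun would execute with uid 0 (the euid=0 case)."""
    return sorted({e["command"] for e in entries if e["uid"] == "0"})


if __name__ == "__main__":
    found_entries, found = lint(SAMPLE_CMD_PRIV)
    for f in found:
        print(*f)
    print("uid 0:", privileged_commands(found_entries))
```

Run against a copy of the real file with lint(open("/etc/rbac/cmd_priv").read()). On the sample, the hpux and acme roots are reported with a single child only because the excerpt shows one subtree of each; hpux.user.cache is the finding worth acting on, since a branch with a single child is exactly the shape the guideline warns against.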
8.4.4 HP-UX RBAC Limitations and Restrictions
Following is a list of items to consider before deploying HP-UX RBAC:
HP-UX RBAC does not operate in single-user mode, so the root account must remain
available for situations that require single-user mode.
Serviceguard does not support the use of HP-UX RBAC and privrun to grant access
to Serviceguard commands. See Section 8.6.1.1 for more information about HP-UX
RBAC and Serviceguard clusters.
As with all applications, HP-UX RBAC is subject to the rules that govern compartments
(see Chapter 6). Remember the following when using HP-UX RBAC with
Compartments:
8.4 Planning the HP-UX RBAC Deployment 153