Administrator's Guide

• which modules are consulted for making access decisions
• the sequence in which the modules are consulted
• the rules for combining module responses to return results to applications
See Section 8.3.1, and acps.conf(4), acps(3), and rbac(5) for more information about
the ACPS.
8.6.4 Generating Keystroke and Command Logs
An authorized user can generate "keystroke logs" for selected users, as well as generate
a log of commands invoked through RBAC without the need for the HP-UX audit system.
This section describes these features:
• Keystroke logging
• Alternate logging
8.6.4.1 Keystroke Logging
In many situations, it is sufficient to simply log the set of privileged commands invoked by
a user. RBAC has supported this functionality since its initial release, through the HP-UX
audit system. There are some situations, however, where this coarse level of logging is
insufficient. For example, some legislative compliance regulations require that all actions
performed by an administrator be logged, not just the privileged actions. There are
situations where it is desirable to log only when certain files or objects are accessed.
And there are situations where selected users are granted "unconstrained root privileges",
such as a root shell, under the caveat that all of their actions are logged. These uses are
granted maximum administrative flexibility.
Keystroke logging enhances this logging capability. RBAC provides a PAM module that
you can configure to log a user's entire terminal session, or only the relevant parts of a
session, based on keyword "triggers". You can customize this keystroke logging policy to
capture session logs for particular users, roles, and groups. To enable this functionality,
an administrator must perform the following steps after installing the RBAC product depot:
1. Create an entry (or entries) in the PAM configuration file (/etc/pam.conf) including
   the keystroke library as a session module:

       login    session  optional  libpam_keystroke.so.1
       dtlogin  session  optional  libpam_keystroke.so.1
       sshd     session  optional  libpam_keystroke.so.1
       rcomds   session  optional  libpam_keystroke.so.1
       OTHER    session  optional  libpam_keystroke.so.1

   Note that this module may be configured for one or more services, depending on
   the intended effect of the logging. For more information on pam.conf and the
   syntax of the entries, see pam.conf(4).
2. Enable keystroke logging in /etc/rbac/rbac.conf:
8.6 Using HP-UX RBAC 167
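The pam.conf step above is easy to get subtly wrong: the module must be listed with the session module type, and a service that has its own session stack no longer falls through to the OTHER entry. The following audit script is an added example, not part of the HP-UX guide or the RBAC product. It parses the four-field pam.conf format (service, module type, control flag, module path, optional options) and reports, for each of the services named in the guide, whether libpam_keystroke.so.1 is in effect as a session module. The sample configuration embedded in it is constructed for illustration; the fall-through rule (OTHER applies only to a service with no entries of that module type) is the standard pam.conf semantics and is the assumption the check relies on.

```python
"""Audit an HP-UX style /etc/pam.conf for the RBAC keystroke session module.

Added example, not code from the HP-UX guide. Checks that
libpam_keystroke.so.1 is loaded as a *session* module for the services the
guide lists, taking the OTHER fall-through rule into account.
"""

KEYSTROKE_MODULE = "libpam_keystroke.so.1"

# Services covered by the guide's example entries; OTHER is the catch-all.
EXPECTED_SERVICES = ("login", "dtlogin", "sshd", "rcomds", "OTHER")

# Constructed sample (not a real HP-UX file). sshd has its own session
# stack without the keystroke module, and rcomds lists the module under the
# wrong type (auth) while also having its own session stack: both are gaps.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf
login    auth     required  libpam_unix.so.1
login    session  optional  libpam_keystroke.so.1
dtlogin  session  optional  libpam_keystroke.so.1
sshd     auth     required  libpam_unix.so.1
sshd     session  required  libpam_unix.so.1
rcomds   auth     optional  libpam_keystroke.so.1
rcomds   session  required  libpam_unix.so.1
OTHER    session  optional  libpam_keystroke.so.1   debug
"""


def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path, options) tuples.

    Comments (# to end of line) and blank lines are ignored; lines with fewer
    than four fields are malformed and skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, flag, path = fields[:4]
        entries.append((service, mtype.lower(), flag.lower(), path, fields[4:]))
    return entries


def keystroke_session_services(entries):
    """Services that explicitly load the keystroke module as a session module."""
    return {svc for svc, mtype, _flag, path, _opts in entries
            if mtype == "session" and path.endswith(KEYSTROKE_MODULE)}


def audit(text, expected=EXPECTED_SERVICES):
    """Map each expected service to True (keystroke session logging in effect)
    or False (gap).

    Assumed pam.conf semantics: OTHER is consulted only for a service that has
    no entries of its own for that module type. A service with its own session
    stack must therefore list the module itself.
    """
    entries = parse_pam_conf(text)
    explicit = keystroke_session_services(entries)
    own_session_stack = {svc for svc, mtype, *_ in entries if mtype == "session"}
    other_covers = "OTHER" in explicit
    result = {}
    for svc in expected:
        if svc in explicit:
            result[svc] = True
        elif svc not in own_session_stack and other_covers:
            result[svc] = True   # falls through to the OTHER session stack
        else:
            result[svc] = False
    return result


def gaps(text, expected=EXPECTED_SERVICES):
    """Sorted list of expected services without keystroke session logging."""
    return sorted(svc for svc, ok in audit(text, expected).items() if not ok)


if __name__ == "__main__":
    # Run against the constructed sample; point at /etc/pam.conf on a real host.
    for svc, ok in audit(SAMPLE_PAM_CONF).items():
        print(f"{svc:8s} {'ok' if ok else 'MISSING keystroke session module'}")
```

Run as-is it reports login, dtlogin and OTHER as covered and flags sshd and rcomds; on a real host, replace the sample with the contents of /etc/pam.conf. The rcomds case is the one to watch for: the module is present in the file, but under the auth type, so it never records the session.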