Administrator's Guide

KEY_STROKE_LOGGING = 1
3. Create a keyfilter file under /etc/rbac specifying what users to log. For more
information on customizing specific policies, see key_filter(4m).
Once these steps are completed, subsequent access by the targeted users will cause a
keystroke log file to be generated and stored in the location specified in the
/etc/rbac/rbac.conf file. Note that if a user has privileged access to this location
(for example, they are granted a root shell), they may be able to modify these files. In
this situation, HP recommends that modification of the files be monitored (for example,
by HP-UX Host IDS) or that they periodically be transferred off-host.
NOTE: The keystroke logging feature does not currently work with Secure Shell (SSH)
login.
8.6.4.2 Alternate Logging
The alternate logging feature enables you to log access control events and RBAC-invoked
commands. It is no longer necessary to enable HP-UX auditing to generate RBAC logs.
An administrator can enable RBAC logging and specify the location of the alternate
logging files simply by editing the /etc/rbac/rbac.conf file. For more information
on the specific keyword/value pairs, see rbac_conf(4m).
Alternate logging works identically to audit logging and may be configured using the
/etc/rbac/aud_filter file. The traditional RBAC audit log generation continues to
work. If both auditing and alternate logging are enabled, two sets of logs will be
generated.
8.7 Troubleshooting HP-UX RBAC
The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX
RBAC:
The rbacdbchk utility verifies HP-UX RBAC database syntax.
The privrun -v command reports additional and relevant information.
8.7.1 The rbacdbchk Database Syntax Tool
The most common bugs are caused by manual editing of the HP-UX RBAC databases,
resulting in syntactically invalid configurations or in configurations that are inconsistent
between databases (for example, a role in /etc/rbac/user_role that is not defined
in /etc/rbac/roles). To assist in diagnosing these common mistakes, HP-UX RBAC
includes an rbacdbchk command. This command reads through the HP-UX RBAC
databases and prints warnings where incorrect or inconsistent configuration entries are
found:
# rbacdbchk
[/etc/rbac/user_role] chandrika: UserOperator
invalid user
The value 'chandrika' for the Username field is bad.
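The following is an added example, not HP's rbacdbchk: a small POSIX shell check in the same spirit, run against constructed sample copies of the databases. It assumes user_role lines of the form "user: Role" and roles lines of the form "Role: description", and validates usernames against a passwd-style file.

```sh
#!/bin/sh
# Added example, not HP's rbacdbchk. Assumed formats: user_role lines are
# "user: Role", roles lines are "Role: description"; users are validated
# against a passwd-style file (first field).

rbac_check() {
    user_role=$1
    roles=$2
    passwd=$3
    problems=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        user=$(printf '%s' "${line%%:*}" | sed 's/[[:space:]]*$//')
        role=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        # The username must exist in the passwd file.
        if ! awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$passwd"; then
            printf '[%s] %s: %s\n  invalid user\n' "$user_role" "$user" "$role"
            printf "  The value '%s' for the Username field is bad.\n" "$user"
            problems=$((problems + 1))
        fi
        # The role must be defined in the roles database.
        if ! grep -q "^${role}[[:space:]]*:" "$roles"; then
            printf '[%s] %s: %s\n  undefined role\n' "$user_role" "$user" "$role"
            printf "  The role '%s' is not defined in %s.\n" "$role" "$roles"
            problems=$((problems + 1))
        fi
    done < "$user_role"
    # Exit status is the number of problems found (0 means consistent).
    return "$problems"
}

# Constructed sample databases (not real HP-UX files) in a scratch directory.
tmp=$(mktemp -d)
printf 'root:x:0:0::/:/sbin/sh\noperator:x:200:20::/home/operator:/sbin/sh\n' > "$tmp/passwd"
printf 'Administrator: full access\nUserOperator: manage user accounts\n' > "$tmp/roles"
printf 'root: Administrator\nchandrika: UserOperator\noperator: BackupOperator\n' > "$tmp/user_role"

if rbac_check "$tmp/user_role" "$tmp/roles" "$tmp/passwd"; then
    found=0
else
    found=$?
fi
rm -rf "$tmp"
```

With the constructed input, the check reports the unknown user chandrika and the undefined role BackupOperator, so found is 2.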
168 HP-UX Role-Based Access Control