rbac.5 (2010 09)

rbac(5) rbac(5)
AUDITING
The privrun(1M), roleadm(1M), authadm(1M) and cmdprivadm(1M) commands all generate audit records.
Each audit record includes the caller's username, UID, role, authorizations, the object acted on, the
time of the event, whether the event succeeded or failed, and similar details.
You can provide an audit filter database file (/etc/rbac/aud_filter) that specifies which combinations
of role and authorization (operation, object) are to be audited. Role-to-authorization audit records
are generated only if the caller's role and authorization match one of the entries in the
/etc/rbac/aud_filter database.
If the audit filter database file does not exist, or is not accessible, audit records are still
generated. However, if the audit filter database file exists but is empty, no audit records are
generated.
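The three filter states described above (file missing or unreadable, file present but empty, file with entries) make the audit decision easy to get backwards, so here is the rule written out as an added example; this is illustrative code, not part of HP-UX. It assumes a line format of role:operation:object with '#' comments and exact matching, none of which the page states.

```python
# Added example (not HP-UX code): the rbac(5) audit-filter decision rule, i.e.
# whether a role-to-authorization audit record is emitted for a given caller.
# Assumed (not given on the page): /etc/rbac/aud_filter holds one
# "role:operation:object" entry per line, '#' starts a comment, exact match.
from pathlib import Path
from typing import Optional

Entry = tuple[str, str, str]


def parse_aud_filter(text: str) -> list[Entry]:
    """Parse aud_filter contents; an empty file yields an empty list."""
    entries: list[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"aud_filter line {lineno}: expected role:operation:object")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def load_aud_filter(path: str = "/etc/rbac/aud_filter") -> Optional[list[Entry]]:
    """Return parsed entries, or None when the file is missing or unreadable.

    rbac(5) treats these differently: no usable file means 'still audit
    everything', an existing but empty file means 'audit nothing'.
    """
    try:
        return parse_aud_filter(Path(path).read_text())
    except OSError:  # ENOENT, EACCES, ...: absent or inaccessible
        return None


def should_audit(role: str, operation: str, obj: str,
                 entries: Optional[list[Entry]]) -> bool:
    """Apply the rbac(5) rule to one (role, operation, object) event."""
    if entries is None:          # filter database missing or inaccessible
        return True
    return (role, operation, obj) in entries   # [] -> nothing is audited


if __name__ == "__main__":
    # Constructed sample filter: audit only the admin role's role-add operation.
    sample = "# role:operation:object\nadmin:rbac.role.add:*\n"
    entries = parse_aud_filter(sample)
    print(should_audit("admin", "rbac.role.add", "*", entries))     # True
    print(should_audit("admin", "rbac.role.delete", "*", entries))  # False
    print(should_audit("admin", "rbac.role.add", "*", []))          # False (empty file)
    print(should_audit("admin", "rbac.role.add", "*", None))        # True (no file)
```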
The following is an example of how to generate and display the audit records for roleadm:
# audevent -Pfe admin
# audsys -f
# audsys -n -c /tmp/aud.out -s 2048
# roleadm add new_role_1
# audsys -f
# audisp /tmp/aud.out
See audit (5), audevent (1M), audsys (1M), and audisp (1M) to learn more about generating and displaying
audit records.
FILES
/etc/rbac/auths       Database containing definitions of all valid authorizations.
/etc/rbac/cmd_priv    Database containing the authorization to execute specified commands or
                      edit specific files, and the privileges to alter UID and GID for command
                      execution.
/etc/rbac/roles       Database containing all valid definitions of all roles.
/etc/rbac/role_auth   Database defining the authorizations and/or subroles for each role.
/etc/rbac/user_role   Database specifying the roles for each specified user or UNIX group.
/etc/rbac/aud_filter  Database containing a list of roles and associated authorizations to be
                      audited.
SEE ALSO
authadm(1M), cmdprivadm(1M), privrun(1M), privedit(1M), rbacdbchk(1M), roleadm(1M), privileges(5),
compartments(5).
Hewlett-Packard Company - 6 - HP-UX 11i Version 3: September 2010