
RBAC for auditing

SOS_2
Occasional Advisor

RBAC for auditing

Hi,

I want to enable auditing on my HP-UX boxes. After a user does sudo, how can a check be kept on all his activities?
Can just the audit feature of RBAC be used for this? No privileged users apart from root can be made; what we need is just an audit on each command/activity.

P.S. The boxes are NOT in trusted mode.
Appreciate any help
TTr
Honored Contributor

Re: RBAC for auditing

> After a user does sudo...

Sudo has command/script based access and has nice logging, so you should be able to check the logs and see which command each user ran.

RBAC is a separate access control platform that can replace sudo or be used alongside it. It should have its own logging features so that you can check what commands the users are running.

Your question sounds more general; I think you are asking if sudo is equivalent to system auditing. The answer is relative. In a low user activity environment you could have all your users go through sudo and run a few commands. In this case you could audit which command a user typed and when. In a high user activity environment it would be almost impossible to monitor all the users and wrap all the UNIX commands in sudo.

Do you have to respond to an IT system audit regarding server auditing?
SOS_2
Occasional Advisor

Re: RBAC for auditing

Thank you for your reply.

1. I want to know how each user's activity having sudo access can be known. The file is just one .sh_history, which is the same for everyone after they issue sudo su -

2. All I want is to keep a tab on everyone's activity, be it sudo/RBAC/trusted mode. More keen on using RBAC as it's the latest trend.

3. Please, someone guide me about RBAC's auditing feature, implementation, steps etc.
TTr
Honored Contributor

Re: RBAC for auditing

> ...after they issue sudo su -

That's a problem. Everybody becomes root under a UNIX shell, so all activity is within that shell. As far as sudo is concerned, they only typed one command, the "su -" command. They all inherit the root environment and end up in the same home directory with the same history file.


Take a look at /etc/default/security and set up the SU_KEEP_ENV_VARS list. Look at "man su". Then you can make everybody's history file different (using their LOGNAME) and keep all history files in a separate subdirectory.

Smart users can cleanup the history file before they logout so this is still very insecure.

This is a very open and unprotected system. Why bother with sudo? You might as well give everybody the root password.
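The per-user root history arrangement TTr outlines above, as an added example that is not part of the original thread or of any HP-UX product: keep the invoking user's LOGNAME across "su -" via SU_KEEP_ENV_VARS, then have root's profile point HISTFILE at a file named after that LOGNAME inside a root-only directory. The function names, the /var/adm/roothist directory, the "sh_history.<user>" naming and the comma-separated SU_KEEP_ENV_VARS syntax are assumptions made for this example; confirm the syntax against security(4) and su(1) on your release. Because LOGNAME is user-controlled once it survives su, the example validates it before building a path, and it includes a check that /etc/default/security actually lists LOGNAME.

```shell
#!/bin/sh
# Added example (not from the original thread): per-user root history files
# for users who reach root through "sudo su -".
#
# Assumptions, not confirmed by the thread:
#   * /etc/default/security carries a line such as
#         SU_KEEP_ENV_VARS=LOGNAME,TERM
#     so the invoking user's LOGNAME survives "su -" (see security(4), su(1)).
#   * /var/adm/roothist is a root-only directory created beforehand.
#   * root_profile_fragment is what root's .profile would run; the other
#     functions exist so the logic can be exercised on any POSIX shell.

# Return 0 if NAME looks like a login name, 1 otherwise.  Anything with a
# slash, dot or other punctuation could steer the history file out of the
# directory, so only [A-Za-z0-9_-] is accepted.
valid_logname() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Print the history file for one invoking user: DIR/sh_history.NAME.
# A malformed or missing name goes to a catch-all file rather than a
# file name the user chose.
root_histfile_for() {
    dir=$1
    name=$2
    if valid_logname "$name"; then
        printf '%s/sh_history.%s\n' "$dir" "$name"
    else
        printf '%s/sh_history.UNKNOWN\n' "$dir"
    fi
}

# Create the history directory readable by root only.
setup_root_hist_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Return 0 if FILE (normally /etc/default/security) has an uncommented
# SU_KEEP_ENV_VARS line whose comma-separated list includes LOGNAME.
# Without it, "su -" resets LOGNAME to root and every user shares one file.
su_keeps_logname() {
    grep '^[[:space:]]*SU_KEEP_ENV_VARS=' "$1" 2>/dev/null |
        tail -n 1 | cut -d= -f2- | tr ',' '\n' | grep -qx 'LOGNAME'
}

# What root's .profile would run after "sudo su -": pick HISTFILE from the
# kept LOGNAME and export it before the first command is recorded.
root_profile_fragment() {
    HISTFILE=$(root_histfile_for /var/adm/roothist "${LOGNAME:-}")
    HISTSIZE=5000
    export HISTFILE HISTSIZE
}

# Optional demonstration: "sh thisfile.sh demo" prints the path that the
# current LOGNAME would map to and whether /etc/default/security keeps it.
if [ "${1:-}" = demo ]; then
    root_histfile_for /var/adm/roothist "${LOGNAME:-}"
    if su_keeps_logname /etc/default/security; then
        echo "SU_KEEP_ENV_VARS keeps LOGNAME"
    else
        echo "WARNING: LOGNAME is not kept across su -; all users will share root's history"
    fi
fi
```

As TTr notes, this only names the file per user; anyone who is root can still edit or remove it, so it is an attribution aid rather than tamper-proof audit data.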