RBAC BSM and Auditing in NIS environment

Status
Not open for further replies.

sunixadm

Technical User
Sep 20, 2001
73
DE
Hi,

I have been asked to develop and implement a concept for RBAC with the ability to audit different roles.

There is plenty of information on the net (google) regarding this subject, but I haven't been able to find information regarding RBAC implementation, with the basic security module (BSM), in a NIS environment.

Can anyone help?

Solaris 8 SPARC HW 7/03.

Thanks!

-Joe
 
New features have been added for systems using RBAC and BSM under Solaris 8.

These features allow pfexec to directly update the audit logs and widen the scope of auditing, providing finer-grained auditing.

RFE #4398611 pfexec should directly audit its use.

This RFE was generated as a customer convenience to allow a way to separately record the following in the audit trail:

- what commands pfexec executed as part of a Rights Profile
- what rights they were given.

RFE #4647684 PSARC/2002/352 Audit Class Expansion

This RFE was generated to add finer granularity for audit administration.

Bug # 4473022, pfexec without a defined group audits with group -1

This bug fixed an audit-log-only detail where the group, if not defined, used -1 instead of the default group.

These new features were released in patch revision -12 of the at/atrm/batch/cron patch #109007 for Solaris 8 and built into the Solaris 9 build 42 and greater.

Part of the patch procedure moves the new audit_event and audit_class files into place while making a copy of the original files.

If you have customized the audit_event file, you should add a new entry that was introduced in the patch 109007-12 or greater. If the entry is left out, it can cause failure for any role based accounts on the system.

The required entry is:

6180:AUE_prof_cmd:profile command:ad

The error occurs after logging in to a role and trying to run a command without the required entry:

pfexec: audit preselection failed


Best regards Phil
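
Added example, not part of the original post or of Sun's patch: a check that a customized audit_event file still carries the entry quoted above, so the gap is caught before role accounts hit "pfexec: audit preselection failed". It is written for a POSIX shell (on Solaris 8, ksh or /usr/xpg4/bin/sh with AWK=nawk); the function name, the status words and the sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Required line, copied from the post above (patch 109007-12 or greater).
REQUIRED='6180:AUE_prof_cmd:profile command:ad'
AWK=${AWK:-awk}   # Solaris 8: use nawk, the old /usr/bin/awk has no -v option

# check_prof_cmd FILE   (hypothetical helper name)
# Prints one status word and returns a matching exit code:
#   0 ok          active line for event 6180 matches REQUIRED
#   1 missing     no active (uncommented) line for event 6180
#   2 differs     event 6180 is defined, but name, text or class was changed
#   3 unreadable  FILE cannot be read
check_prof_cmd() {
    file=$1
    [ -r "$file" ] || { echo unreadable; return 3; }
    "$AWK" -F: -v req="$REQUIRED" '
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        $1 == 6180 {
            found = 1
            line = $0
            sub(/[ \t\r]+$/, "", line)      # tolerate trailing blanks or CR
            if (line == req) exact = 1
        }
        END {
            if (exact)      { print "ok";      exit 0 }
            else if (found) { print "differs"; exit 2 }
            else            { print "missing"; exit 1 }
        }' "$file"
}

# Constructed sample: a customized file that lost the entry, then the repair.
# The 32800 line is invented for the demonstration, not a real Solaris event.
sample="${TMPDIR:-/tmp}/audit_event.sample.$$"
printf '%s\n' '# constructed sample, not a real audit_event file' \
    '32800:AUE_site_example:constructed site event:lo' > "$sample"
echo "customized file: $(check_prof_cmd "$sample")"
echo "$REQUIRED" >> "$sample"
echo "entry restored:  $(check_prof_cmd "$sample")"
rm -f "$sample"

# On a real system: check_prof_cmd /etc/security/audit_event
```

A "differs" result means event 6180 is defined but no longer matches the line given in the post, which is worth comparing against the copy the patch installed.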
 