Hello,

I am using Solaris 10 and RBAC and am noticing some peculiar audit
messages when testing authorized and unauthorized actions.

/etc/security/audit_control flags are as follows:
flags:-fm,-fc,-fd,ex,am,lo
naflags:ex,lo

Example: secrole has profiles Audit Review, Audit Control and All. He
can NOT create user accounts:

bash-3.00$ id
uid=1060(secrole) gid=1(other)
bash-3.00$ /usr/sbin/useradd -c "Maggie Simpson" -d /export/home/maggies -m maggies
UX: /usr/sbin/useradd: ERROR: Permission denied.

Now looking at the audit log, it says the operation was successful!

header,272,2,execve(2),,hostname,2007-04-27 13:21:49.482 -04:00
path,/usr/sbin/useradd
attribute,100555,root,sys,85,41836,0
exec_args,7,/usr/sbin/useradd,-c,Maggie Simpson,-d,/export/home/maggies,-m,maggies
path,/lib/ld.so.1
attribute,100755,root,bin,85,368971,0
subject,brandonw,secrole,other,secrole,other,2746, 2030703075,1177 131094 xxx.xxx.xxx.xxx
return,success,0
<---------------------------------------------------------------
sequence,649
trailer,272

Verify that the user account was not created

bash-3.00 # more /etc/passwd | grep maggies
bash-3.00 # Nothing!

System Administrator role works as expected, but it shows the same
success message in the audit logs:

bash-3.00$ id
uid=1059(sarole) gid=1(other)

bash-3.00$ profiles
System Administrator
Printer Management
Cron Management
Device Management
File System Management
Mail Management
Maintenance and Repair
Media Backup
Media Restore
Name Service Management
Network Management
Object Access Management
Process Management
Software Installation
User Management
Project Management
Desktop Configuration
Application Server Management
Device Security
Network Security
User Security
Basic Solaris User
All

bash-3.00$ /usr/sbin/useradd -c "Homer Simpson" -d /export/home/homers -m homers
64 blocks
bash-3.00$

$ more /etc/passwd | grep homers
homers:x:1061:1:Homer Simpson:/export/home/homers:/bin/sh

# auditreduce -d 20070427 -c ua | praudit
header,234,2,profile command,,hostname,2007-04-27 13:56:57.964 -04:00
subject,brandonw,root,other,sarole,other,3259,3072 061485,1214 65558 xxx.xxx.xxx.xxx
path,/export/zone/home/sarole
path,/usr/sbin/useradd
cmd,argcnt,6,-c,Homer Simpson,-d,/export/home/homers,-m,homers,envcnt,0,
process,brandonw,root,other,sarole,other,3259,3072 061485,1214 65558 xxx.xxx.xxx.xxx
return,success,0
sequence,811
trailer,234


Thank you very much for your advice!

B. Wheaton
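Added example, not part of the post above: a small Python parser for the praudit text record format quoted in it, run over constructed copies of the two records. It extracts event type, subject, paths, argv and the return token, and flags execve(2) records, whose return token reports the outcome of the exec call itself (the program was started) rather than of anything the program did afterwards. Field positions follow the header/path/exec_args/cmd/subject/return tokens as they appear in the post; the sample data is constructed.

```python
# Constructed sample, modelled on the two praudit records quoted in the post.
SAMPLE = """\
header,272,2,execve(2),,hostname,2007-04-27 13:21:49.482 -04:00
path,/usr/sbin/useradd
exec_args,7,/usr/sbin/useradd,-c,Maggie Simpson,-d,/export/home/maggies,-m,maggies
subject,brandonw,secrole,other,secrole,other,2746,2030703075,1177 131094 xxx.xxx.xxx.xxx
return,success,0
trailer,272
header,234,2,profile command,,hostname,2007-04-27 13:56:57.964 -04:00
subject,brandonw,root,other,sarole,other,3259,3072061485,1214 65558 xxx.xxx.xxx.xxx
path,/export/zone/home/sarole
path,/usr/sbin/useradd
cmd,argcnt,6,-c,Homer Simpson,-d,/export/home/homers,-m,homers,envcnt,0,
return,success,0
trailer,234
"""

def parse_records(text):
    """Group praudit lines (one token per line) into header..trailer records."""
    records, current = [], None
    for line in text.splitlines():
        token, *fields = line.split(",")   # naive split: fine unless an argv word holds a comma
        if token == "header":
            current = []
        if current is not None:
            current.append((token, fields))
        if token == "trailer":
            records.append(current)
            current = None
    return records

def summarise(record):
    """Extract the fields an analyst looks at first from one record."""
    out = {"event": None, "paths": [], "args": [], "subject": {}, "return": None}
    for token, f in record:
        if token == "header":           # size,version,event,modifier,host,time
            out["event"] = f[2]
        elif token == "path":
            out["paths"].append(f[0])
        elif token == "exec_args":      # execve(2): argc followed by argv
            out["args"] = f[1:1 + int(f[0])]
        elif token == "cmd":            # profile command: argcnt,N,argv...,envcnt,M,...
            out["args"] = f[2:2 + int(f[1])]
        elif token == "subject":        # audit-ID,euid,egid,ruid,rgid,pid,sid,tid
            out["subject"] = {"audit_id": f[0], "euid": f[1], "ruid": f[3], "pid": f[5]}
        elif token == "return":         # status word, return value
            out["return"] = (f[0], f[1])
    return out

def attests_exec_only(summary):
    """True for execve(2) records, whose 'return' covers only the exec call itself."""
    return summary["event"].startswith("execve")
```

Records are matched to the same process through the subject token's pid, so a failure recorded after the exec (for example a failed file operation, if that class is audited) shows up as a separate record with the same pid.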