HP-UX Event Manager Administrator's Guide: HP-UX 11i v3 Edition 1, Chapter 3 Configuring Event Manager

Event Authorization


For the following reasons, security is an important consideration when dealing with events:

  • Uncontrolled access to certain event information can provide an unauthorized user with sensitive information about system operation.

  • Posting certain events may cause critical system actions, for example, application failover or system shut down, to occur.

Traditionally, event information security is maintained by restricting read access to log files and limiting certain posting operations to the superuser. Because the Event Manager daemon and the event retrieval facilities provide alternate means of access to all events, both as they are posted and after they are logged, the daemon also provides a way to limit access, so that events are seen only by authorized users. Access control is enforced by the daemon's authorization facilities together with authentication of connecting users.

You must avoid compromising security when writing executable functions to be used in the environment. For more information about protecting channel functions, see the HP-UX Event Manager Programmer’s Guide.

User Authentication

The Event Manager daemon authenticates the identities of all local system users before accepting any connection request.

User Authorization

Access to events is controlled by the Event Manager authorization file, /etc/evm.auth.

The superuser can authorize individual users or groups of users to perform the following actions:

  • Post selected events

  • Access (subscribe to or retrieve from storage) selected events

  • Execute selected services

By default, all events are protected. Event rights are granted by supplying, for each event class, a list of users who have the specified right or who are explicitly denied it. A plus sign (+) that is not followed by a user list implicitly grants the right to all users. A minus sign (-) that is not followed by a user list implicitly denies the right to all users. The superuser has implicit posting and access rights to all events unless explicitly denied them. Example 3-4 “Sample Authorization File Entries” shows sample entries in an authorization file. For more information, see evm.auth(4).

Example 3-4 Sample Authorization File Entries

# ===================
# EVENTS
# ===================
/* Only the root user can post the class of events that have names beginning
   with sys.unix.evm.control. Such events are accessible by all users. The
   @SYS_VP@ entry is a macro that is replaced with sys.unix when the file is
   read. */
event_rights {
    class   @SYS_VP@.evm.control      # EVM control events
    post    root
    access  +
}
/* Only the root user can post the class of events that have names beginning
   with sys.unix.evm.msg.admin. Such events can be accessed by root or by other
   users in the adm group. */
event_rights {
    class   @SYS_VP@.evm.msg.admin    # EVM admin message
    post    root
    access  "root, group=adm"
}
/* All users can post or access the class of events that have names beginning
   with sys.unix.evm.msg.user. */
event_rights {
    class   @SYS_VP@.evm.msg.user     # EVM user message
    post    +
    access  +
}

# ===================
# SERVICES
# ===================
/* All users can execute the event_get service. */
service_rights {
    service event_get
    execute +
}

If you make any changes to the authorization file, you must enter the evmreload command to inform the Event Manager daemon of the changes; until then the daemon continues to enforce the previously loaded rights.
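To make the rules in this section concrete, the following Python model is added here as an example; it is not HP code and not the daemon's implementation. It parses entries written in the style of Example 3-4 and answers the question "may this user post or access this event, or execute this service?" using the rules stated above: events are protected by default, a bare + grants and a bare - denies the right to everyone, a user list may name users or group=name, and the superuser keeps implicit post and access rights unless explicitly denied. Several details are assumptions that the page does not state: the -name form for an explicit denial inside a user list, prefix matching of a class against event names with the longest matching class winning, the user name root standing for the superuser, and deny-by-default for a service that has no service_rights entry. The sample file text and the user and group memberships are constructed for the example.

```python
"""Model of evm.auth rights evaluation (added example; not HP's evmd code)."""
import re

# Constructed sample in the style of Example 3-4; not a real /etc/evm.auth.
# The last event_rights entry uses the ASSUMED "-name" denial syntax.
SAMPLE_AUTH = """
# EVENTS
/* EVM control events: only root posts, everyone may access. */
event_rights {
    class   @SYS_VP@.evm.control      # EVM control events
    post    root
    access  +
}
event_rights {
    class   @SYS_VP@.evm.msg.admin
    post    root
    access  "root, group=adm"
}
event_rights {
    class   @SYS_VP@.evm.msg.user
    post    +
    access  +
}
event_rights {
    class   @SYS_VP@.evm.msg.user.restricted
    post    "+, -guest"
    access  "group=adm, -root"
}
# SERVICES
service_rights {
    service event_get
    execute +
}
"""

MACROS = {"@SYS_VP@": "sys.unix"}   # the page states this substitution
SUPERUSER = "root"                  # assumption: superuser is named root


def _strip_comments(text):
    """Remove /* ... */ and # ... comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#[^\n]*", "", text)


def parse_auth(text):
    """Return (events, services): {class: {right: spec}}, {service: spec}."""
    text = _strip_comments(text)
    for macro, value in MACROS.items():
        text = text.replace(macro, value)
    events, services = {}, {}
    blocks = re.findall(r"(event_rights|service_rights)\s*\{(.*?)\}", text, flags=re.S)
    for kind, body in blocks:
        fields = {}
        for line in body.strip().splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                fields[parts[0]] = parts[1].strip().strip('"')
        if kind == "event_rights":
            events[fields["class"]] = {k: v for k, v in fields.items() if k != "class"}
        else:
            services[fields["service"]] = fields.get("execute", "-")
    return events, services


def _check_spec(spec, user, groups):
    """Evaluate one rights list: True = granted, False = denied, None = not named."""
    granted = denied = False
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        if entry == "+":            # bare plus: everyone
            granted = True
        elif entry == "-":          # bare minus: nobody
            denied = True
        else:
            negate = entry.startswith("-")   # assumed explicit-denial form
            name = entry[1:] if negate else entry
            if name.startswith("group="):
                hit = name[len("group="):] in groups
            else:
                hit = name == user
            if hit:
                denied = denied or negate
                granted = granted or not negate
    if denied:
        return False                # an explicit denial always wins
    return True if granted else None


def event_right(events, right, event_name, user, groups=()):
    """Decide whether user holds right ('post' or 'access') on event_name."""
    # Assumed: a class covers the event of that name and all names below it,
    # and the longest (most specific) matching class is the one that applies.
    matches = [c for c in events if event_name == c or event_name.startswith(c + ".")]
    if not matches:
        return user == SUPERUSER    # protected by default; root implicit
    spec = events[max(matches, key=len)].get(right, "-")
    decision = _check_spec(spec, user, set(groups))
    if decision is None:            # not named: only root's implicit right remains
        return user == SUPERUSER
    return decision


def service_right(services, service, user, groups=()):
    """Decide whether user may execute service (assumed: unlisted = denied)."""
    spec = services.get(service)
    if spec is None:
        return False
    return _check_spec(spec, user, set(groups)) is True


if __name__ == "__main__":
    ev, sv = parse_auth(SAMPLE_AUTH)
    print(event_right(ev, "post", "sys.unix.evm.control.start", "alice"))      # False
    print(event_right(ev, "access", "sys.unix.evm.msg.admin.x", "bob", ["adm"]))  # True
    print(service_right(sv, "event_get", "bob"))                               # True
```

The model is useful for reasoning about a proposed /etc/evm.auth before loading it with evmreload, but the authoritative syntax and the decisions that matter are those of evm.auth(4) and the daemon itself.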

© 2007 Hewlett-Packard Development Company, L.P.