HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
• Create a single compartment configuration file for each software component. This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily.
• Some software products are shipped with compartment rules already configured. Avoid modifying these rules.
Before you make modifications to shipped compartment configurations, be sure you understand the existing configuration. Read the documentation for the software product and examine the existing configuration carefully.
CAUTION: Do not redefine the existing INIT compartment. If you attempt to change or redefine the INIT compartment, all automatically generated definitions will be destroyed and compartments will not function properly.
Activating Compartments
To activate compartment rules on your system, follow these steps:
1. Plan your compartment rules. See “Planning the Compartment Structure” for more information.
TIP: HP recommends you plan your compartment rules configuration carefully. After you have edited your configuration and implemented it on a production system, it becomes difficult to change. When you change a compartment configuration, you must make changes to user procedures, scripts, and tools.
2. Create compartment rules. See “Compartment Rules and Syntax” for instructions on completing this step and for a complete description of compartment rules syntax.
3. (Optional) Preview your compartment rules by entering the following command:
    # setrules -p
The -p option parses the configured rules list and reports any discrepancies in syntax and semantics. HP recommends that you follow this step before enabling compartment rules on your system.
4. (Optional) Make backup copies of the compartment configuration files. Either put these files outside the /etc/cmpt directory or omit the .rules suffix. Doing this lets you easily revert to your starting point if an editing problem occurs.
5. Enable the compartments feature by entering the following command:
    # cmpt_tune -e
6. Reboot your system. This step is mandatory.
TIP: Keep your backup files; this makes it easier to revert to a prior configuration.
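Steps 3 to 5 above, scripted as an added example that is not part of the guide: it backs up every rules file to a directory outside /etc/cmpt without the .rules suffix, runs setrules -p, and calls cmpt_tune -e only if the parse succeeds. It assumes setrules and cmpt_tune are in PATH and exit non-zero on failure, and leaves the mandatory reboot to the administrator.

```shell
#!/bin/sh
# Added example (not HP's code). Assumptions: rules live in /etc/cmpt/*.rules,
# and setrules / cmpt_tune are in PATH and return non-zero when they fail.

# Copy every *.rules file from $1 into $2, which should be outside /etc/cmpt.
# The copies get a ".rules-bak" suffix so they can never be picked up as live
# rules even if $2 is later moved under /etc/cmpt. Prints the number of files
# copied and fails if no rules file was found (guards against a typo in $1).
backup_cmpt_rules() {
    src="$1"; dest="$2"; n=0
    mkdir -p "$dest" || return 1
    for f in "$src"/*.rules; do
        [ -f "$f" ] || continue
        base=$(basename "$f" .rules)
        cp -p "$f" "$dest/$base.rules-bak" || return 1
        n=$((n + 1))
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

# Step 3 then step 5: parse the configured rules and enable compartments only
# when setrules -p reports no syntax or semantic problems.
preview_then_enable() {
    if ! setrules -p; then
        echo "setrules -p reported errors; compartments NOT enabled" >&2
        return 1
    fi
    cmpt_tune -e && echo "compartments enabled; reboot required to activate (step 6)"
}

# Full pre-flight: back up to the directory given as $1, then preview and enable.
activate_compartments() {
    backup_cmpt_rules "${CMPT_DIR:-/etc/cmpt}" "$1" >/dev/null || return 1
    preview_then_enable
}
```

Run as `activate_compartments /var/adm/cmpt-backup` from a root shell; the backups are kept, as the tip above recommends, so the previous configuration can be restored by copying them back and dropping the -bak suffix.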
Modifying Compartment Configuration
You can create new compartments and modify existing compartments without rebooting the system. If you enable or disable the compartment feature, or completely remove a compartment, you must reboot the system. However, if you remove all rules associated with a compartment and all references to that compartment, you can leave the compartment on your system until the next reboot.
Refer to “Changing Compartment Names” for more information about the implications of changing the name of a compartment.
60 Compartments