HP Open View Data Protector for Security Containment

protector product. Therefore, the INIT compartment needs to be able to accept such incoming
connections. If you have redefined the INIT compartment on your system, add the following rules to
it:
    grant bidir udp peer port 53 in_iface    /* DNS client */
    grant server tcp port 5555 in_iface      /* Data Protector inet backup/restore daemon */
Define a new compartment backup as follows:
sealed compartment backup {
    disallowed privileges Policy
    perm all /
    grant client tcp in_iface                /* Data Protector backup and restore processes */
    grant bidir udp peer port 53 in_iface    /* DNS client */
}
The rule "grant client tcp in_iface" is required by the internal organization of omniback: recall that the omniback client connects back to the cell server from dynamically allocated ports, so the grant cannot be narrowed to a fixed port the way the inet daemon's port 5555 rule can.
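The unscoped tcp grant above is exactly the kind of rule a reviewer should be able to find quickly in a compartment rule file. The following POSIX shell script is an added example, not part of the HP paper: it strips C-style comments (including ones that span lines, as in the rules above), extracts the rules of a named compartment, and lists every tcp or udp grant that names no port. The sample rule file is constructed from the INIT additions and the backup compartment quoted in the text; its path under TMPDIR is an assumption, and the script only reads the file, it does not load it with setrules.

```shell
#!/bin/sh
# Added example (not HP's code): review aid for HP-UX compartment rule files.
# Assumption: the rule file uses the layout quoted in the paper
# ("[sealed] compartment NAME { ... }" with /* */ comments).

# Assumed location for the constructed sample file.
SAMPLE_RULES="${TMPDIR:-/tmp}/cmpt_audit_sample.rules"

# Write the constructed sample rule file (rules taken from the text) and print its path.
write_sample_rules() {
    cat > "$SAMPLE_RULES" <<'EOF'
compartment INIT {
    grant bidir udp peer port 53 in_iface    /* DNS client */
    grant server tcp port 5555 in_iface      /* Data Protector inet
                                                backup/restore daemon */
}

sealed compartment backup {
    disallowed privileges Policy
    perm all /
    grant client tcp in_iface                /* Data Protector backup and
                                                restore processes */
    grant bidir udp peer port 53 in_iface    /* DNS client */
}
EOF
    printf '%s\n' "$SAMPLE_RULES"
}

# compartment_rules FILE NAME: print the rules of compartment NAME, one per
# line, with comments (also multi-line ones) and blank lines removed.
compartment_rules() {
    awk -v want="$2" '
    {
        # strip /* ... */ comments; "incomment" carries state across lines
        line = $0; out = ""
        while (line != "") {
            if (incomment) {
                i = index(line, "*/")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 2); incomment = 0
            } else {
                i = index(line, "/*")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 2); incomment = 1
            }
        }
        $0 = out
    }
    # block header: "compartment NAME {", optionally preceded by "sealed"
    /^[ \t]*(sealed[ \t]+)?compartment[ \t]+[^ \t{]+[ \t]*\{/ {
        name = $0
        sub(/^[ \t]*(sealed[ \t]+)?compartment[ \t]+/, "", name)
        sub(/[ \t]*\{.*$/, "", name)
        inblock = (name == want)
        next
    }
    /^[ \t]*\}/ { inblock = 0; next }
    inblock {
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 != "") print
    }' "$1"
}

# unscoped_net_grants FILE NAME: list tcp/udp grants in NAME that name no port.
# Each hit either needs tightening or a documented reason, such as the
# dynamic-port behaviour of the omniback client described in the text.
unscoped_net_grants() {
    compartment_rules "$1" "$2" |
    awk '$1 == "grant" && ($3 == "tcp" || $3 == "udp") && $0 !~ /(^|[ \t])port([ \t]|$)/'
}

# Usage: audit both compartments in the constructed file.
rules_file=$(write_sample_rules)
for c in INIT backup; do
    printf '== %s ==\n' "$c"
    compartment_rules "$rules_file" "$c"
    printf '%s\n' '-- unscoped network grants --'
    unscoped_net_grants "$rules_file" "$c"
done
```

Run against the sample, the INIT compartment reports no unscoped grants (both of its rules are pinned to a port), while the backup compartment reports only "grant client tcp in_iface", the rule the text justifies by omniback's use of dynamic ports.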
As we shall see later in the RBAC policy section, the following processes run in the backup compartment:
/opt/omni/lbin/fsbrda and /opt/omni/lbin/vbda
To view the processes running in the backup compartment, you need to add ps -ef to the RBAC commands (cmd_priv) database. See Appendix A for more information.
RBAC policy
Deploying an application in an RBAC environment requires planning. You need to do the following:
1. Identify the user who runs the application. Create the user account with the useradd command if it does not already exist.
2. Identify a role for the user created in step 1. Create the role with the roleadm command if it does not already exist.
3. Identify the authorizations that the role created in step 2 needs in order to run the application. Use the authadm command to create each authorization, if it does not already exist, and to assign it to the role.
4. Define the authorization-to-application mapping with the cmdprivadm command.
To create a user, do the following:
# useradd -m backup
This step creates the user named backup, which manages omniback. It is an otherwise unprivileged user that RBAC will configure to enter the backup compartment when it runs the omniback software.
To create a new role called DP (“Data Protector”) that the user backup belongs to, do the following:
# roleadm add DP "Data Protector role"
# roleadm assign backup DP
To create a new authorization called hpux.backupsw.omni and assign it to the above role, do the
following: