HP Open View Data Protector for Security Containment

# authadm add hpux.backupsw.omni
# authadm assign DP hpux.backupsw.omni
Add the cmd_priv entry so that the command is executed with euid=ruid=0 in the compartment named by the
compartment keyword, backup:
# cmdprivadm add cmd="/opt/omni/lbin/inet \
-log /var/opt/omni//log/inet.log" op=hpux.backupsw.omni \
compartment=backup euid=0 ruid=0
When the omni Disk Agent software is installed, the following inetd entry is added to the
/etc/inetd.conf file:
"omni stream tcp nowait root /opt/omni/lbin/inet inet -log \
/var/opt/omni//log/inet.log"
Replace the above entry in the /etc/inetd.conf file with the following:
"omni stream tcp nowait backup /usr/bin/privrun privrun -c backup \
/opt/omni/lbin/inet -log /var/opt/omni//log/inet.log"
The above change ensures that the /opt/omni/lbin/inet process starts in the backup
compartment. Then execute /usr/sbin/inetd -c so that inetd re-reads the changes made
to the inetd.conf file.
Bastille Policy
HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance the security of
the HP-UX operating environment. If your system is already configured with Bastille’s demilitarized
configuration file DMZ.conf, then Bastille configures the IPFilter rules to deny every connection
except those explicitly allowed by rules defined for specific applications. You should add an IPFilter rule for the
Data Protector application to make sure that the client receives connections through the configured
port. The next section explains how to add an IPFilter rule for Data Protector (omni) applications.
IP Filter Policy
This section describes how to configure Data Protector in an environment where the Data Protector
processes communicate across an IPFilter firewall that is configured either independently or using
Bastille.
Add the following IPFilter rule (for the omni software) in the IPFilter configuration file,
/etc/opt/ipf/ipf.conf.
"pass in quick proto tcp from any to any port = omni flags S keep state keep frags"
Reload the IPFilter rules:
# /sbin/init.d/ipfboot stop
# /sbin/init.d/ipfboot start
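The inetd.conf replacement and the IPFilter rule above are easy to get subtly wrong by hand (a second omni line, a dropped -log argument, a duplicated pass rule). The following script is an added example, not part of the HP paper, that performs both edits idempotently and verifies the result. It assumes the paths and compartment name used in the paper (/opt/omni/lbin/inet, /usr/bin/privrun, compartment backup, /etc/opt/ipf/ipf.conf) and, so that it runs offline, works on constructed temporary copies of the files rather than the live ones; point the functions at the real files only on an HP-UX host where the authadm/cmdprivadm steps have already been applied.

```sh
#!/bin/sh
# Added example (not HP's own tooling): rewrite the omni inetd entry so that
# /opt/omni/lbin/inet starts under privrun in the backup compartment, and make
# sure the omni IPFilter pass rule is present exactly once.

# Constructed sample of the entry the Disk Agent installer adds (plus one
# unrelated service line so we can check that other lines are left alone).
make_sample_inetd_conf() {
  cat > "$1" <<'EOF'
ftp   stream tcp nowait root /usr/lbin/ftpd   ftpd -l
omni  stream tcp nowait root /opt/omni/lbin/inet inet -log /var/opt/omni//log/inet.log
EOF
}

# Rewrite the omni line (user root, server /opt/omni/lbin/inet) into the
# privrun form from the paper, preserving whatever arguments follow argv[0].
# Keeps a copy of the original as <file>.orig. Returns 1 if no omni line exists.
containerize_omni_entry() {
  conf="$1"
  grep -q '^omni[[:space:]]' "$conf" || return 1
  cp "$conf" "$conf.orig"
  awk '
    $1 == "omni" && $5 == "root" && $6 == "/opt/omni/lbin/inet" {
      args = ""
      for (i = 8; i <= NF; i++) args = args " " $i   # skip field 7 (old argv[0] "inet")
      print "omni stream tcp nowait backup /usr/bin/privrun privrun -c backup /opt/omni/lbin/inet" args
      next
    }
    { print }
  ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Verification: the omni service must run as user backup via privrun -c backup.
omni_entry_is_contained() {
  grep -q '^omni[[:space:]].*[[:space:]]backup[[:space:]]/usr/bin/privrun[[:space:]]privrun[[:space:]]-c[[:space:]]backup[[:space:]]/opt/omni/lbin/inet' "$1"
}

# Append the IPFilter rule from the paper only if it is not already present,
# so repeated runs do not pile up duplicate rules.
ensure_omni_ipf_rule() {
  rule='pass in quick proto tcp from any to any port = omni flags S keep state keep frags'
  grep -qF "$rule" "$1" 2>/dev/null && return 0
  printf '%s\n' "$rule" >> "$1"
}

# Stand-alone demo on constructed temporary files (never the live config).
demo_inetd=$(mktemp)
demo_ipf=$(mktemp)
make_sample_inetd_conf "$demo_inetd"
containerize_omni_entry "$demo_inetd"
omni_entry_is_contained "$demo_inetd" && echo "omni entry now starts in the backup compartment:"
grep '^omni' "$demo_inetd"
ensure_omni_ipf_rule "$demo_ipf"
echo "ipf.conf now contains:"
cat "$demo_ipf"
rm -f "$demo_inetd" "$demo_inetd.orig" "$demo_ipf"
```

After running the functions against the real /etc/inetd.conf and /etc/opt/ipf/ipf.conf, the reload steps from the paper still apply: /usr/sbin/inetd -c for inetd, and an ipfboot stop/start for IPFilter.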