HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Default Compartment Configuration
When you enable the compartments feature, a default compartment named INIT is created. When you boot up the system, the init process belongs to this compartment. The INIT compartment is defined to have access to all other compartments. The INIT compartment is not defined in a compartment rules file.
IMPORTANT: If you redefine the INIT compartment by creating explicit rules in a rules file, all special characteristics of the compartment are lost and cannot be restored without rebooting the system.
Planning the Compartment Structure
Plan the compartment structure before you begin creating compartment rules.
To plan the compartment structure, answer the following questions:
• Do you want to isolate different groups of users accessing this system? For example, is this system used by both the accounting department and the human resources department, and must these groups of users be kept separate?
• Do you want to isolate one network interface on this system, which communicates outside the firewall, from the rest of the system, which communicates only inside the firewall?
• Does your security policy include requirements or problems that can be solved by using compartments?
• Does your security policy specify or suggest a specific compartment rules configuration?
When you have answered these questions, use the answers to determine how to assign parts of your system to specific compartments.
Consider the following recommendations when planning your compartment configuration:
• Put all your compartment configuration files in the /etc/cmpt directory.
You can use the #include directive to create compartment configuration files anywhere on your system. However, HP recommends that you avoid using this option. Instead, keep the compartment configuration files together and easy to locate.
• Develop a separate compartment configuration for each component of your system.
Unless there is a defined, specific software dependency between two components, do not mix rules for different components: one component's compartment does not contain rules referring to compartments of another component. If you must remove a component, you can modify the compartment configuration more easily if the compartment configurations are kept separate.
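Two of the points above (keep rule files under /etc/cmpt rather than pulling them in with #include from elsewhere, and never redefine INIT in a rules file) can be checked mechanically before rules are loaded. The POSIX sh script below is an added example written for this page, not part of the HP-UX guide or product; it assumes a rules file declares a compartment as `compartment NAME {` (optionally preceded by `sealed`) and that `#include` takes a path, quoted or unquoted, and it runs against constructed sample files in a temporary directory that stands in for /etc/cmpt.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): lint compartment rules files
# against two recommendations from this page.
# ASSUMED syntax: "[sealed] compartment NAME {" and "#include PATH".

CMPT_DIR="${CMPT_DIR:-/etc/cmpt}"

# cmpt_check_file FILE
#   Prints one finding per line; returns 1 if anything was found, else 0.
cmpt_check_file() {
    awk -v dir="$CMPT_DIR" -v f="$1" '
        # Finding 1: explicit rules for INIT discard its special status
        # and it cannot be restored without a reboot.
        /^[ \t]*(sealed[ \t]+)?compartment[ \t]+INIT[ \t]*[{]/ {
            print f ": line " NR ": redefines INIT (special status lost until reboot)"
            bad = 1
        }
        # Finding 2: #include that pulls rules from outside CMPT_DIR.
        /^[ \t]*#include/ {
            inc = $2; gsub(/"/, "", inc)
            if (index(inc, dir "/") != 1) {
                print f ": line " NR ": #include " inc " is outside " dir
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample rule files for the demonstration (not a real system).
demo_dir=$(mktemp -d)
CMPT_DIR="$demo_dir"                     # stand-in for /etc/cmpt here
: > "$demo_dir/web_common.rules"
cat > "$demo_dir/web.rules" <<EOF
#include "$demo_dir/web_common.rules"
sealed compartment web {
}
EOF
cat > "$demo_dir/bad.rules" <<EOF
#include /home/admin/extra.rules
compartment INIT {
}
EOF

cmpt_check_file "$demo_dir/web.rules" && echo "web.rules: ok"
cmpt_check_file "$demo_dir/bad.rules" || echo "bad.rules: see findings above"
```

Point CMPT_DIR at the real /etc/cmpt and loop over its files to run the same two checks on a production configuration.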