HP-UX Compartment Login Using Secure Shell (SSH)

Appendix A – Sample compartment definition for sshd
compartment cmpt1 {
/*
* ** INTERFACE RULES **
* We recommend configuring a dedicated IP address to listen on for
* every instance of sshd running in the system.
* The following rule has to be modified to configure the right
* IP address.
*/
interface 192.1.1.10
/*
* ** DISALLOWED PRIVILEGES RULES **
* sshd should not be allowed to do privileged operations such as
* system reboot, security containment administration, etc.
* This may need further customization if some other application
* is hosted in the same compartment or other functionality needs
* to be disallowed in this compartment.
*/
disallowed privs policy,reboot,trialmode
/*
* ** NETWORK RULES **
* As this compartment has a dedicated IP address assigned to it, it is
* not necessary to allow communication through other IP addresses.
*/
/*
* ** IPC RULES **
* The following rule granting access to the init compartment is required when the
* password cache daemon (pwgrd) is running in the system default compartment (init).
* This rule is also required when LDAP is used as the user authentication method
* and the ldapclientd daemon is running in the init compartment.
*/
access fifo, uxsock init
/*
* ** FILE SYSTEM RULES **
*/
perm nsearch /
/* perm all on /etc is required because a few commands, such as passwd, rename,
* delete and create temporary files there. Without this permission the user
* cannot change his/her password.
*/
perm all /etc
perm read /opt
perm read /usr
perm nsearch /sbin
perm nsearch /tmp
perm nsearch /var
perm nsearch /dev
// access to various device files
perm read, write /dev/ptmx
perm read /dev/telnet
perm write /dev/log
perm read, write /dev/null
// need read/write for all pseudo terminals in the /dev/pts/ directory
perm nsearch, read, write /dev/pts
perm read, write /dev/tty
perm read /dev/urandom
perm read /dev/vxportal
// The system startup process requires access to the following file objects
perm nsearch /etc/default
perm read /etc/default/security
perm read /etc/hosts.deny
perm read /etc/profile
perm read /etc/MANPATH
perm read /etc/PATH
perm read /etc/TIMEZONE
perm read /etc/cmpt-db
perm read /etc/copyright
perm read /etc/group
perm read /etc/hosts.allow
// The following rules are required to communicate with other hosts/machines
perm read /etc/resolv.conf
/*
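To review a compartment definition like the one above before loading it, here is an added Python example (not from the HP-UX paper and not HP code) that parses the rule syntax used in this appendix, strips its comments, resolves the permission that applies to a given path, and flags rules a reviewer should justify. It assumes that a perm rule on a directory covers its children and that the most specific matching path wins; the embedded rule excerpt is constructed from the listing above.

```python
import re
# Constructed excerpt in the rule-file syntax of the appendix above (not the full file).
SAMPLE_RULES = """
compartment cmpt1 {
    interface 192.1.1.10
    disallowed privs policy,reboot,trialmode
    access fifo, uxsock init
    perm nsearch /
    perm all /etc       /* passwd renames and creates files here */
    perm nsearch /dev
    // pseudo terminals
    perm nsearch, read, write /dev/pts
}
"""

def parse_compartment(text):
    """Return (name, rules); a rule is (keyword, tokens) with comments removed."""
    body = re.sub(r"//.*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))
    name, block = re.search(r"compartment\s+(\S+)\s*\{(.*)\}", body, re.S).groups()
    rules = []
    for line in block.splitlines():
        tokens = [t for t in re.split(r"[,\s]+", line.strip()) if t]
        if tokens:
            rules.append((tokens[0], tokens[1:]))
    return name, rules

def effective_perm(rules, path):
    """Flags applying to `path`; assumes a perm rule on a directory covers its
    children and the most specific (longest) matching path wins."""
    best = None
    for kw, tokens in rules:
        if kw == "perm" and (path == tokens[-1]
                             or path.startswith(tokens[-1].rstrip("/") + "/")):
            if best is None or len(tokens[-1]) > len(best[0]):
                best = (tokens[-1], tokens[:-1])
    return set(best[1]) if best else set()

def audit(rules):
    """Review points a defender checks: blanket 'all' grants, write access
    outside /dev, and privileges the appendix says sshd must not hold."""
    findings, disallowed = [], set()
    for kw, tokens in rules:
        if kw == "disallowed" and tokens[:1] == ["privs"]:
            disallowed = set(tokens[1:])
        elif kw == "perm" and "all" in tokens[:-1]:
            findings.append("perm all on %s: justify in a comment" % tokens[-1])
        elif kw == "perm" and "write" in tokens and not tokens[-1].startswith("/dev"):
            findings.append("write access outside /dev: %s" % tokens[-1])
    findings += ["privilege %s is not disallowed" % p
                 for p in ("policy", "reboot") if p not in disallowed]
    return findings
```

Running `audit` over the sample reports only the `perm all /etc` grant, which the appendix justifies for passwd; any write grant outside /dev or a missing `policy`/`reboot` in `disallowed privs` would also be listed.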