HP-UX Security Containment Extensions B.11.31.02 Release Notes

1 HP-UX Security Containment Extensions B.11.31.02
HP-UX 11i Security Containment includes three core technologies: compartments, fine-grained
privileges, and role-based access control. Together, these three components provide a highly
secure operating environment without requiring applications to be modified. With HP-UX
Security Containment Extensions, the HP-UX 11i v3 operating system enhances and simplifies
the configuration of application containment and enables compartment login restrictions for
enhanced application stacking and workload consolidation.
HP-UX Security Containment Extensions includes the following main components:
• The Containment Wizard tool that helps a system administrator set up and configure a
  compartment.
• The compartment login configuration that enables users and administrators to log in directly
  to a compartment.
• The ContainmentPlus product that provides a collection of enhancements and fixes to the
  core Security Containment features.
To acquire and install HP-UX Security Containment Extensions, go to Software Depot:
http://www.software.hp.com
Features
HP-UX Security Containment Extensions offers the following features:
Containment Wizard
The application containment wizard, contain, is a tool that helps a system administrator
set up and configure a compartment. The contain tool creates a compartment and configures
the applications specified on the command line for execution in the compartment. After the
compartment has been created and the applications have been configured, the contain
tool gives the user an opportunity to run these applications in the newly created compartment.
The containment wizard then collects the list of required access rules for these applications
and attempts to simplify these rules based on the system administrator's input.
Compartment Login
The compartment login configuration enables users and administrators to log in directly to
a compartment. It provides a mechanism to control which users are allowed to log in to a
service running in a specified compartment, or to prevent access to the system, based
on previously configured authorization information.
ContainmentPlus
The ContainmentPlus product provides the following enhancements and fixes:
— Granular control for loopback network communications. See the grant-local and
deny-local rules in the compartments(4) manpage.
— A system-wide default policy, selectable between deny and allow, for inter-compartment
local-to-local communications. See the cmpt_allow_local(5) manpage.
— The compartment delivery check for loopback packets validates against the destination
address so that only the receivers that are allowed to access the destination address can
receive the packets.
— When sending packets, if the source address for a loopback packet is not specified by
the sender, the compartment selects an address that the sender is allowed to access.
— The delivery of loopback packets is made in favor of the listener that directly owns the
destination address.
— The compartment file system rule supports non-inheritable read permission on
directories. See the nread rule in the compartments(4) manpage.