HP-UX Mailing Solutions White Paper

interface lan904
}
Please edit /etc/cmpt/iface.rules before rebooting.
Reboot to enable compartmentalization.
3. Reboot the system. This step is mandatory to enable compartmentalization.
4. Copy the /etc/cmpt/examples/sendmail.example file to a .rules file to create a
new compartment called sendmail for the Sendmail application.
# cp /etc/cmpt/examples/sendmail.example /etc/cmpt/sendmail.rules
The SAFER tool ships an example rule set for the Sendmail product, located in the /etc/cmpt/examples/sendmail.example file. You can use this rule set to run the Sendmail application in the sendmail compartment; it contains the basic security restrictions required for the Sendmail product.
5. Preview the compartment rules:
# setrules -p
The -p option parses the configured rules list and reports any discrepancies in syntax and
semantics. HP recommends that you follow this step before enabling compartment rules on
the system.
6. Obtain backup copies of the compartment configuration files so that you can revert to the
previous state if a problem occurs.
7. Run the setrules command to load the configured rules:
# setrules
8. Run the setfilexsec command to set the security attributes of the Sendmail binary file: the compartment attribute (-c) and the permitted (-p, -P) and retained (-r, -R) privilege sets that grant the additional privileges the daemon needs. In this example every set is basicroot:
# setfilexsec -c sendmail -p basicroot -P basicroot -r basicroot -R basicroot /usr/sbin/sendmail
9. Run the getfilexsec command to verify security attributes associated with the Sendmail
binary, including the compartment attribute:
# getfilexsec /usr/sbin/sendmail
/usr/sbin/sendmail:
CompartmentName: sendmail
Flag: start_full
PermittedMinPrivileges: BASICROOT
PermittedMaxPrivileges: BASICROOT
RetainedMinPrivileges: BASICROOT
RetainedMaxPrivileges: BASICROOT
Verifying the Compartment Configuration
Follow this procedure to verify if the compartment is configured properly:
1. Ensure that the Sendmail process is running in the intended compartment:
NOTE: The compartment name is sendmail in the following example.
# ps -ef | grep sendmail
root 1303 1 0 13:56:58 ? 0:00 sendmail: accepting connections
root 3396 2759 0 14:05:28 pts/1 0:00 grep sendmail
# getprocxsec 1303
effective= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT
permitted= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT
retained= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT
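The two verification steps above (getfilexsec on the binary in step 9, getprocxsec on the running process here) are easy to script into a repeatable audit check. The following POSIX shell script is an added example, not part of the HP white paper or the SAFER tool. It parses captured getfilexsec and getprocxsec output and fails if the binary is in the wrong compartment, if any of the four privilege fields differs from BASICROOT, or if the running process holds a privilege outside the BASICROOT expansion shown in the listing above. The sample outputs are constructed to mirror the paper's listings; the values other_cmpt and PLACEHOLDER_PRIV are made-up mismatches, not real compartment or privilege names. On a live system you would pass the real command output instead of the constructed strings.

```shell
#!/bin/sh
# Added audit helper (not part of the HP white paper or the SAFER tool):
# checks captured getfilexsec / getprocxsec output against the values the
# procedure expects. Sample outputs are constructed to mirror the paper.

EXPECTED_CMPT="sendmail"
EXPECTED_PRIV="BASICROOT"
# Individual privileges that BASICROOT expands to on the running process,
# taken from the paper's getprocxsec listing.
BASICROOT_SET="BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT"

# Constructed sample: getfilexsec output for a correctly configured binary.
FILEXSEC_OK='/usr/sbin/sendmail:
CompartmentName: sendmail
Flag: start_full
PermittedMinPrivileges: BASICROOT
PermittedMaxPrivileges: BASICROOT
RetainedMinPrivileges: BASICROOT
RetainedMaxPrivileges: BASICROOT'

# Constructed sample: binary left in a different compartment (other_cmpt is
# a made-up name, not a real HP-UX compartment).
FILEXSEC_BAD='/usr/sbin/sendmail:
CompartmentName: other_cmpt
Flag: start_full
PermittedMinPrivileges: BASICROOT
PermittedMaxPrivileges: BASICROOT
RetainedMinPrivileges: BASICROOT
RetainedMaxPrivileges: BASICROOT'

# Constructed sample: getprocxsec output for the running daemon, with the
# privilege list wrapped across two lines as in the paper's listing.
PROCXSEC_OK='effective= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT
permitted= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT
retained= BASIC CHOWN LOCKRDONLY FSSTHREAD CHROOT DACREAD DACWRITE
NETPRIVPORT OWNER SELFAUDIT CHSUBJIDENT'

# Constructed sample: a process holding a privilege outside BASICROOT
# (PLACEHOLDER_PRIV is not a real HP-UX privilege name).
PROCXSEC_BAD='effective= BASIC CHOWN PLACEHOLDER_PRIV
permitted= BASIC CHOWN
retained= BASIC CHOWN'

# field_value OUTPUT FIELD: print the value of the "FIELD: value" line.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# check_file_attrs OUTPUT: 0 if the compartment and all four privilege fields
# match the expected values, 1 on any mismatch or missing field.
check_file_attrs() {
    [ "$(field_value "$1" CompartmentName)" = "$EXPECTED_CMPT" ] || return 1
    for f in PermittedMinPrivileges PermittedMaxPrivileges \
             RetainedMinPrivileges RetainedMaxPrivileges; do
        [ "$(field_value "$1" "$f")" = "$EXPECTED_PRIV" ] || return 1
    done
    return 0
}

# check_proc_privs OUTPUT: 0 if every privilege in the effective, permitted
# and retained sets belongs to BASICROOT_SET, 1 if a set is missing or holds
# an unexpected privilege. Wrapped continuation lines (no "=") are joined.
check_proc_privs() {
    joined=$(printf '%s\n' "$1" | awk '
        /=/ { if (line != "") print line; line = $0; next }
        { line = line " " $0 }
        END { if (line != "") print line }')
    for set_name in effective permitted retained; do
        privs=$(printf '%s\n' "$joined" | sed -n "s/^${set_name}= *//p")
        [ -n "$privs" ] || return 1
        for p in $privs; do
            case " $BASICROOT_SET " in
                *" $p "*) ;;
                *) return 1 ;;
            esac
        done
    done
    return 0
}

# Stand-alone run over the constructed samples.
report() { if "$1" "$2"; then echo "$3: PASS"; else echo "$3: FAIL"; fi; }
report check_file_attrs "$FILEXSEC_OK"  "getfilexsec, correct sample"
report check_file_attrs "$FILEXSEC_BAD" "getfilexsec, wrong compartment"
report check_proc_privs "$PROCXSEC_OK"  "getprocxsec, correct sample"
report check_proc_privs "$PROCXSEC_BAD" "getprocxsec, extra privilege"
```

To use the checks against a live system, replace the constructed strings with command substitutions such as check_file_attrs "$(getfilexsec /usr/sbin/sendmail)" and check_proc_privs "$(getprocxsec PID)", where PID is the sendmail daemon's process ID from ps -ef. The process check is deliberately a subset test: any privilege not in the BASICROOT expansion is treated as a finding, since a compartmentalized daemon that has acquired extra privileges has escaped the intent of the rule set.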
Secure Mailing Solution 41