Administrator's Guide

1. Execute the following command:
# vhardlinks
If the output shows an inconsistency, go on to step 2.
2. Modify the rules to remove the inconsistency. Follow the procedure described in
Section 6.5.2.
Problem 4: Network server rules do not appear in getrules output.
Solution: Because of the way rules are managed internally, network server rules for a
given compartment can be listed under the target compartment's output of the getrules
command. For example:
/* telnet compartment rule to allow incoming telnet requests through compartment labeled
   ifacelan0 */
grant server tcp port 23 ifacelan0
If this rule is specified, it appears under the ifacelan0 compartment output of
getrules, shown as a client rule from that compartment's point of view:
ACCESS  PROTOCOL  SRCPORT  DESPORT  DESCMPT
Grant   client    tcp      0        23       telnet
6.7 Using Discover Mode to Generate Initial Compartment Configuration
A compartment definition can be tagged with the keyword discover. See Section 6.4.1.
The discover keyword instructs the system to discover all of the rules necessary to make
the application function correctly. This feature is intended only for use in a test
environment.
To use discover mode, mark a compartment as discover and run the application
as you normally would. The system identifies all resource accesses and creates the
required rules.
After the initial execution of the application, use the getrules -m compartment_name
command to generate a machine-readable version of the rules.
NOTE: The system does not discover nread or grant-local rules. Where the application
needs nread access, the system discovers read rules; where it needs grant-local access,
the system discovers grant rules.
The system-generated rules are sufficient to make the application function in the test
environment, but they may need to be generalized. For example, the system may generate
a rule that involves a port number in the anonymous port range, where the kernel, not
the application, selects the port number. When the application is run again, it may end
up with a different port number, requiring a different rule. Such a rule may need to be
generalized so that it covers either all ports or at least the port numbers in the
anonymous port range.
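The following Python script is an added example, not part of this guide or of the getrules tool: it parses a constructed set of discover-mode rules in the syntax shown in Problem 4 and rewrites any rule whose port falls in an assumed anonymous range (49152-65535 here; confirm the value on the host) so that it no longer names a port, which is assumed to mean all ports. The rule grammar beyond the one rule on this page is likewise an assumption.

```python
import re

# Assumed anonymous (ephemeral) port range; confirm the real range on the host.
ANON_PORT_RANGE = (49152, 65535)

# Rule grammar assumed from the one rule on the page:
#   (grant|deny) (server|client) (tcp|udp) [port N] compartment
RULE_RE = re.compile(
    r"^(?P<access>grant|deny)\s+(?P<role>server|client)\s+(?P<proto>tcp|udp)"
    r"\s+(?:port\s+(?P<port>\d+)\s+)?(?P<cmpt>\S+)$"
)

# Constructed sample of discover-mode rules (not real getrules output).
SAMPLE = """\
/* telnet compartment rule to allow incoming telnet requests through ifacelan0 */
grant server tcp port 23 ifacelan0
grant client tcp port 51234 ifacelan0
grant client udp port 53 ifacelan0
"""

def parse_rules(text: str) -> list[dict]:
    """Strip C-style comments and parse each remaining line into its fields."""
    rules = []
    for line in re.sub(r"/\*.*?\*/", "", text, flags=re.S).splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rule = m.groupdict()
        rule["port"] = int(rule["port"]) if rule["port"] else None
        rules.append(rule)
    return rules

def rule_text(r: dict) -> str:
    port = f"port {r['port']} " if r["port"] is not None else ""
    return f"{r['access']} {r['role']} {r['proto']} {port}{r['cmpt']}"

def generalize(text: str, anon=ANON_PORT_RANGE) -> list[str]:
    """Drop the port clause (assumed to mean 'all ports') from rules whose port the
    kernel picked from the anonymous range; fixed service ports stay as discovered.
    Each widened rule still deserves review: widen only as far as the app needs."""
    out = []
    for r in parse_rules(text):
        if r["port"] is not None and anon[0] <= r["port"] <= anon[1]:
            r = {**r, "port": None}
        out.append(rule_text(r))
    return out
```

Running generalize(SAMPLE) keeps the port 23 and port 53 rules unchanged and rewrites the port 51234 client rule as `grant client tcp ifacelan0`.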