HP-UX Containers (SRP) A.03.00 Administrator's Guide
120
# cd /opt/hpsrp/etc/
# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty security
compartment rules file. A container that uses only this file for its compartment rule set will
have no access to any files, system IPC, or network interfaces.
NOTE: Creating an empty security compartment rules file for the base template files affects
all containers using this file, including those previously created. HP recommends this practice
in a highly secure environment to ensure that all containers are specifically configured, and
that no containers are continuing to execute with default rules.
3. Determine the minimum set of rules that you need for a compartment and add them to the
new file (myCustom.srp_incl in this example). For more information on creating a
deployment-specific compartment rules set, see HP-UX System Administrator's Guide: Security
Management: HP-UX 11i Version 3.
4. Use the custom template to associate this new rules file with compartments requiring the
specified access. For example:
# srp -a myContainer -template custom -id myID
When srp prompts for Compartment rule files, enter the name of the new file
(/opt/hpsrp/etc/myCustom.srp_incl in this example).
B.2.2 Manually editing configuration data
HP-UX Containers marks the data it adds to subsystem configuration files and databases with tags, or
text-string identifiers. It uses these tags when selecting data for the srp replace and delete
operations. You can use these tags to identify and manually edit the HP-UX Containers configuration
data and still use the srp replace and delete operations to manage this data if you retain the tag
information.
To identify configuration data that HP-UX Containers manages, enter:
srp -l container_name -v
B.2.2.1 Tag Formats
The general format for most tags that indicate the start of HP-UX Containers data is as follows:
@tag-start 'compartment="container_name" template="template_name" service="service_name" id="version";
Where:
container_name
Specifies the container name.
template_name
Specifies the name of the template used to configure the data.
service_name
Specifies the service name.
id
A string used to identify an instance of a service applied to a container.
This field allows you to create multiple instances of related configuration
entries for one or more services. All tags include an id, with a default
value of 1.
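The following POSIX sh helpers are an added example and are not part of the HP-UX Containers guide or the srp tool itself. They read the @tag-start markers described above so that an administrator can find, before hand-editing a file, which lines belong to a given container and whether each tag still carries the four fields that srp replace and srp delete rely on. Assumptions not stated on the page: each tag sits on a single line, every field has the form name="value", the tag ends with a semicolon, and the apostrophe printed after @tag-start may or may not precede the first field. The sample configuration written by srp_demo_config is constructed for the demonstration and is not real HP-UX configuration data.

```shell
#!/bin/sh
# Added example (not from the HP-UX Containers guide): helpers for reading the
# @tag-start markers HP-UX Containers writes into subsystem configuration files.
# Assumptions: one tag per line, fields of the form name="value", a terminating
# ';', and an optional apostrophe between "@tag-start" and the first field.

# srp_tag_field LINE FIELD
# Print the value of FIELD (compartment, template, service or id) from LINE.
# The field name must be preceded by a space or the apostrophe, so a name that
# merely appears inside another value is not matched.
srp_tag_field() {
    printf '%s\n' "$1" | sed -n "s/^.*[ ']$2=\"\([^\"]*\)\".*\$/\1/p"
}

# srp_tag_valid LINE
# Succeed only if LINE is a @tag-start line that ends with ';' and carries all
# four fields. A tag that lost any of them during a manual edit is one that
# 'srp replace' and 'srp delete' can no longer select.
srp_tag_valid() {
    case "$1" in
        *@tag-start*';') ;;
        *) return 1 ;;
    esac
    for f in compartment template service id; do
        [ -n "$(srp_tag_field "$1" "$f")" ] || return 1
    done
    return 0
}

# srp_tags_for_container FILE CONTAINER
# Print every valid @tag-start line in FILE whose compartment is CONTAINER.
# Malformed tags are skipped, just as srp would not select them.
srp_tags_for_container() {
    while IFS= read -r line; do
        srp_tag_valid "$line" || continue
        if [ "$(srp_tag_field "$line" compartment)" = "$2" ]; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# srp_demo_config FILE
# Write a constructed sample file (not real HP-UX data) containing tags for
# two containers plus one tag that is missing its id field and ';'.
srp_demo_config() {
    cat > "$1" <<'EOF'
# ordinary configuration line, not managed by HP-UX Containers
@tag-start 'compartment="myContainer" template="custom" service="sshd" id="1";
@tag-start 'compartment="otherContainer" template="base" service="sshd" id="1";
@tag-start 'compartment="myContainer" template="custom" service="cmpt" id="2";
@tag-start 'compartment="myContainer" template="custom" service="cmpt"
EOF
}

# Demonstration: list the tags that belong to myContainer in the sample file.
# The truncated fourth tag is reported as skipped, since it would not be
# recognised by srp replace or srp delete either.
demo=${TMPDIR:-/tmp}/srp_tag_demo.$$
srp_demo_config "$demo"
echo "Tags belonging to myContainer:"
srp_tags_for_container "$demo" myContainer
rm -f "$demo"
```

Run the script as-is to see the two well-formed myContainer tags; the last sample line is dropped because srp_tag_valid rejects it. Running srp_tag_valid over the lines you intend to change by hand is a cheap check that the tag information the guide says you must retain is still intact afterwards.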