HP-UX Secure Resource Partitions (SRP) A.02.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document This document describes how to install, configure, and troubleshoot HP-UX Secure Resource Partitions (SRP). Intended Audience This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX SRP. Administrators are expected to have knowledge of operating system and networking concepts, commands, and configuration.
IMPORTANT An important provides essential information to explain a concept or to complete a task. NOTE A note contains additional information to emphasize or supplement important points of the main text.
1 Introduction
This chapter addresses the following topics:
• “Product Overview” (page 13)
• “SRP Components” (page 16)
• “Planning Considerations and Best Practices” (page 18)
Product Overview
HP-UX Secure Resource Partitions (SRP) version 2 enables you to create and manage SRP compartments, which provide isolated execution environments for applications. Each SRP compartment can have:
• A compartment home directory tree, which is isolated from other compartments.
• A dedicated IP interface.
Figure 1-1 SRP Compartments Example Securing SRP Compartments SRP provides a framework for managing compartment and networking security. This framework is primarily enforced with Security Containment compartment file access rules. The default set of compartment access rules delivered with SRP has been developed to favor functional isolation, application compatibility, and user session functionality over strong security containment.
• Security Containment Compartments A Security Containment compartment is an environment with an isolated file directory structure, isolated IPC, and isolated networking I/O for the processes and users in the compartment. If a process in a compartment is compromised, it cannot damage other parts of the system because it is isolated by the compartment configuration.
Initialization and Shutdown Services You can use SRP to create an initialization and shutdown directory structure for the compartment with compartment control scripts that are automatically executed when the system starts up or shuts down. You can also manually start or shut down an SRP compartment using the srp utility.
SRP Templates and Services The input parameters and data configured by srp are determined by the templates and services used. SRP templates are XML documents that define the configuration actions performed by SRP. Configuration actions are grouped into SRP services. You can choose which services to apply to an SRP, and apply services individually or collectively to an SRP compartment.
service, only the root user (the default user assigned the RBAC Administrator role) is allowed to log in to the compartment. • prm Configures a PRM group for the SRP compartment. You can specify the PRM group type and the CPU and memory allocations for the group. • provision Executes a customizable script to deploy an application in an SRP compartment. HP provides sample provision scripts for Apache Web Server and Secure Shell daemon (sshd) services.
the Security Containment product is initially enabled, it creates the ifaces compartment and assigns all network interfaces currently installed on the system to ifaces.
• Run swinstall and swremove from the INIT compartment. Do not install system software or utilities from within an SRP compartment. An SRP compartment might have rules that prevent you from successfully installing system software.
• If an application hosted in an SRP compartment has associated executables or utilities, run them from within the SRP compartment. This enables the processes to share common file system directories, IPC facilities, and network security rules.
SRP login service to assign login authorization to an HP-UX user group for specific SRP compartments. For more information about assigning login rights for compartments, see compartment_login(5). SRP Compartment Administrators and Login Group The SRP admin service assigns a user with an RBAC role to administer a compartment. By default, this user has the authorization to execute the startup and shutdown scripts for the compartment.
Compatibility with the Bastille Revert Feature If you use the bastille -r command to revert to the Bastille baseline configuration, you lose any IPFilter rules configured using SRP that are not in the baseline. HP recommends that you do not configure the IPFilter service with SRP if you are using Bastille to manage IPFilter rules. If Bastille is managing IPFilter rules, the /etc/opt/ipf/ipf.conf or /etc/opt/ipf/ ipf.
2 Installing SRP The HP-UX-SRP bundle consists of two products: CMGR and SRP. To use SRP, you must install both products in the bundle. This section describes the steps required to install the SRP bundle.
# swverify HP-UX-SRP If the installation is successful, swverify displays a list of the installed files and a success message appears after the verification is complete. 2. Enter the following command to verify that the products are configured correctly on your system: # swlist -a state -l fileset HP-UX-SRP If the product is configured correctly, swlist lists an entry for each fileset with the status configured.
3 Setting Up SRP This chapter describes how to use srp_setup to set up the SRP environment. This chapter addresses the following topics: • “Using srp_setup” (page 25) • “System Changes” (page 25) • “Example” (page 26) Using srp_setup The /opt/hpsrp/bin/srp_setup utility ensures that the system is in an appropriate state for successful configuration of SRP compartments. The srp_setup utility checks the status of the subsystems that SRP can configure.
• If IPFilter is not enabled on the system, srp_setup prompts if you want to enable it. CAUTION: Enabling IPFilter briefly brings down all IP interfaces on the system, then brings up all IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. This causes the system to briefly lose network connectivity and removes all dynamically configured IP interfaces.
#
# Compartment Setup
#
##############################
Checking Compartment module ... [ Enabled ]
##############################
#
# cmpt Login configuration
#
##############################
Checking Compartment Login Configuration File... [ OK ]
Checking cmpt login feature ... [ Enabled ]
Any service monitored by pam_hpsec account management module is enabled with compartment login enabled.
The current PAM configuration file (/etc/pam.
(page 19). If so, srp_setup prompts if you want to configure a list of specific IP addresses in the configuration file and displays a list of IP interface addresses configured on the system. Detected Init Compartment Secure Shell daemon listening on all IP addresses. Will conflict with any SRP Secure Shell daemons. Would you like to restrict the Init compartment's sshd IP addresses? [y] RETURN Enter IP addresses, separated by comma ',': [192.0.2.
4 Getting Started with SRP This chapter shows the commands used to manage the lifecycle of a sample SRP compartment.
HP recommends that you run srp_setup after you install SRP, but you can run it anytime that you want to change the default parameters for SRP or verify the status of the subsystems configured by SRP. For more information about srp_setup, see Chapter 3 (page 25). Step 2: Displaying Input Parameters for the base Template Before creating a base SRP compartment, the user enters the srp -help -template base command to view the input parameters for the base template.
The following template variables have been set to the values shown:
iface = lan1
ip_address = 192.0.2.1
Press return or enter "yes" to make the selected modifications with these values.
Do you wish to continue? [yes] RETURN
add compartment rules succeeded
creating directory /var/hpsrp/myCmpt ...
# /opt/hpsrp/bin/srp -a myCmpt -t sshd -s cmpt,provision
Enter the requested values when prompted, then press return. Enter "?" for help at prompt. Press control-c to exit.
sshd data path: [/var/hpsrp/myCmpt/opt/ssh] RETURN
sshd executable path: [/opt/ssh] RETURN
Copy SSH config data from path: [/opt/ssh/newconfig] RETURN
sshd port number: [22] RETURN
Press return or enter "yes" to make the selected modifications with these values.
/var/hpsrp/myCmpt/opt/ssh/ssh_host_dsa_key.pub SSHD Pid File: /var/hpsrp/myCmpt/opt/ssh/sshd.pid SSHD Startup/Shutdown Script: /var/hpsrp/myCmpt/sbin/init.d/secsh Step 7: Starting the SRP Compartment To start an SRP compartment, enter the following command: srp -start compartment_name The srp utility executes the startup scripts in the /var/hpsrp/compartment_name/sbin subdirectories.
Step 9: Stopping the SRP Compartment To stop an SRP compartment, enter the following command: srp -stop compartment_name The srp utility executes the shutdown scripts in the /var/hpsrp/compartment_name/sbin subdirectories. In this example, the shutdown scripts include a script to bring down the IP interface for the compartment, and a script to stop the sshd daemon.
5 Using the base Template The base template manages SRP compartment data that is not application-specific. This chapter describes how to use the base template to create a base SRP compartment. You can also use the base template to add additional base services to a compartment or to delete or modify the base services for a compartment.
The input data for these services and the data configured are described in the sections that follow. If SRP uses input data for multiple services, the srp utility prompts you for the data once and reuses the value. The cmpt Service The cmpt Service configures an HP-UX Security Containment compartment, which forms the core of the SRP compartment. You must use the cmpt service when you create an SRP compartment.
subdirectories that are intended to be compartment-specific versions of the system subdirectories below the root directory:
• etc
• home
• net
• opt
• sbin
• tmp
• usr
• var
Compartment users and services can use these directories to store compartment-specific versions of system files. For example, the init service uses the /var/hpsrp/compartment_name/sbin directory to create init.d, rc0.d, rc1.d, rc2.d, rc3.d, and rc4.
Login Access Configuring an administrative user does not grant that user login access to the compartment. A user does not have to be logged in to an SRP compartment to start or stop the compartment, or to modify the configuration data. To specify the users authorized to log in to the compartment, use the SRP login service or the authadm command. The prm Service The prm Service creates a new PRM group for an SRP compartment. SRP does not allow you to add an SRP compartment to an existing PRM group.
Default: 1. PRM group memory shares The number of virtual memory shares allocated for this group. PRM determines the actual amount of memory allocated for this group by calculating the number of shares allocated for this group divided by the total memory shares allocated. Variable Name: prm_mem_shares. Default: 10. PRM group physical memory The amount of physical memory allocated to this group for shared memory. This value is specified in megabytes. Variable Name: prm_phys_mem.
network interface that is already configured for IP, SRP configures a secondary interface for you. If you specified an existing IP address (an IP address that is already configured on the system) for the ip_address variable, srp uses the interface name with the configured address and does not prompt you for the network interface name. Variable Name: iface. Default: None. IP subnet mask (Valid for IPv4 addresses only) Specifies the subnet mask for the interface, in dotted-decimal notation.
for the compartment is executed, as described in “Network Initialization and Shutdown Service” (page 41). Network Initialization and Shutdown Service If the specified IP address was not already configured for the system, SRP creates the file /var/hpsrp/compartment_name/sbin/init.d/srp_net to bring the IP interface up or down. This script also adds or deletes the default gateway route for the compartment interface.
Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67). Unix group for compartment login Name of the HP-UX user group whose members are authorized to log in to the compartment. This group must already exist in the HP-UX group database (/etc/group). Variable Name: login_group. Default: adm.
SRP adds the following IPFilter rules for the compartment, where cmpt_address is the compartment IP address: • Rules that allow all TCP, UDP, and ICMP outbound packets from the compartment address.
Valid Input: ESP_AES128_HMAC_SHA1 ESP_AES128_HMAC_MD5 ESP_3DES_HMAC_SHA1 ESP_3DES_HMAC_MD5 ESP_NULL_HMAC_SHA1 ESP_NULL_HMAC_MD5 Default: ESP_AES128_HMAC_SHA1 IPSec preshared key The preshared key used to authenticate the identity of the IPSec peer. This must match the value configured on the peer system. Parameter Name: ipsec_psk. Valid value: A text string, containing 1 - 128 ASCII characters (whitespaces are not allowed). Default: None.
determines the priority for a new policy by adding n to the current highest priority for that policy category, where n is the automatic priority increment value. When a policy is added with this mechanism, it becomes the last policy evaluated before the default policy in the category; you might have to modify the priority value for your policies. Using IPSec with IPFilter HP-UX IPFilter is located below HP-UX IPSec in the networking stack.
6 Using the apache Template This chapter describes how to use the apache template to add configuration data for hosting an HP-UX Apache-based Web Server in an SRP compartment. You can also use the apache template to delete or modify the apache template data for a compartment.
Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67). Apache data path The root directory for Apache data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (unlink) the contents of these directories. Variable Name: data_path.
Default: None. Configuration Data If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file. SRP configures rules that allow inbound packets from any remote IP address to the compartment IP address with the specified destination TCP port numbers. SRP also specifies the keep state keywords to allow outbound responses for these packets.
Apache HTTPS port number Specifies the TCP port number on which the compartment Apache server will receive HTTPS (SSL) requests. Variable Name: https_port. Valid Input: A TCP port number in the range 1-65535. Default: 443, the IANA registered port number for HTTPS. Start Apache at system start time Specifies if you want to add a script to the compartment init directory structure to start Apache. The script is automatically executed at system start time. Variable Name: start_apache.
Replacing or Deleting Apache SRP Data Use the following command to replace apache template data in an SRP compartment: srp -r[eplace] compartment_name -t apache [-s service[,service]...] The srp -replace command deletes the specified data, then prompts you for replacement data.
7 Using the custom Template The custom template enables you to specify additional Security Containment file access rules and IPFilter rules for an SRP compartment. You can also use the custom template to accommodate additional applications in an SRP compartment, or to add compartment or IPFilter rules to increase security controls for an SRP compartment. You can use the custom template to add data to an SRP compartment multiple times without removing or replacing previously configured data.
services that are valid with the custom template. If you are using the factory-configured default services, the only valid default service is cmpt. The input data for these services and the data configured are described in the sections that follow. If SRP uses input data for multiple services, the srp utility prompts you for the data once and reuses the value. The cmpt Service The cmpt service for the custom template applies additional compartment rules to your compartment.
The ipfilter Service The ipfilter service for the custom template enables you to allow inbound packets to specific TCP or UDP port numbers. Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67). IPFilter TCP port numbers Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports.
srp -d[elete] compartment_name -t custom [-s service[,service]...] [-id instance] CAUTION: If you do not specify the -template and -service arguments, srp deletes the compartment or replaces all data for the compartment. For example, the srp -delete myCmpt command deletes the myCmpt SRP compartment. For more information, see “Deleting Configuration Data” (page 69) and “Replacing Configuration Data” (page 69).
8 Using the oracledb Template This chapter describes how to use the oracledb template to add configuration data for hosting an Oracle Database Server in an SRP compartment. At the time this document was published, HP had certified this template with the Oracle 10g Database Server. You can also use the oracledb template to delete or modify the oracledb template data for a compartment.
Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67). Oracle executable path The root directory for Oracle executables. The cmpt service adds rules to allow the compartment read access to this directory. Because this parameter is configured per compartment, you can run different versions of the Oracle Database server product on the system.
Configuration Data If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file. SRP configures rules that allow inbound packets from any remote IP address to the compartment IP address with the specified destination TCP port numbers. SRP also specifies the keep state keywords to allow outbound responses for these packets.
9 Using the sshd Template This chapter describes how to use the sshd template to add configuration data for hosting an HP-UX Secure Shell daemon (sshd) in an SRP compartment. You can also use the sshd template to delete or modify the sshd template data for a compartment.
Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67). sshd data path Specifies the compartment-specific target directory for sshd configuration and key files. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/ssh. sshd executable path The location of the executables for the HP-UX Secure Shell product. Variable Name: exec_path.
The provision Service The provision service executes the customizable script /opt/hpsrp/bin/util/secsh_setup to provision (deploy) an sshd service in the SRP compartment. This script also configures the SRP compartment to start the sshd daemon when the compartment starts. Because the SRP compartment starts at system startup time, an sshd daemon will automatically start in the compartment at system startup time.
and modifying it with compartment-specific data, including setting the HostKey parameter to /var/hpsrp/compartment_name/opt/ssh/ssh_host_rsa_key.
• Creates compartment-specific initialization scripts and startup file to start the sshd with the compartment-specific sshd_config file when the compartment startup script is executed. The setup script:
— Creates the compartment-specific startup configuration file, /var/hpsrp/compartment_name/etc/rc.config.
10 Starting and Stopping SRP Compartments
This chapter describes how to start and stop SRP compartments. For complete syntax information, see srp(1m). This chapter addresses the following topics:
• “SRP Startup and Shutdown Processing” (page 65)
• “Starting an SRP Compartment” (page 66)
• “Stopping an SRP Compartment” (page 66)
SRP Startup and Shutdown Processing
By default, all SRP compartments are automatically started at system startup time and are automatically stopped at system shutdown time.
NOTE: Note that the numeric portion of the subdirectory name does not correspond to the system run level at which the scripts are executed. The system run level at which the scripts are executed is determined by the run level at which the SRP master script, /sbin/init.d/ srp, runs (run level 3 when the system starts up and at run level 2 when the system shuts down). At system startup or shutdown time, the SRP scripts are executed as follows: • The /sbin/init.
11 Managing SRP Data This chapter describes how to add, update, delete, list, and manage SRP data. For complete syntax information, see srp(1m).
Table 11-1 Valid Services
Template    Valid Services
base        admin, cmpt, init, ipfilter, ipsec, login, network, prm
apache      cmpt, ipfilter, provision
custom      cmpt, ipfilter, provision
oracledb    cmpt, ipfilter
sshd        cmpt, ipfilter, provision
If you specify multiple services, srp processes each service for each template in the order specified. You can apply a service for the custom template multiple times to an SRP compartment without replacing or removing previously configured data.
The srp utility skips the prompt for the ip_address variable in the interactive dialog and uses the specified value, unless you use it with the -batch option. If you use it with the -batch option, it uses the default values for the other parameters, as described in “Using srp in Batch Mode” (page 72). Deleting Configuration Data Use the following command to delete template or service data from an SRP compartment: srp -d[elete] compartment_name [-t[emplate] template[,template]...
Default: All templates configured for the SRP compartment. service Specifies the name of the service data to replace. If you specify multiple services, srp processes each service for each template in the order specified. Default: All services configured for the template. Specifies a unique string identifier used to identify an instance of a template usage for templates that can be applied multiple times. This is valid for the custom template only and is ignored for all other templates.
Default: base. service Specifies the service for which you want to display parameters. If you specify multiple services, srp processes each service for each template in the order specified. Table 11-1 lists the services valid for each template. Default: The default services that are valid for the template. The factory configured default services are: adm, cmpt, init, login, network, and prm.
Default: None. Using srp in Batch Mode Adding the -batch or -b option to an srp command runs the utility in batch mode. Instead of prompting the user for input, srp uses the default values for input variables. If there is no default value for an input variable, you must specify the value in the command line. For example: /opt/hpsrp/bin/srp -add myCmpt -batch ip_address=192.0.2.
In order to restore the system environment, the following directories and files must be removed: /etc/cmpt/myNewCmpt.rules Move files and restore? [y] If you respond y (yes), srp_restore prompts for a target directory to store the new files: Save moved files to directory: The srp_restore script moves the new files and directories to the specified directory, then deletes the existing contents of the backed up directories and restores the files in the backup directory.
12 Verifying and Troubleshooting SRP This chapter contains procedures for verifying and troubleshooting SRP. This chapter addresses the following topics: • “Verification Procedures” (page 75) • “Troubleshooting Procedures” (page 79) • “Reporting Problems ” (page 80) Verification Procedures The following sections contain procedures to verify the subsystem data configured by SRP.
• Use the authadm command to verify the authorization information configured for the compartment: authadm list object=compartment_name For the admin service, you should see the following entry: SRPadmin-compartment_name: (hpux.SRPadmin.compartment_name,compartment_name) For the login service, you should see the following entry: SRPlogin-compartment_name: (hpux.security.compartment.
Tue Oct 14 13:03:11 2008    Sample: 1 second
CPU scheduler state: Enabled

                          CPU      CPU     CPU     LCPU
PRM Group       PRMID   Entitle    Max     Used    State
________________________________________________________________________
OTHERS              1    21.88%            3.06%
EntDir              2    29.17%    80%    24.10%
MktWeb              3    21.88%    45%    12.36%
SRP2                4    14.58%    25%    22.88%
MktDB           65536    12.50% 12.
For example:
----------------- Configured Host Policy Rule ------------------
Rule Name: SRP-web2-base-1 ID: 7 Priority: 30
Src IP Addr: 192.0.2.1 Prefix: 32 Port number: 0
Dst IP Addr: 10.2.2.
Troubleshooting Procedures The following sections contain troubleshooting procedures. Using the Security Containment Compartment Discover Feature In a secure environment, you can use the Security Containment discover feature to remove compartment restrictions and view the rules that are needed to allow access. (If you are not in a secure environment, you can use IPFilter to allow access from only trusted systems before removing compartment restrictions.
Another method to test if IPFilter rules are blocking access to the compartment applications is by disabling the IPFilter module. CAUTION: Enabling or disabling IPFilter briefly brings down all IP interfaces on the system, then brings up all IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. This causes the system to briefly lose network connectivity and removes all dynamically configured IP interfaces.
NOTE: The ITRC resource forums at http://www.itrc.hp.com offer peer-to-peer support to solve problems and are free to users after registration. If this is a new problem or if you need additional help, log your problem with the HP Response Center, either on line through the support case manager at http://www.itrc.hp.com, or by calling HP Support.
13 Customizing SRP Data This chapter describes procedures for customizing SRP data. It addresses the following topics: • “Modifying Provision Scripts” (page 83) • “Modifying Compartment Rule Include Files” (page 83) • “Manually Editing SRP Configuration Data” (page 84) Modifying Provision Scripts A provision script performs the tasks needed to provision or deploy an application in an SRP compartment.
NOTE: Creating an empty Security Compartment rules file for the base template files affects all compartments using this file, including those previously created. This practice is recommended in a highly secure environment to ensure that all compartments use rules that are explicitly configured, and no compartments are using default rules. 3. 4. Determine the minimum set of rules that you need for a compartment and add them to the new file (myCustom.srp_incl in this example).
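When working out the minimum rule set for a compartment, it helps to list the grants in an existing rules or include file that let the compartment modify system directories. The following POSIX shell function is an added example, not part of HP's documentation or the SRP product; it reports `perm` rules that grant all, write, create, or unlink access on a sensitive directory. The function names, the SENSITIVE_DIRS list, the keywords create and unlink (taken from compartments(4) rather than from this guide), and the constructed sample rules are assumptions of this illustration.

```shell
#!/bin/sh
# Added example, not HP code: flag broad file grants in a Security
# Containment rules or include file (for instance myCustom.srp_incl).

# Directories treated as sensitive (assumed list; adjust per system).
SENSITIVE_DIRS=${SENSITIVE_DIRS:-"/ /etc /sbin /usr /opt /dev"}

# audit_rules [FILE...]
# Reads rules from FILE or stdin and prints "<LEVEL> <permissions> <path>"
# for each perm rule that lets the compartment modify a sensitive
# directory. LEVEL is ALL (perm all) or MODIFY (write, create, unlink).
audit_rules() {
    awk -v dirs="$SENSITIVE_DIRS" '
    BEGIN { n = split(dirs, d, " ") }
    {
        # Remove C-style comments, which can span several lines.
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "*/")
                if (i == 0) break
                line = substr(line, i + 2); in_comment = 0
            } else {
                i = index(line, "/*")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 2); in_comment = 1
            }
        }
        $0 = out    # re-split the comment-free text into fields
    }
    $1 == "perm" && NF >= 3 {
        path = $NF
        # The permission list may contain spaces after commas: join it.
        perms = ""
        for (k = 2; k < NF; k++) perms = perms $k
        m = split(perms, p, ",")
        level = ""
        for (k = 1; k <= m; k++) {
            if (p[k] == "all") level = "ALL"
            else if (level == "" && p[k] ~ /^(write|create|unlink)$/) level = "MODIFY"
        }
        if (level == "") next          # read or nsearch only: not reported
        for (k = 1; k <= n; k++) {
            # Match the directory itself or anything beneath it; "/" is
            # matched exactly so that it does not cover every path.
            if (path == d[k] || (d[k] != "/" && index(path, d[k] "/") == 1)) {
                print level, perms, path
                next
            }
        }
    }' "$@"
}

# Constructed sample: rule lines in the style of the Appendix B listing,
# plus two constructed rules that use a comma-separated permission list.
sample_rules() {
    cat <<'EOF'
/*
 **********************************************************************
 * no access to anything under root unless otherwise granted
 **********************************************************************
 */
perm nsearch /
perm all /dev
perm all /etc
perm all /home
perm read /etc/pam.conf
perm read,write /var/hpsrp/myCmpt/tmp   /* constructed */
perm read, unlink /etc/rc.config.d      /* constructed */
EOF
}

sample_rules | audit_rules
```

Each reported line is a grant to either justify for the hosted application or replace with a narrower rule in the custom include file.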
RBAC and Compartment Login Tag Format
Data is stored in files under the /etc/rbac directory. HP recommends that you use RBAC commands (roleadm, authadm, cmdprivadm) to modify RBAC data. SRP identifies RBAC data for the admin service by using the following values:
• Role name: SRPadmin-compartment_name for the compartment
• Authorization: hpux.SRPadmin.compartment_name for the compartment
• Command privilege: hpux.SRPadmin.
SRP indicates the end of the data with the following tag: #@tag-end; IPSec Tag Format IPSec stores configuration data in the IPSec database, /var/adm/ipsec/config.db. To modify the contents of the IPSec database, you must use the ipsec_config utility.
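Before editing a file that SRP also manages, it helps to see which lines fall inside SRP's tagged blocks. The following POSIX shell function is an added example, not HP code: it lists each tagged block with its compartment, template, service, id, and line range, and marks blocks that have no #@tag-end; line. The start-tag form is taken from the Appendix B listing; accepting it with or without a leading #, the function names, and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not HP code: inventory SRP-tagged blocks in a
# configuration file such as /etc/prmconf before editing it by hand.

# list_srp_blocks [FILE...]
# Prints "<compartment> <template> <service> <id> <first>-<last> <state>"
# for each block, where <state> is ok, UNTERMINATED, or STRAY-END.
list_srp_blocks() {
    awk '
    # Return the quoted value of attribute key in tag line s, or "?".
    function attr(s, key,    re) {
        re = key "=\"[^\"]*\""
        if (!match(s, re)) return "?"
        return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    }
    function report(last, state) {
        print attr(tag, "compartment"), attr(tag, "template"), \
              attr(tag, "service"), attr(tag, "id"), first "-" last, state
    }
    # Start tag; the leading "#" is optional (assumption, see lead-in).
    /^#?[ \t]*@tag-start[ \t]/ {
        if (in_block) report(NR - 1, "UNTERMINATED")
        in_block = 1; tag = $0; first = NR
        next
    }
    # End tag as documented: #@tag-end;
    /^#?[ \t]*@tag-end[ \t]*;/ {
        if (in_block) report(NR, "ok")
        else print "?", "?", "?", "?", NR "-" NR, "STRAY-END"
        in_block = 0
        next
    }
    END { if (in_block) report(NR, "UNTERMINATED") }
    ' "$@"
}

# Constructed sample: the myCmpt block follows the Appendix B listing;
# the first line and the unterminated web2 block are constructed.
sample_prmconf() {
    cat <<'EOF'
OTHERS:1:100::
#@tag-start compartment="myCmpt" template="base" service="prm" id="1" ;
myCmpt:3:10::
#!PRM_MEM:myCmpt:10::::
#!SCOMP:myCmpt:myCmpt
#@tag-end;
#@tag-start compartment="web2" template="base" service="prm" id="1" ;
web2:4:10::
EOF
}

sample_prmconf | list_srp_blocks
```

Lines outside every reported range are not SRP-managed; an UNTERMINATED or STRAY-END entry means the tags were damaged by an earlier manual edit and should be repaired before srp is run against that compartment again.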
A Product Specifications This appendix contains product specifications. Product Files and Directories The following sections list the files and directories installed with the SRP product. The /opt/hpsrp Directory /opt/hpsrp/bin /opt/hpsrp/bin/util Contains the srp and srp_setup utilities. Contains the following files: apache_setup, Scripts executed by the provision secsh_setup service for the apache and sshd templates. These files are customizable.
/etc/cmpt
    Directory for Security Containment compartment rules files.
/etc/prmconf
    Default PRM configuration file.
/etc/rbac
    Directory for RBAC configuration database files. This directory contains the following files:
    • auths
    • cmd_priv
    • role_auth
    • roles
    • user_role
/etc/rc.config.d/nddconf
    File for transport kernel parameters (SRP modifies this file to enable strong ES).
/etc/rc.config.d/netconf, /etc/rc.config.d/netconf-ipv6
    IP configuration files.
/etc/opt/ipf/ipf.
B Configuration Example

This appendix includes a sample SRP compartment configuration.

Sample Base Configuration

The following listing shows the data for a compartment created using the base template and the default services. The user configured the IP address 192.0.2.1 for the compartment address and lan1 for the network interface, and accepted the default values for all other variables. The compartment rules file (/etc/cmpt/myCmpt.
//etc/rc.config.d/srpconf: START_SRP[1]=1

Compartment: myCmpt Template: base Service: prm
----------------------------------------------------------------------
PRM Configuration (/etc/prmconf):
@tag-start compartment="myCmpt" template="base" service="prm" id="1" ;
myCmpt:3:10::
#!PRM_MEM:myCmpt:10::::
#!SCOMP:myCmpt:myCmpt

Compartment: myCmpt Template: base Service: network
----------------------------------------------------------------------
Compartment Configuration (/etc/cmpt/myCmpt.
access ipc, fifo, uxsock init

/* **********************************************************************
 * no access to anything under root unless otherwise granted
 ********************************************************************** */
perm nsearch /

/* **********************************************************************
 * full access directories for application compartments
 ********************************************************************** */
perm all /dev
perm all /etc
perm all /home
perm all /n
perm read /etc/pam.conf
perm read /etc/cmpt
perm read /etc/rbac
perm read /etc/prmconf
perm read /etc/rc.config.d/netconf
perm read /etc/rc.config.
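The listing grants perm all on /etc and then narrows the SRP, RBAC and PRM files beneath it to perm read. The following Python is an added example, not from the HP documentation or the SRP product, that checks a rules file for that pattern and for the perm nsearch / default; it assumes the most specific rule on a path takes precedence, and both inputs are constructed.

```python
import re

READ_ONLY = {"read", "nsearch"}   # modes from the listing that cannot modify

def parse_perm_rules(text):
    """Return {path: set_of_modes} for every 'perm <modes> <path>' line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip /* ... */ blocks
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "perm":
            modes = {m for tok in parts[1:-1] for m in tok.split(",") if m}
            rules[parts[-1].rstrip("/") or "/"] = modes
    return rules

def effective(rules, path):
    """Closest rule at or above path (assumed precedence: most specific wins)."""
    probe = path.rstrip("/") or "/"
    while probe not in rules:
        if probe == "/":
            return None, set()
        probe = probe.rsplit("/", 1)[0] or "/"
    return probe, rules[probe]

def audit(text, protected):
    """List findings: missing default deny, or protected paths left writable."""
    rules = parse_perm_rules(text)
    findings = []
    if rules.get("/") != {"nsearch"}:
        findings.append("no 'perm nsearch /' default rule")
    for path in protected:
        source, modes = effective(rules, path)
        if not modes <= READ_ONLY:
            findings.append(f"{path}: {'/'.join(sorted(modes))} via {source}")
    return findings

PROTECTED = ["/etc/cmpt", "/etc/rbac/roles", "/etc/prmconf"]  # paths from this page
# Constructed: LISTING condenses Appendix B; LOOSE drops two of its rules.
LISTING = """/* no access to anything under root unless otherwise granted */
perm nsearch /
perm all /etc
perm read /etc/cmpt
perm read /etc/rbac
perm read /etc/prmconf
"""
LOOSE = LISTING.replace("perm nsearch /\n", "").replace("perm read /etc/rbac\n", "")

if __name__ == "__main__":
    print(audit(LISTING, PROTECTED), audit(LOOSE, PROTECTED), sep="\n")
```

The second result shows what removing the /etc/rbac override costs: the role database falls back to the broad /etc rule and becomes writable from inside the compartment.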