HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

Security Containment Compartments
A Security Containment compartment is an environment with an isolated file directory
structure, isolated IPC, and isolated networking I/O for the processes and users in the
compartment. If a process in a compartment is compromised, it cannot damage other parts
of the system because it is isolated by the compartment configuration.
HP-UX Role-Based Access Control (RBAC)
HP-UX Role-based Access Control (RBAC) is an alternative to the traditional "all-or-nothing"
root user model, which grants permissions to the root user for all operations and denies
permissions to non-root users for certain operations.
RBAC checks if an entity (such as a user or process) has the proper authorization value to
perform an operation on a system resource. With RBAC, you can configure specific users
to have access to specific resources such as files and executables. You can also configure the
type of access allowed. For example, you can use RBAC so that only specific users can execute
a given utility.
The RBAC configuration structure assigns authorization values to roles and assigns users
(or subjects, which can also be executables) to roles. This structure enables you to assign a
user to multiple roles, which permits a user to have multiple authorization values. This also
enables you to configure users that share some authorization values but not necessarily
share all of the same authorization values.
Compartment Login
The compartment login feature enables you to control which compartment a user is allowed
to log in to and which users are allowed to log in to a compartment. For example, you can
configure the system so that only specific users can log in to a given compartment.
The compartment login feature is often used with a remote login service such as HP-UX
Secure Shell (SSH) to create a restricted environment for remote users.
You can configure all three of the Security Containment components to work together. For
example, you can create a Security Containment compartment, cmpt1, with limited file access.
You then define a role with the RBAC authorization to log in to cmpt1, and assign the user
user1 to that role. This enables you to configure the system so that user1 can log in only to
cmpt1 and access only the files available to cmpt1. You can also use RBAC to configure the
system so that an executable can run in only cmpt1. These security restrictions are examples of
only a small subset of the restrictions and conditions you can configure using HP-UX Security
Containment. For more information, see HP-UX System Administrator's Guide: Security Management:
HP-UX 11i Version 3.
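The role structure described above (authorization values assigned to roles, users or executables assigned to one or more roles, a subject's effective authorizations being the union over its roles) can be modelled directly. The following Python is an added illustration, not HP-UX RBAC code or its command syntax; the authorization names such as "cmpt.login" and the subjects user1, user2 and /opt/app/bin/agent are constructed for the example.

```python
# Illustrative RBAC model (constructed example, not HP-UX's implementation):
# an authorization is an (operation, object) pair; roles hold authorizations;
# subjects (users or executables) hold roles and inherit the union of them.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass(frozen=True)
class Authorization:
    operation: str   # hypothetical operation name, e.g. "cmpt.login"
    obj: str         # object the operation applies to, "*" for any object

    def covers(self, operation: str, obj: str) -> bool:
        return self.operation == operation and self.obj in ("*", obj)


@dataclass
class RbacConfig:
    role_auths: Dict[str, Set[Authorization]] = field(default_factory=dict)
    subject_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def add_role(self, role: str, *auths: Authorization) -> None:
        self.role_auths.setdefault(role, set()).update(auths)

    def assign(self, subject: str, role: str) -> None:
        if role not in self.role_auths:
            raise KeyError(f"undefined role {role!r}")
        self.subject_roles.setdefault(subject, set()).add(role)

    def effective_auths(self, subject: str) -> Set[Authorization]:
        # A subject in several roles gets every authorization of every role.
        roles = self.subject_roles.get(subject, set())
        return set().union(*(self.role_auths[r] for r in roles))

    def is_authorized(self, subject: str, operation: str, obj: str) -> bool:
        return any(a.covers(operation, obj) for a in self.effective_auths(subject))


def build_example() -> RbacConfig:
    """Constructed scenario following the guide's cmpt1 / user1 example."""
    cfg = RbacConfig()
    cfg.add_role("cmpt1_login", Authorization("cmpt.login", "cmpt1"))
    cfg.add_role("cmpt1_reader", Authorization("file.read", "cmpt1"))
    cfg.add_role("cmpt2_login", Authorization("cmpt.login", "cmpt2"))
    cfg.assign("user1", "cmpt1_login")            # user1 may log in only to cmpt1
    cfg.assign("user1", "cmpt1_reader")           # second role: shared authorization
    cfg.assign("user2", "cmpt1_login")            # user2 shares cmpt1 login with user1
    cfg.assign("user2", "cmpt2_login")            # ...but also holds cmpt2 login
    cfg.assign("/opt/app/bin/agent", "cmpt1_login")   # an executable as subject
    return cfg
```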
HP Process Resource Manager (PRM)
HP Process Resource Manager (PRM) manages processor and memory allocation and enables
you to configure dedicated resources for an SRP compartment. PRM can guarantee a minimum
allocation of system resources available to a set of users and applications joined in a PRM group.
Each PRM group is allocated certain amounts of system resources, including CPU bandwidth,
core processors, memory, and disk bandwidth.
IP Interfaces
You can use SRP to create an IP interface for exclusive use by the compartment. You do not have
to use a dedicated network interface card for this IP interface; you can create a logical IP interface
on a network interface card.
An SRP compartment can also use an IP interface that is already in use by the system if it is not
assigned to another compartment.