HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

Input Data
SRP prompts for the following data. You can also specify a variable name and value in the
command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment”
(page 67).
Unix group for compartment login
    Name of the HP-UX user group whose members are authorized to log in to the
    compartment. This group must already exist in the HP-UX group database
    (/etc/group).
    Variable Name: login_group.
    Default: adm.
Configuration Data
The login service controls login access to the compartment using the Security Containment
compartment login feature. It uses RBAC authorizations to allow members of a specified Unix
group to pass PAM authentication in the module pam_hpsec, which controls PAM-enabled
authentication services (used by login, ftp, and other user session services) occurring within
a compartment.
The login service performs the following tasks:
- Creates the role SRPlogin-compartment_name. SRP uses the roleadm add command
  to perform this task.
- Assigns the specified group ID to the SRPlogin-compartment_name role. SRP uses
  the roleadm assign command to perform this task.
- Assigns the SRPlogin-compartment_name role login authorization (the
  authorization hpux.security.compartment.login) for the compartment. SRP uses
  the authadm command to perform this task.
The ipfilter Service
The ipfilter service configures HP-UX IPFilter for the compartment. The base SRP IPFilter
configuration allows the following packets to pass:
- All outbound packets from the compartment IP address.
- Inbound TCP, UDP, and ICMP responses to packets sent from the compartment IP address.
- All inbound ICMP packets to the compartment IP address.
All other inbound packets are blocked.
You can also configure IPFilter to allow inbound and outbound IPsec packets to pass.
Input Data
SRP prompts for the following data. You can also specify a variable name and value in the
command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment”
(page 67).
Add IPFilter rules for IPsec?
    Specifies whether or not you want to add IPFilter rules to allow IPsec
    packets to pass.
    Variable Name: ipf_for_ipsec.
    Valid Input: yes or no.
    Default: no.
Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the
/etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds
IPFilter rules to the /etc/opt/ipf/ipf6.conf file.
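The following shell script is an added example and is not code from this guide or from SRP itself. It writes out an IPFilter rule set that mirrors the base policy described above (all outbound traffic passes, stateful responses return, inbound ICMP passes, everything else inbound is blocked) and selects the configuration file by address family as the preceding paragraph describes. The interface name lan0, the addresses 192.0.2.10 and 2001:db8::10, and the function names are constructed for the example; the IPsec rules it emits for ipf_for_ipsec=yes (ESP, AH, and IKE on UDP port 500) are an assumption, because the guide does not list the exact rules SRP adds.

```shell
#!/bin/sh
# Added example, not from the HP-UX SRP guide: build an IPFilter rule set that
# follows the base SRP policy and choose the configuration file by address
# family. Interface and addresses below are constructed values.

# Select the IPFilter configuration file the way the guide describes:
# IPv4 addresses go to ipf.conf, IPv6 addresses to ipf6.conf.
srp_ipf_conf_path() {
    case "$1" in
        *:*) echo /etc/opt/ipf/ipf6.conf ;;
        *)   echo /etc/opt/ipf/ipf.conf ;;
    esac
}

# Print the rule set for one compartment address.
#   $1  compartment IP address (IPv4 or IPv6)
#   $2  network interface the address is configured on
#   $3  "yes" to also pass IPsec traffic (the ipf_for_ipsec variable), default "no"
srp_ipf_rules() {
    addr=$1
    ifc=$2
    ipsec=${3:-no}

    # IPv6 ICMP has its own protocol name in IPFilter rule syntax.
    case "$addr" in
        *:*) icmp=ipv6-icmp ;;
        *)   icmp=icmp ;;
    esac

    echo "# SRP-style base rules for compartment address $addr on $ifc"
    # Default deny: an inbound packet to the compartment address is blocked
    # unless a 'quick' pass rule or an existing state entry matches it.
    echo "block in on $ifc from any to $addr"
    # All outbound traffic from the compartment address may leave. 'keep state'
    # on TCP, UDP and ICMP creates the entries that let the replies back in.
    echo "pass out quick on $ifc proto tcp from $addr to any keep state"
    echo "pass out quick on $ifc proto udp from $addr to any keep state"
    echo "pass out quick on $ifc proto $icmp from $addr to any keep state"
    echo "pass out quick on $ifc from $addr to any"
    # All inbound ICMP to the compartment address is allowed.
    echo "pass in quick on $ifc proto $icmp from any to $addr"

    if [ "$ipsec" = yes ]; then
        # Assumed IPsec allowance (ESP, AH and IKE on UDP port 500); the guide
        # does not list the exact rules SRP adds, so these are illustrative.
        echo "pass in quick on $ifc proto esp from any to $addr"
        echo "pass in quick on $ifc proto ah from any to $addr"
        echo "pass in quick on $ifc proto udp from any to $addr port = 500"
    fi
}

# Example use: generate the rules for a constructed IPv4 compartment address
# and report which file SRP would edit for it.
srp_ipf_rules 192.0.2.10 lan0 no
echo "# would be written to: $(srp_ipf_conf_path 192.0.2.10)"
```

Because the `block in` rule is not marked `quick`, IPFilter keeps evaluating and the later `pass in quick` rule for ICMP wins for that protocol; responses to outbound TCP, UDP, and ICMP are matched by the state table before the rules are consulted at all. Run the script with an IPv6 address as the first argument to see the `ipv6-icmp` form that belongs in ipf6.conf.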