HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

12 Verifying and Troubleshooting SRP
This chapter contains procedures for verifying and troubleshooting SRP. This chapter addresses
the following topics:
“Verification Procedures” (page 75)
“Troubleshooting Procedures” (page 79)
“Reporting Problems” (page 80)
Verification Procedures
The following sections contain procedures to verify the subsystem data configured by SRP.
Verifying SRP Subsystems
You can use the srp_setup utility to quickly verify the status of the subsystems with data
managed by SRP.
Verifying Security Containment Compartment Data
Use the following procedures to verify Security Containment Compartment configuration data:
1. Verify that the compartment rules are loaded into the kernel. Enter the following command:
getrules -m compartment_name
2. Manually test the file access rules.
Log in to the SRP compartment and attempt file access operations that should succeed or
fail, such as cd and touch commands on files that should not be accessible from the SRP. From the INIT
compartment, you can create a temporary file in a directory for which the SRP compartment
does not have unlink (delete) access. Then log in to the SRP compartment and attempt to delete
the file, which should fail.
3. Verify that the processes configured for the SRP compartment are running in the
compartment.
Use the ps -ef command to find the PID of each application in your SRP compartment. For
example:
# ps -ef | grep sshd
root 968 1 0 Oct 14 ? 0:00 /usr/sbin/sshd
Then use the getprocxsec -c pid command to display the compartment in which the process
is running. For example:
# getprocxsec -c 968
cmpt= SRP2
If an application fails in a compartment and you want to determine whether the failure is
caused by Security Containment rules, you can use the HP-UX audit utility to configure and
view audit entries and see whether operations are failing because of permission problems.
One method to reduce the number of unrelated audit entries is to disable auditing for all
users, then enable auditing only for the user ID under which the application runs. Next, configure
auditing for failed attempts at common file and IPC operations. For example:
audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
-e ipcclose -s kill
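The file-access probes of step 2 and the process check of step 3 repeat on every SRP, so they are worth scripting. The following shell script is an added example and is not part of the HP-UX SRP guide. It assumes that getprocxsec -c prints a "cmpt= NAME" line as shown above; when getprocxsec is not installed (for example when trying the script on a non-HP-UX machine), it falls back to a constructed PID-to-compartment table that is sample data, not output from a real host. The pids_matching helper assumes the PID is the second column of ps -ef output, as in the example above.

```shell
#!/bin/sh
# Added example: SRP verification helpers (not from the HP-UX SRP guide).
# Assumes getprocxsec -c prints "cmpt= NAME" as shown in the chapter. When
# getprocxsec is not installed, a constructed PID table stands in for it.

# Extract the compartment name from a "cmpt= NAME" line.
parse_cmpt() {
    printf '%s\n' "$1" | sed -n 's/^cmpt=[[:space:]]*//p'
}

# Compartment of one PID: a real query on HP-UX, constructed sample elsewhere.
cmpt_of_pid() {
    if command -v getprocxsec >/dev/null 2>&1; then
        parse_cmpt "$(getprocxsec -c "$1")"
    else
        case $1 in                  # constructed sample data, not a real host
            968|1024) echo SRP2 ;;
            1311)     echo INIT ;;
            *)        echo UNKNOWN ;;
        esac
    fi
}

# PIDs of processes whose ps -ef line matches a pattern (PID is column 2);
# the awk process doing the matching is excluded from the result.
pids_matching() {
    ps -ef | awk -v pat="$1" '$0 ~ pat && $0 !~ /awk/ { print $2 }'
}

# Check that every listed PID runs in the expected compartment. Prints one
# line per PID; the return value is the number of mismatches (0 = all good).
verify_compartment() {
    expected=$1; shift
    bad=0
    for pid in "$@"; do
        actual=$(cmpt_of_pid "$pid")
        if [ "$actual" = "$expected" ]; then
            printf 'PID %s: OK (cmpt=%s)\n' "$pid" "$actual"
        else
            printf 'PID %s: MISMATCH expected %s, got %s\n' "$pid" "$expected" "$actual"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run an operation that the compartment rules should let "succeed" or make
# "fail", and report whether the observed outcome matches. Returns 0 on a
# match, 1 otherwise, so a list of these calls documents the expected policy.
expect_outcome() {
    want=$1; shift
    if "$@" >/dev/null 2>&1; then got=succeed; else got=fail; fi
    if [ "$got" = "$want" ]; then
        printf 'OK   : %s (%s)\n' "$*" "$got"
        return 0
    fi
    printf 'FAIL : %s was expected to %s but did %s\n' "$*" "$want" "$got"
    return 1
}

# Example run: the sshd PID from the chapter, then a delete that must fail.
verify_compartment SRP2 968
expect_outcome fail rm /nonexistent_srp_probe/file
```

On an SRP host you would replace the literal PID with `pids_matching sshd` and the probe path with the temporary file created from the INIT compartment, then run the script from inside the SRP compartment so that the file-access outcomes reflect that compartment's rules.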
Verifying RBAC Data
Use the following procedures to verify RBAC configuration data:
Verification Procedures 75