HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

13 Customizing SRP Data
This chapter describes procedures for customizing SRP data. It addresses the following topics:
“Modifying Provision Scripts” (page 83)
“Modifying Compartment Rule Include Files” (page 83)
“Manually Editing SRP Configuration Data” (page 84)
Modifying Provision Scripts
A provision script performs the tasks needed to provision or deploy an application in an SRP
compartment. These tasks can include copying data from the normal installation directory for
an application to the home directory for the SRP compartment. The srp utility passes selected
srp utility arguments and variables to the provision scripts, such as the compartment name,
compartment IP address, compartment data and execution paths, and other application-specific
variables.
You can modify the provision scripts to add tasks needed to deploy an application. The provision
scripts are as follows:
Apache: /opt/hpsrp/bin/util/apache_setup
SSHD: /opt/hpsrp/bin/util/secsh_setup
Modifying Compartment Rule Include Files
The srp utility uses include files to configure Security Containment compartment rules. There
is an include file for each template type. If you modify the contents of an include file for a template
type, all SRP compartments configured with the cmpt service for that template will use the
modified include file. The include file names have the following format:
/opt/hpsrp/etc/cmpt/template_name.srp_incl
For example, /opt/hpsrp/etc/cmpt/apache.srp_incl.
Securing SRP Compartments with Compartment Rule Include Files
The base template rules file delivered with the product provides a rule set designed to allow
maximum application compatibility while providing restricted access to files that applications
or user sessions do not need to modify or access. To increase the security of your environment,
you can replace this file with a more restrictive rule set tuned to your application requirements
and local security policy.
To create an environment with the minimal compartment access rights, you can use a procedure
such as the following:
1. Make a copy of the default base compartment rules file,
/opt/hpsrp/etc/cmpt/base.srp_incl. For example:
# cd /opt/hpsrp/etc/cmpt/
# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty Security
Compartment rules file. A compartment that uses only this file for its compartment rule set
will have no access to any files, system IPC, or network interfaces.
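The two steps above, rehearsed as a shell script against a scratch copy of the cmpt directory so that nothing under /opt/hpsrp is touched. This is an added example and not part of the HP-UX SRP guide: the SRP_ETC_DIR variable, the function names, the backup naming and the contents of the sample base.srp_incl are all assumptions, and the sample rule lines are constructed placeholders rather than the product's rule syntax. Step 1 keeps the delivered rule set under a custom name and refuses to overwrite an existing custom file; step 2 backs up base.srp_incl and then empties it, which is what leaves a compartment built from it alone with no file, IPC or network access.

```shell
#!/bin/sh
# Added example, not from the SRP guide. Set SRP_ETC_DIR=/opt/hpsrp/etc to run
# against a real system; by default it works in a throwaway directory.
SRP_CMPT_DIR="${SRP_ETC_DIR:-$(mktemp -d)}/cmpt"

# Constructed stand-in for the delivered base.srp_incl (placeholder syntax only).
seed_base_rules() {
    mkdir -p "$SRP_CMPT_DIR"
    cat > "$SRP_CMPT_DIR/base.srp_incl" <<'EOF'
# constructed sample: stand-in for the delivered base template rules
permission read /etc
permission read,write /var/tmp
EOF
}

# Step 1: preserve the delivered rule set under a custom name (default
# myCustom.srp_incl); fail rather than clobber an existing custom file.
save_custom_copy() {
    custom="$SRP_CMPT_DIR/${1:-myCustom}.srp_incl"
    if [ -e "$custom" ]; then
        echo "refusing to overwrite $custom" >&2
        return 1
    fi
    cp "$SRP_CMPT_DIR/base.srp_incl" "$custom" && chmod 0644 "$custom"
}

# Step 2: keep a timestamped backup of base.srp_incl, then truncate it to an
# empty rules file.
empty_base_rules() {
    base="$SRP_CMPT_DIR/base.srp_incl"
    cp "$base" "$base.orig.$(date +%Y%m%d%H%M%S)" && : > "$base"
}

# Count non-blank, non-comment lines so the result of step 2 can be verified:
# the emptied base file must report 0, the custom copy must not.
rule_count() {
    grep -c -v -E '^[[:space:]]*(#.*)?$' "$1" 2>/dev/null || true
}

# Runs both steps and returns 0 only if base.srp_incl ended up empty while
# the custom copy still carries the original rules.
run_rehearsal() {
    seed_base_rules
    save_custom_copy myCustom || return 1
    empty_base_rules || return 1
    [ "$(rule_count "$SRP_CMPT_DIR/base.srp_incl")" = "0" ] || return 1
    [ "$(rule_count "$SRP_CMPT_DIR/myCustom.srp_incl")" != "0" ]
}
```

Call run_rehearsal to execute the whole sequence; on a real host, run the rehearsal in the scratch directory first, inspect the resulting files, and only then repeat it with SRP_ETC_DIR pointing at /opt/hpsrp/etc.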
Modifying Provision Scripts 83