HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
NOTE: Creating an empty Security Compartment rules file for the base template files
affects all compartments using this file, including those previously created. This practice is
recommended in a highly secure environment to ensure that all compartments use rules
that are explicitly configured, and no compartments are using default rules.
3. Determine the minimum set of rules that you need for a compartment and add them to the
new file (myCustom.srp_incl in this example). For more information on creating a
deployment-specific compartment rules set, see HP-UX System Administrator's Guide: Security
Management: HP-UX 11i Version 3.
4. Use the custom template to associate this new rules file to compartments requiring the
specified access. For example:
# srp -a myCmpt -template custom -id myID
When srp prompts for Compartment rule files, enter the name of the new file (/opt/hpsrp/etc/myCustom.srp_incl in this example).
Manually Editing SRP Configuration Data
SRP marks the data it adds to subsystem configuration files and databases with tags, or text-string
identifiers. SRP uses these tags to locate the data it acts on during SRP replace and delete operations.
You can use these tags to identify and manually edit SRP configuration data and still use SRP
replace and delete operations to manage this data, provided that you leave the tag lines intact.
A quick way to identify configuration data managed by SRP is by using the following command:
srp -l compartment_name -v
Tag Formats
The general format for most tags that indicate the start of SRP data is as follows:
@tag-start 'compartment="compartment_name" template="template_name"
service="service_name" id="instance";
Where:
compartment_name
Specifies the SRP compartment name.
template_name
Specifies the name of the template used to configure the data.
service_name
Specifies the service name.
instance
A string used to identify an instance of a service applied to a
compartment. This field is meaningful only with the custom template,
which allows you to create multiple instances of service data for the
same template and compartment. For all other templates, the string is
always 1.
The specific tag format for each subsystem is described in the sections that follow.
Security Containment Compartment Tag Format
Data is stored in the /etc/cmpt/compartment_name.rules file by default. When SRP adds
data, it indicates the start of the data with the following tag:
//@tag-start 'compartment="compartment_name" template="template_name"
service="cmpt" id="instance";
SRP indicates the end of the data with the following tag:
//@tag-end;
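The following script is an added example, not part of the HP-UX SRP guide or of the srp command itself. It audits the SRP tags in a Security Containment rules file before and after hand editing: it lists every tagged block with its compartment, template, service and id fields and the line range it covers, reports a tag-start with no matching tag-end (the error that breaks later srp replace and delete operations), and can print the lines SRP manages for one instance id. The rules file content is a constructed sample written to a temporary file; the path /etc/cmpt/myCmpt.rules and the rule lines inside the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit SRP tag lines in a compartment rules file.
# Assumes the //@tag-start '...'; and //@tag-end; markers described above.

# Constructed sample standing in for /etc/cmpt/myCmpt.rules (assumed path).
make_sample_rules() {
    cat > "$1" <<'EOF'
// hand-written rules, not managed by SRP
sealed
//@tag-start 'compartment="myCmpt" template="base" service="cmpt" id="1";
interface lan0
//@tag-end;
//@tag-start 'compartment="myCmpt" template="custom" service="cmpt" id="myID";
interface lan1
//@tag-end;
EOF
}

# Constructed sample of a file damaged by manual editing: tag-end removed.
make_broken_rules() {
    cat > "$1" <<'EOF'
//@tag-start 'compartment="myCmpt" template="base" service="cmpt" id="1";
interface lan0
// the //@tag-end; line was deleted while editing by hand
EOF
}

# Print one line per SRP-managed block:
#   compartment template service id start_line end_line
# Exit non-zero (with an ERROR line) if the tags are not balanced.
srp_tag_blocks() {
    awk '
    # Pull the value of name="..." out of a tag-start line.
    function attr(line, name,    re) {
        re = name "=\"[^\"]*\""
        if (match(line, re)) {
            line = substr(line, RSTART, RLENGTH)
            sub(name "=\"", "", line)
            sub("\"$", "", line)
            return line
        }
        return "?"
    }
    /^\/\/@tag-start / {
        if (start) { print "ERROR: nested tag-start at line " NR; err = 1 }
        start = NR
        c = attr($0, "compartment"); t = attr($0, "template")
        s = attr($0, "service");     i = attr($0, "id")
        next
    }
    /^\/\/@tag-end;/ {
        if (!start) { print "ERROR: tag-end without tag-start at line " NR; err = 1; next }
        print c, t, s, i, start, NR
        start = 0
        next
    }
    END {
        if (start) { print "ERROR: tag-start at line " start " has no tag-end"; err = 1 }
        exit err
    }' "$1"
}

# Print the lines SRP manages for instance id $2 in file $1 (tag lines omitted).
srp_tag_body() {
    awk -v want="$2" '
    /^\/\/@tag-start / { inblk = (index($0, "id=\"" want "\";") > 0); next }
    /^\/\/@tag-end;/   { inblk = 0; next }
    inblk' "$1"
}

# Stand-alone usage: list the blocks in the sample, then show the custom instance.
if [ "${SRP_TAG_DEMO:-}" = "1" ]; then
    f=$(mktemp); make_sample_rules "$f"
    srp_tag_blocks "$f"
    srp_tag_body "$f" myID
    rm -f "$f"
fi
```

Run it on a real system as `srp_tag_blocks /etc/cmpt/myCmpt.rules` after editing; an ERROR line means a tag was lost and srp can no longer find that block for replace or delete, so restore the tag lines before running any further srp operations. Comparing the listed blocks with `srp -l compartment_name -v` output confirms that the two agree on what SRP manages.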
84 Customizing SRP Data