HP-UX Secure Resource Partitions (SRP) A.02.02 Administrator's Guide
8.1.6.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command
line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
Unix groups for compartment login
    Name of the HP-UX user groups, separated by “,”, whose members are authorized to log in to the SRP compartment. These groups must already exist in an HP-UX groups database (such as /etc/group).
    Variable Name: login_group
    Default: adm
Unix users for compartment login
    Name of the HP-UX users, separated by “,”, authorized to log in to the SRP compartment. These users must already exist in an HP-UX users database (such as /etc/passwd).
    Variable Name: login_user
    Default: None
8.1.6.2 Configuration Data
The login service controls login access to the compartment using the Security Containment
compartment login feature. It uses RBAC authorizations to allow specified Unix users and group
members to pass PAM authentication in the module pam_hpsec, which controls PAM-enabled
authentication services (used by login, ftp, and other user session services) occurring within the
SRP compartment.
The login service performs the following tasks:
• Creates the role SRPlogin-srp_name. SRP uses the roleadm add command to perform
this task.
• Assigns the specified user or group ID to the SRPlogin-srp_name role. SRP uses the
roleadm assign command to perform this task.
• Assigns the SRPlogin-srp_name role login authorization (the authorization
hpux.security.compartment.login) for the compartment. SRP uses the authadm
command to perform this task.
8.1.7 The ipfilter Service
The ipfilter service configures HP-UX IPFilter for the compartment. The base SRP IPFilter
configuration allows the following packets to pass:
• All outbound packets from the compartment IP address.
• Inbound TCP, UDP, and ICMP responses to packets sent from the compartment IP address.
• All inbound ICMP packets to the compartment IP address.
All other inbound packets are blocked.
You can also configure IPFilter to allow inbound and outbound IPsec packets to pass.
8.1.7.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command
line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
Add IPFilter rules for IPsec?
    Specifies whether or not you want to add IPFilter rules to allow IPsec packets to pass.
    Variable Name: ipf_for_ipsec
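The base policy described in 8.1.7 and the optional rules selected by ipf_for_ipsec, written out as an IPFilter rule set. This is an added illustration, not the rule file SRP generates; the interface name lan0, the compartment address 192.0.2.10 and the choice of ESP, AH and IKE (UDP port 500) as the "IPsec packets" are assumptions.

```conf
# Illustrative IPFilter rules for one SRP compartment (not SRP's own output).
# Assumptions: interface lan0, compartment IP address 192.0.2.10.

# Default: anything inbound that no later "quick" rule passes is blocked.
block in on lan0 all

# All outbound packets from the compartment IP address. "keep state" is what
# lets the TCP, UDP and ICMP responses to these packets back in; nothing else
# inbound for those protocols is opened.
pass out quick on lan0 proto tcp from 192.0.2.10 to any flags S keep state
pass out quick on lan0 proto udp from 192.0.2.10 to any keep state
pass out quick on lan0 proto icmp from 192.0.2.10 to any keep state
pass out quick on lan0 from 192.0.2.10 to any

# All inbound ICMP packets to the compartment IP address (every ICMP type,
# as the base policy states, not only replies to the compartment's own probes).
pass in quick on lan0 proto icmp from any to 192.0.2.10

# Added only when ipf_for_ipsec is set. ESP and AH carry the protected
# traffic; IKE on UDP port 500 negotiates the SAs (assumed set of protocols).
pass in quick on lan0 proto esp from any to 192.0.2.10
pass in quick on lan0 proto ah from any to 192.0.2.10
pass in quick on lan0 proto udp from any to 192.0.2.10 port = 500
```

After the rules are loaded, ipfstat -io lists the inbound and outbound rules actually in effect, which is the quickest way to confirm that the running policy matches the one this section describes.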