HP-UX Secure Resource Partitions (SRP) A.02.02 Administrator's Guide

16 Customizing SRP Data
This chapter describes procedures for customizing SRP data. It addresses the following topics:
16.1 Modifying Provision Scripts
16.2 Modifying Compartment Rule Include Files
16.3 Manually Editing SRP Configuration Data
NOTE: You should run the system administration and performance tools (for example: glance, gpm,
kprof, kgmon, ktrace, and caliper) in the INIT compartment.
16.1 Modifying Provision Scripts
A provision script performs the tasks needed to provision or deploy an application in an SRP
compartment. These tasks can include copying data from an application's normal installation
directory to the home directory for the SRP compartment. The srp utility passes selected srp utility
arguments and variables to the provision scripts, such as the srp operation, the compartment name,
compartment IP address, compartment data and execution paths, and other application-specific
variables.
You can modify the provision scripts to add tasks needed to deploy an application. The provision
scripts provided with SRP are:
apache: /opt/hpsrp/bin/util/apache_setup
tomcat: /opt/hpsrp/bin/util/tomcat_setup
ssh: /opt/hpsrp/bin/util/secsh_setup
Custom: provided as an input variable
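The following is an added example of the kind of task a custom provision script performs, not one of the scripts shipped with SRP. It assumes a hypothetical calling convention (operation, compartment name, compartment data path, application install directory as positional arguments); the real argument and variable names are those the srp utility passes, so check the shipped scripts under /opt/hpsrp/bin/util/ before adapting it.

```shell
#!/bin/sh
# Added example of a custom provision script skeleton (not shipped with SRP).
# Assumed (hypothetical) invocation:
#   provision_app <operation> <compartment_name> <data_path> <install_dir>
# On "add" it copies only the application's conf/ tree from the normal
# install directory into the compartment's data path; on "delete" it
# removes that copy; any other operation is rejected.
provision_app() {
    op="$1"; cmpt="$2"; data_path="$3"; install_dir="$4"
    # Never operate with an empty compartment name or data path: a later
    # rm -rf on an empty path would be catastrophic.
    if [ -z "$cmpt" ] || [ -z "$data_path" ]; then
        echo "provision: compartment name and data path are required" >&2
        return 1
    fi
    case "$op" in
        add)
            # The compartment home must be a real directory, not a symlink
            # pointing somewhere outside the administrator's control.
            if [ -L "$data_path" ]; then
                echo "provision: $data_path is a symlink, refusing" >&2
                return 2
            fi
            mkdir -p "$data_path/conf" || return 1
            # Copy just the configuration tree so the compartment sees only
            # what the application needs, not the whole installation.
            cp -R "$install_dir/conf/." "$data_path/conf/" || return 1
            chmod 750 "$data_path/conf" || return 1
            echo "provisioned $cmpt from $install_dir into $data_path"
            ;;
        delete)
            rm -rf "$data_path/conf"
            echo "removed provisioned data for $cmpt"
            ;;
        *)
            echo "provision: unsupported operation '$op'" >&2
            return 1
            ;;
    esac
}

# Dispatch only when invoked with arguments (the srp utility would supply them).
if [ $# -gt 0 ]; then
    provision_app "$@"
fi
```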
16.2 Modifying Compartment Rule Include Files
The srp utility uses include files to configure Security Containment compartment rules. There is an
include file for each template. If you modify the contents of an include file for a template, all SRP
compartments configured with the cmpt service for that template will use the modified include file.
The include file names have the following format:
/opt/hpsrp/etc/cmpt/template_name.srp_incl
For example, /opt/hpsrp/etc/cmpt/apache.srp_incl.
16.2.1 Securing SRP Compartments with Compartment Rule Include Files
The base template rules file delivered with the product provides a rule set designed to allow maximum
application compatibility while restricting access to files that applications or user sessions do not
need to modify or access. To increase the security of your environment, you can replace this file
with a more restrictive rule set tuned to your application requirements and local security policy.
To create an environment with the minimal compartment access rights, you can use a procedure such
as the following:
1. Make a copy of the default base compartment rules file,
/opt/hpsrp/etc/cmpt/base.srp_incl. For example:
# cd /opt/hpsrp/etc/