Administrator's Guide

6 Compartments
This chapter describes the compartments feature of HP-UX 11i v3 and addresses
the following topics:
Overview (Section 6.1)
Planning the compartment structure (Section 6.2)
Compartment components (Section 6.3)
Compartment rules and syntax (Section 6.4)
Configuring a compartment (Section 6.5)
Troubleshooting compartments (Section 6.6)
Using discover mode to generate initial compartment configuration (Section 6.7)
Compartments in HP Serviceguard Clusters (Section 6.8)
6.1 Overview
Compartments are a method of isolating components of a system from one another.
When configured properly, they can be an effective method to safeguard the HP-UX
system and the data that resides on it.
Compartments allow you to isolate processes, or subjects, from each other and also from
resources, or objects.
Conceptually, each process belongs to a compartment, and resources are handled in
one of two ways:
1. The resource is labeled with the compartment of the creating process. This is how
transient resources, such as communication endpoints and shared memory, are
assigned a compartment.
2. The resource is associated with an access list that specifies how processes in
different compartments can access it. This is how persistent resources, such as files
and directories, are handled.
In either case, a process can access a resource or communicate with a process
belonging to a different compartment only if a rule exists between those
compartments. Processes that belong to the same compartment can communicate
with each other and access resources in that compartment without a rule.
Compartments separate subjects from objects. This enables a virtual grouping of related
subjects and objects. You can configure the system so that, if a service running in a
compartment is compromised, it does not affect services running in other compartments.
This restricts any damage to the affected compartment only.
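The following toy model illustrates the access decisions described above: transient objects inherit the creating process's compartment, persistent objects carry a per-compartment access list, and crossing a compartment boundary requires an explicit, directional rule. This is an added example written for this guide's overview, not HP-UX code, and it does not reproduce the real compartment rule syntax; the compartment names ("web", "db"), rules and file path are constructed for illustration.

```python
"""Toy model of the compartment access model from Section 6.1.

Added example, not part of the HP-UX documentation or implementation.
Compartment names, rules and paths below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    compartment: str


@dataclass(frozen=True)
class TransientResource:
    """Endpoint or shared-memory segment; labeled with its creator's compartment."""
    name: str
    compartment: str


@dataclass
class PersistentResource:
    """File or directory; carries an access list keyed by compartment name."""
    path: str
    access: Dict[str, Set[str]] = field(default_factory=dict)


class CompartmentPolicy:
    def __init__(self) -> None:
        # (source compartment, target compartment) -> operations allowed across
        # that boundary. Rules are directional: (web, db) does not imply (db, web).
        self.rules: Dict[Tuple[str, str], Set[str]] = {}

    def add_rule(self, src: str, dst: str, ops: Set[str]) -> None:
        self.rules.setdefault((src, dst), set()).update(ops)

    def _cross_allowed(self, src: str, dst: str, op: str) -> bool:
        return op in self.rules.get((src, dst), set())

    def create_transient(self, proc: Process, name: str) -> TransientResource:
        # Case 1: the object is labeled with the creating process's compartment.
        return TransientResource(name, proc.compartment)

    def can_access_transient(self, proc: Process, res: TransientResource, op: str) -> bool:
        if proc.compartment == res.compartment:
            return True  # same compartment: no rule needed
        return self._cross_allowed(proc.compartment, res.compartment, op)

    def can_communicate(self, sender: Process, receiver: Process) -> bool:
        if sender.compartment == receiver.compartment:
            return True  # same compartment: no rule needed
        return self._cross_allowed(sender.compartment, receiver.compartment, "send")

    @staticmethod
    def can_access_persistent(proc: Process, res: PersistentResource, op: str) -> bool:
        # Case 2: persistent objects are governed purely by their access list.
        return op in res.access.get(proc.compartment, set())


def demo() -> Dict[str, bool]:
    """Constructed scenario: a 'web' compartment allowed to reach 'db', but not back."""
    policy = CompartmentPolicy()
    web = Process(101, "web")
    web_helper = Process(102, "web")
    db = Process(202, "db")
    # The listener is created by the db process, so it is labeled "db".
    listener = policy.create_transient(db, "db_listener")
    # One directional rule: web may send to / connect into db.
    policy.add_rule("web", "db", {"send", "connect"})
    config = PersistentResource("/etc/app.conf",
                                {"web": {"read"}, "db": {"read", "write"}})
    return {
        "web_to_web_helper": policy.can_communicate(web, web_helper),          # True
        "web_connect_db_listener": policy.can_access_transient(web, listener, "connect"),  # True
        "db_send_to_web": policy.can_communicate(db, web),                     # False
        "web_write_config": policy.can_access_persistent(web, config, "write"),  # False
        "db_write_config": policy.can_access_persistent(db, config, "write"),    # True
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The last two checks show the containment property the text describes: a compromised process in "db" cannot reach back into "web" because no rule exists in that direction, and a process in "web" cannot modify the configuration file because its access list grants "web" only read.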
6.1.1 Compartment Architecture
Compartments isolate a process and its child processes within a system. Figure 6-1 shows
a parent process that spawns a number of handler processes that need to access various