Administrator's Guide

The handler processes can communicate with the parent process and with the
recorder using IPC and signals.
The network is isolated from the recorder and the parent process.
This compartment configuration protects the file system and the recorder:
both are isolated by their compartments. Although the handler processes can
communicate with the network, the network cannot reach the recorder or the parent process.
6.1.2 Default Compartment Configuration
When you enable compartments, a default compartment named INIT is created. When
you boot up the system, the init process belongs to this compartment. The INIT
compartment is defined to have access to all other compartments and is not defined in
a compartment rules file.
IMPORTANT: If you redefine the INIT compartment by creating explicit rules in a rules
file, all special characteristics of the compartment are lost and cannot be restored without
rebooting the system.
6.2 Planning the Compartment Structure
Plan the compartment structure before you begin creating compartment rules.
To plan the compartment structure, answer the following questions:

Do you want to isolate different groups of users accessing this system? For example,
is this system used by both the accounting department and the human resources
department, and must these groups of users be kept separate?

Do you want to isolate one network interface on this system, which communicates
outside the firewall, from the rest of the system, which communicates only inside the
firewall?

Does the security policy include requirements or problems that can be solved by
using compartments?

Does the security policy specify or suggest a specific compartment rules configuration?
When you have answered these questions, use the answers to determine how to assign
parts of the system to specific compartments.
Consider the following recommendations when planning the compartment configuration:

Put all compartment configuration files in the /etc/cmpt directory.
You can use the #include directive to create compartment configuration files
anywhere on the system. However, HP recommends that you avoid using this option.
Instead, keep the compartment configuration files together and easy to locate.

Develop a separate compartment configuration for each component of the system.
Unless there is a defined, specific software dependency between two components,
do not mix rules for different components. One component compartment does not
6.2 Planning the Compartment Structure 111
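The following POSIX sh script is an added example, not part of the guide, that audits a rules directory for two of the points above: #include directives that pull configuration from outside /etc/cmpt, and an explicit definition of the INIT compartment. It assumes the directive form "#include <path>" (optionally quoted) and the block form "compartment NAME {" or "sealed compartment NAME {", neither of which the page spells out.

```shell
#!/bin/sh
# Audit a directory of compartment rules files (the guide recommends /etc/cmpt).
# Reports (1) "#include" directives that pull rules from outside that directory
# and (2) any explicit definition of the INIT compartment, which the guide warns
# discards INIT's special characteristics until the next reboot.
# Assumed syntax (not taken from the guide): "#include <path>", optionally quoted,
# and "compartment NAME {" or "sealed compartment NAME {".
# Prints one "WARN ..." line per finding and returns the number of findings.
check_cmpt_rules() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                '#include'*)
                    inc=$(printf '%s\n' "$line" | sed 's/^#include[[:space:]]*//; s/^["<]//; s/[">][[:space:]]*$//')
                    case "$inc" in
                        "$dir"/*) ;;                       # stays inside the rules directory
                        *) printf 'WARN %s: #include outside %s: %s\n' "$f" "$dir" "$inc"
                           findings=$((findings + 1)) ;;  # relative or foreign path
                    esac ;;
            esac
        done < "$f"
        # An explicit INIT definition loses INIT's default access to all compartments.
        if grep -Eq '^[[:space:]]*(sealed[[:space:]]+)?compartment[[:space:]]+INIT([[:space:]{]|$)' "$f"; then
            printf 'WARN %s: redefines the INIT compartment\n' "$f"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample rules files in a temporary directory standing in for /etc/cmpt.
demo_dir=$(mktemp -d)
cat > "$demo_dir/web.rules" <<EOF
compartment web {
    permission read /var/www
}
#include $demo_dir/common.rules
#include /home/admin/extra.rules
EOF
cat > "$demo_dir/common.rules" <<'EOF'
compartment INIT {
    permission read /
}
EOF
check_cmpt_rules "$demo_dir" || echo "findings: $?"
# prints two WARN lines, then "findings: 2"
```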