HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

You can use the login service to grant non-root users the authorization to log in to the compartment.
6.1.6.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value on the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
Unix groups for compartment login
    Names of the HP-UX user groups, separated by “,”, whose members are authorized to log in to the SRP compartment. These groups must already exist in an HP-UX groups database (such as /etc/group).
    Variable Name: login_group. Default: adm.
Unix users for compartment login
    Names of the HP-UX users, separated by “,”, who are authorized to log in to the SRP compartment. These users must already exist in an HP-UX users database (such as /etc/passwd).
    Variable Name: login_user. Default: None.
6.1.6.2 Configuration Data
The login service controls login access to the compartment using the Security Containment compartment login feature. It uses RBAC authorizations to allow the specified Unix users and group members to pass PAM authentication in the pam_hpsec module, which controls the PAM-enabled authentication services (used by login, ftp, and other user session services) that run within the SRP compartment. A user who is not covered by one of these authorizations fails PAM authentication inside the compartment even if the password is correct.
The login service performs the following tasks:
• Creates the role SRPlogin-compartment_name. SRP uses the roleadm add command to perform this task.
• Assigns the specified login groups and users (login_group and login_user) to the SRPlogin-compartment_name role. SRP uses the roleadm assign command to perform this task.
• Assigns the SRPlogin-compartment_name role the login authorization (hpux.security.compartment.login) for the compartment. SRP uses the authadm command to perform this task.
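The three tasks above end up as entries in the HP-UX RBAC databases that roleadm and authadm maintain, so the practical check after configuring the login service is "which users can actually log in to this compartment?". The script below is an added example (not code from the SRP guide or from HP): it reads copies of /etc/rbac/role_auth ("role: (operation, object)" lines) and /etc/rbac/user_role ("user: role" lines), finds every role that holds hpux.security.compartment.login for the named compartment, and lists the users assigned to those roles. The file formats are taken from the HP-UX RBAC documentation; the wildcard handling (a "*" object, and "hpux.*"-style operation prefixes) is this example's simplification of RBAC matching, the sample database is constructed, and the function names are the author's.

```shell
#!/bin/sh
# Added example, not from the SRP guide: audit which users hold the
# hpux.security.compartment.login authorization for a compartment by
# reading the HP-UX RBAC databases that roleadm/authadm maintain.
# Assumed file formats (from the HP-UX RBAC documentation):
#   /etc/rbac/role_auth : "role: (operation, object)"  one pair per line
#   /etc/rbac/user_role : "user: role"                  one pair per line
# Wildcard handling ("*" object, "hpux.*"-style operation prefixes) is this
# example's simplification of RBAC matching. Paths are parameters so the
# check can run against copies or the constructed sample below.

LOGIN_OP=hpux.security.compartment.login

# roles_with_login_auth ROLE_AUTH_FILE COMPARTMENT
#   Print every role whose (operation, object) pair grants login to COMPARTMENT.
roles_with_login_auth() {
    awk -v comp="$2" -v login="$LOGIN_OP" '
        function op_matches(op,    n) {
            if (op == "*" || op == login) return 1
            n = length(op)
            # "hpux.security.*" style wildcard: prefix up to the dot must match
            if (n > 2 && substr(op, n - 1) == ".*" && index(login, substr(op, 1, n - 1)) == 1) return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            role = $0; sub(/:.*$/, "", role); gsub(/[ \t]/, "", role)
            rest = $0; sub(/^[^:]*:/, "", rest); gsub(/[()\t ]/, "", rest)
            split(rest, f, ",")
            if (op_matches(f[1]) && (f[2] == comp || f[2] == "*")) print role
        }' "$1"
}

# users_for_compartment USER_ROLE_FILE ROLE_AUTH_FILE COMPARTMENT
#   Print, in file order and without duplicates, the users assigned any role
#   that roles_with_login_auth reports for COMPARTMENT.
users_for_compartment() {
    awk -v roles="$(roles_with_login_auth "$2" "$3")" '
        BEGIN { n = split(roles, r, "\n"); for (i = 1; i <= n; i++) if (r[i] != "") want[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            user = $0; sub(/:.*$/, "", user); gsub(/[ \t]/, "", user)
            rest = $0; sub(/^[^:]*:/, "", rest); gsub(/[ \t]/, "", rest)
            m = split(rest, ur, ",")          # tolerate "user: roleA,roleB"
            for (j = 1; j <= m; j++)
                if ((ur[j] in want) && !(user in seen)) { seen[user] = 1; print user }
        }' "$1"
}

# make_sample_db DIR : write a constructed sample of the two databases
make_sample_db() {
    cat > "$1/user_role" <<'EOF'
# constructed sample of /etc/rbac/user_role
root: Administrator
alice: SRPlogin-web
bob: SRPlogin-web
carol: SRPlogin-db
dave: UserOperator
EOF
    cat > "$1/role_auth" <<'EOF'
# constructed sample of /etc/rbac/role_auth
Administrator: (hpux.*, *)
SRPlogin-web: (hpux.security.compartment.login, web)
SRPlogin-db: (hpux.security.compartment.login, db)
UserOperator: (hpux.user.add, *)
EOF
}

# Stand-alone run: on a real host point the two paths at /etc/rbac/*.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_db "$d"
    echo "users who can log in to compartment web:"
    users_for_compartment "$d/user_role" "$d/role_auth" web
    rm -rf "$d"
fi
```

Run it with --demo to see the sample result; on a real system pass /etc/rbac/user_role and /etc/rbac/role_auth. Note that a broad role such as Administrator with (hpux.*, *) also satisfies the compartment login authorization, which is why the check walks all roles rather than only SRPlogin-compartment_name.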
6.1.7 The ipfilter Service
The ipfilter service configures HP-UX IPFilter for the compartment. The base SRP IPFilter configuration allows the following packets to pass:
• All outbound packets from the compartment IP address.
• Inbound TCP, UDP, and ICMP responses to packets sent from the compartment IP address.
• All inbound ICMP packets to the compartment IP address.
All other inbound packets are blocked. Note that the base configuration passes all inbound ICMP, not only replies to traffic the compartment originated, so the compartment address answers ICMP (for example echo requests) from any source unless you tighten that rule. You can also configure IPFilter to allow inbound and outbound IPsec packets to pass.
6.1.7.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value on the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
Add IPFilter rules for IPsec?
    Specifies whether or not you want to add IPFilter rules to allow IPsec packets to pass.