HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty Security
Compartment rules file. A compartment that uses only this file for its compartment rule set will
have no access to any files, system IPC, or network interfaces.
NOTE: Creating an empty Security Compartment rules file for the base template files affects
all compartments using this file, including those previously created. This practice is
recommended in a highly secure environment to ensure that all compartments are specifically
configured, and no compartments are continuing to execute with default rules.
3. Determine the minimum set of rules that you need for a compartment and add them to the
new file (myCustom.srp_incl in this example). For more information on creating a
deployment-specific compartment rules set, see HP-UX System Administrator's Guide: Security
Management: HP-UX 11i Version 3.
4. Use the custom template to associate this new rules file to compartments requiring the
specified access. For example:
# srp -a mySRP -template custom -id myID
When srp prompts for Compartment rule files, enter the name of the new file
(/opt/hpsrp/etc/myCustom.srp_incl in this example).
14.3 Manually Editing SRP Configuration Data
SRP marks the data it adds to subsystem configuration files and databases with tags, or text-string
identifiers. SRP uses these tags when selecting data for SRP replace and delete operations.
You can use these tags to identify and manually edit SRP configuration data and still use SRP replace
and delete operations to manage this data if you retain the tag information.
A quick way to identify configuration data managed by SRP is by using the following command:
srp -l compartment_name -v
14.3.1 Tag Formats
The general format for most tags that indicate the start of SRP data is as follows:
@tag-start 'compartment="compartment_name" template="template_name"
service="service_name" id="version";
Where:
compartment_name
Specifies the SRP compartment name.
template_name
Specifies the name of the template used to configure the data.
service_name
Specifies the service name.
version
A string used to identify an instance of a service applied to a
compartment. This field is meaningful only with the custom template,
which allows you to create multiple instances of service data for the same
template and compartment. For all other templates, the string is always 1.
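The following script is an added example, not part of this guide or of the SRP product. It shows how a tagged region in a subsystem configuration file can be located and its start tag parsed into the compartment, template, service and id fields described above, and it checks that every start tag is paired before you hand the file back to an srp replace or delete operation. It assumes that the closing marker is written as @tag-end with the same field list as the start tag, and that each tag occupies a single line in the file; both are assumptions, as is the constructed inetd-style sample at the bottom.

```python
"""Locate and validate SRP-tagged regions in a subsystem configuration file (added example)."""
import re
from typing import Dict, List

# Start tag as documented in the guide:
#   @tag-start 'compartment="..." template="..." service="..." id="...";
START_RE = re.compile(r"@tag-start\s+'(?P<fields>[^;]*);")
# ASSUMPTION: the closing tag is written as @tag-end with the same field list.
END_RE = re.compile(r"@tag-end\s+'(?P<fields>[^;]*);")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

REQUIRED_FIELDS = ("compartment", "template", "service", "id")


def parse_tag_fields(field_text: str) -> Dict[str, str]:
    """Turn 'compartment="a" template="b" ...' into a dict and require the four documented keys."""
    fields = dict(FIELD_RE.findall(field_text))
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"tag is missing field(s): {', '.join(missing)}")
    return fields


def find_srp_blocks(text: str) -> List[dict]:
    """Return every tagged region with its fields, 1-based start/end lines and body lines.

    Raises ValueError on a start tag without a matching end tag, a stray end tag,
    or an end tag whose fields differ from the open start tag: srp's replace and
    delete operations select data by these tags, so a damaged pair must not be
    left behind after manual editing.
    """
    blocks: List[dict] = []
    open_block = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = START_RE.search(line)
        if m:
            if open_block is not None:
                raise ValueError(f"line {lineno}: nested @tag-start inside block opened at line {open_block['start']}")
            open_block = {"fields": parse_tag_fields(m.group("fields")), "start": lineno, "body": []}
            continue
        m = END_RE.search(line)
        if m:
            if open_block is None:
                raise ValueError(f"line {lineno}: @tag-end without a preceding @tag-start")
            if parse_tag_fields(m.group("fields")) != open_block["fields"]:
                raise ValueError(f"line {lineno}: @tag-end fields do not match the @tag-start at line {open_block['start']}")
            open_block["end"] = lineno
            blocks.append(open_block)
            open_block = None
            continue
        if open_block is not None:
            open_block["body"].append(line)
    if open_block is not None:
        raise ValueError(f"@tag-start at line {open_block['start']} is never closed")
    return blocks


def select_blocks(blocks: List[dict], **criteria: str) -> List[dict]:
    """Pick the blocks whose tag fields match every criterion, e.g. compartment="mySRP", id="myID".

    This mirrors how a replace or delete keyed on compartment/service/id would choose data.
    """
    return [b for b in blocks if all(b["fields"].get(k) == v for k, v in criteria.items())]


# Constructed sample (not taken from a real system): a configuration fragment with one
# unmanaged entry, one region added by the base template and one by the custom template.
SAMPLE_CONF = """\
# hand-maintained entry, not managed by srp
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
# @tag-start 'compartment="mySRP" template="base" service="inetd" id="1";
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
# @tag-end 'compartment="mySRP" template="base" service="inetd" id="1";
# @tag-start 'compartment="mySRP" template="custom" service="inetd" id="myID";
ssh stream tcp nowait root /opt/ssh/sbin/sshd sshd -i
# @tag-end 'compartment="mySRP" template="custom" service="inetd" id="myID";
"""

if __name__ == "__main__":
    for b in find_srp_blocks(SAMPLE_CONF):
        print(f"lines {b['start']}-{b['end']}: {b['fields']} ({len(b['body'])} body line(s))")
```

Run it against a copy of the real file after a manual edit; a ValueError means a tag was removed or altered and the region is no longer something srp can replace or delete cleanly.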