HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

Use the getprocxsec -c pid command to verify the compartment in which the process is
running. For example:
# getprocxsec -c 968
cmpt= SRP2
If an application fails inside a compartment and you want to determine whether Security
Containment rules are the cause, use the HP-UX audit utility to configure auditing and then
view the audit records: a record of a failed operation shows whether it failed because of a
permission problem.
One method to reduce the number of unrelated audit entries is to disable auditing for all
users, then enable auditing for the user ID used to execute the application. Next, configure
auditing for failed attempts for common file and IPC operations. For example:
audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
-e ipcclose -s kill
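The diagnosis described above (confirm the compartment the process runs in, restrict auditing to the application's user and to failed file and IPC operations, run the application, read back only that user's failed records) as one shell script. This is an added example, not from the SRP guide; it assumes the HP-UX commands getprocxsec, audusr, audevent and audisp with the options shown, that auditing has already been started with audsys, and that the caller supplies the current audit trail file and a command that runs the application as the audited user. DRY_RUN=1 is a convention of this script only: it prints the privileged commands instead of executing them.

```shell
#!/usr/bin/sh
# Find out whether an application inside an SRP compartment is failing
# because of Security Containment rules: confirm the process's compartment,
# narrow auditing to the application's user and to failed file/IPC
# operations, then read back only that user's failed records.
# Added example, not from the SRP guide. Assumes the HP-UX commands
# getprocxsec, audusr, audevent and audisp with the options used below,
# that auditing is already started, and that the caller passes the current
# audit trail file (reported by audsys) to show_failed_records.

# DRY_RUN=1 prints each privileged command instead of running it, so the
# sequence can be reviewed (or tested) on a host without these tools.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Extract the compartment name from "getprocxsec -c <pid>" output, which
# looks like "cmpt= SRP2" (an empty result means no compartment was reported).
compartment_of() {
    sed -n 's/^cmpt= *//p'
}

# Print the compartment the given pid runs in.
process_compartment() {
    getprocxsec -c "$1" | compartment_of
}

# Audit only one user: audusr -D drops every user from the audit list,
# audusr -a puts the application's user back.
audit_only_user() {
    run audusr -D
    run audusr -a "$1"
}

# Record failures only (-F) for the common file and IPC events, plus the
# kill system call, exactly as the guide suggests.
audit_failed_file_ipc_events() {
    run audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
        -e ipcclose -s kill
}

# Show the failed (-f) records of one user from the given audit trail file.
show_failed_records() {
    run audisp -u "$1" -f "$2"
}

# Usage: sh audit_cmpt.sh <app_user> <audit_trail_file> <command...>
# The command must run the application as <app_user> (for example via su),
# otherwise its operations are not in the audited set.
if [ $# -ge 3 ]; then
    user=$1; trail=$2; shift 2
    audit_only_user "$user"
    audit_failed_file_ipc_events
    "$@"                     # run the failing application under audit
    show_failed_records "$user" "$trail"
fi
```

Remember to restore the previous audit user selection (audusr -A, or the specific users) after the diagnosis; leaving auditing restricted to one user is itself a detection gap.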
17.1.3 Verifying RBAC Data
Use the following procedures to verify RBAC configuration data:
Use the authadm command to verify the authorization information configured for the
compartment:
authadm list object=compartment_name
For the admin service, you should see the following entry:
SRPadmin-compartment_name: (hpux.SRPadmin.compartment_name, compartment_name)
For the login service, you should see the following entry:
SRPlogin-compartment_name: (hpux.security.compartment.login, compartment_name)
Alternatively, you can enter the following commands to view the authorization information:
authadm list operation=hpux.SRPadmin.compartment_name
authadm list operation=hpux.security.compartment.login \
object=compartment_name
To verify the users and user groups assigned to the roles used by the compartment, enter the
following commands:
roleadm list role=SRPadmin-compartment_name
roleadm list role=SRPlogin-compartment_name
To verify command privileges, view the /etc/rbac/cmd_priv file. If you configured the
init service for a compartment, the file contains an entry that allows a holder of the
compartment administrator authorization to execute the srp_rc script. The entry is a single
line, as follows:
/opt/hpsrp/bin/util/srp_rc:dflt:(hpux.SRPadmin.compartment_name,*):0/0//:compartment_name:dflt:dflt
You can also use the rbacdbchk utility to verify the contents of the RBAC database.
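The checks in this procedure combined into one script that reports what is missing for a compartment. This is an added example, not from the SRP guide or the HP-UX SRP product; it assumes the authadm, roleadm and rbacdbchk commands, the authadm output lines and the /etc/rbac/cmd_priv entry format shown above, compartment names made of letters, digits and underscores, and a caller allowed to read the RBAC database. The two matching functions read a listing on standard input or a file path, so they can be exercised against a saved listing or a copy of cmd_priv.

```shell
#!/usr/bin/sh
# Verify the RBAC data behind an SRP compartment and report what is missing.
# Added example, not from the SRP guide; it assumes the authadm, roleadm and
# rbacdbchk commands, the authadm output format and the /etc/rbac/cmd_priv
# entry format documented in this section, and that it is run by a user
# allowed to read the RBAC database. Compartment names are assumed to contain
# only letters, digits and underscores (no regex metacharacters).

# Read an "authadm list object=<cmpt>" listing on stdin and return 0 only if
# both the admin and the login authorizations for the compartment are present.
# Whitespace after ":" and "," is not assumed to be fixed.
authz_listing_ok() {
    cmpt=$1
    listing=$(cat)
    printf '%s\n' "$listing" |
        grep -q "SRPadmin-${cmpt}: *(hpux\.SRPadmin\.${cmpt}, *${cmpt})" || return 1
    printf '%s\n' "$listing" |
        grep -q "SRPlogin-${cmpt}: *(hpux\.security\.compartment\.login, *${cmpt})" || return 1
    return 0
}

# Return 0 if cmd_priv grants the compartment administrator authorization the
# right to execute the srp_rc script for this compartment. The file path is a
# parameter so the check can be run against a copy; the default is the live file.
srp_rc_priv_ok() {
    cmpt=$1
    cmd_priv=${2:-/etc/rbac/cmd_priv}
    grep -qF "/opt/hpsrp/bin/util/srp_rc:dflt:(hpux.SRPadmin.${cmpt},*):" "$cmd_priv"
}

# Run all checks against the live system for one compartment.
# Exit status 1 if a required authorization is missing.
verify_compartment_rbac() {
    cmpt=$1
    status=0
    if authadm list object="$cmpt" | authz_listing_ok "$cmpt"; then
        echo "ok: SRPadmin and SRPlogin authorizations present for $cmpt"
    else
        echo "MISSING: SRPadmin/SRPlogin authorization for $cmpt"
        status=1
    fi
    # Role membership has no documented fixed format here, so print it for
    # review rather than parsing it: an empty assignment is a common cause of
    # a failing compartment login or admin step.
    echo "--- users and groups assigned to the compartment roles ---"
    roleadm list role="SRPadmin-$cmpt"
    roleadm list role="SRPlogin-$cmpt"
    if srp_rc_priv_ok "$cmpt"; then
        echo "ok: srp_rc entry for $cmpt present in /etc/rbac/cmd_priv"
    else
        echo "note: no srp_rc entry for $cmpt (only expected if the init service is configured)"
    fi
    # Consistency check of the whole RBAC database.
    rbacdbchk
    return $status
}

# Usage: sh check_srp_rbac.sh <compartment_name>
if [ $# -eq 1 ]; then
    verify_compartment_rbac "$1"
fi
```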
17.1.4 Verifying PRM Data
Use the prmlist and prmmonitor commands to verify that the PRM configuration is loaded for the
group used by the SRP compartment (the default PRM group name is the SRP compartment name).