HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

14 Customizing SRP Data
This chapter describes procedures for customizing SRP data. It addresses the following topics:
14.1 Modifying Provision Scripts
14.2 Modifying Compartment Rule Include Files
14.3 Manually Editing SRP Configuration Data
NOTE: You should run the system administration and performance tools (for example: glance, gpm,
kprof, kgmon, ktrace, and caliper) in the INIT compartment, not inside an SRP compartment.
14.1 Modifying Provision Scripts
A provision script performs the tasks needed to provision or deploy an application in an SRP
compartment. These tasks can include copying data from an application's normal installation
directory to the home directory for the SRP compartment. The srp utility passes selected
command-line arguments and variables to the provision script, such as the srp operation, the
compartment name, the compartment IP address, the compartment data and execution paths, and other
application-specific variables.
You can modify the provision scripts to add tasks needed to deploy an application. The provision
scripts are as follows:
apache: /opt/hpsrp/bin/util/apache_setup
tomcat: /opt/hpsrp/bin/util/tomcat_setup
ssh: /opt/hpsrp/bin/util/secsh_setup
Custom: the path of the script is supplied as an input variable
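A custom provision script written along those lines, as an added example that is not one of the scripts shipped in /opt/hpsrp/bin/util. The calling convention it uses (positional arguments: operation, compartment name, compartment IP address, compartment home directory, application source directory) is an assumption made for illustration; check the srp utility's documentation for the variables it actually passes. The point the example makes is that the compartment name and paths arrive from outside the script and are spliced into filesystem paths that root then writes to, so the script validates them and refuses to copy through a symlink.

```shell
#!/usr/bin/sh
# Added example of a custom provision script for srp; not shipped with SRP.
# ASSUMED calling convention (illustration only; verify against the srp
# utility's documentation):
#   $1 operation ("add" or "delete")   $2 compartment name
#   $3 compartment IP address          $4 compartment home (data path)
#   $5 application source directory (the application's normal install location)

# The compartment name comes from the srp command line and is spliced into
# filesystem paths, so accept only a plain identifier (no "/", "." or spaces).
valid_cmpt_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The compartment home must be an absolute path other than "/".
valid_cmpt_home() {
    case "$1" in
        /?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the application tree into <cmpt_home>/<cmpt_name>/app.
# Refuses a bad name or home, a missing source, and a destination reached
# through a symlink (a planted link would redirect root's copy elsewhere).
# Returns 0 on success, 1 on copy failure, 2 on bad input, 3 on a symlink.
deploy_app() {
    src=$1; cmpt_home=$2; cmpt_name=$3
    valid_cmpt_name "$cmpt_name" || { echo "bad compartment name: $cmpt_name" >&2; return 2; }
    valid_cmpt_home "$cmpt_home" || { echo "bad compartment home: $cmpt_home" >&2; return 2; }
    [ -d "$src" ] || { echo "missing source directory: $src" >&2; return 2; }
    dest="$cmpt_home/$cmpt_name/app"
    if [ -L "$cmpt_home/$cmpt_name" ] || [ -L "$dest" ]; then
        echo "refusing to deploy through a symlink: $dest" >&2
        return 3
    fi
    umask 022
    mkdir -p "$dest" || return 1
    cp -R "$src"/. "$dest"/ || return 1
    # Deployed files stay owned by the invoking user (root) and are not
    # writable by group or others.
    chmod -R go-w "$dest" || return 1
    return 0
}

# Remove what deploy_app created, with the same input checks.
remove_app() {
    cmpt_home=$1; cmpt_name=$2
    valid_cmpt_name "$cmpt_name" || return 2
    valid_cmpt_home "$cmpt_home" || return 2
    rm -rf "$cmpt_home/$cmpt_name/app"
}

# Dispatch on the srp operation when invoked with arguments.
if [ $# -gt 0 ]; then
    case "$1" in
        add)    deploy_app "$5" "$4" "$2" ;;
        delete) remove_app "$4" "$2" ;;
        *)      echo "usage: $0 add|delete cmpt_name cmpt_ip cmpt_home app_src" >&2; exit 1 ;;
    esac
fi
```

If the real srp interface passes these values as environment variables rather than positional arguments, only the dispatch block at the bottom needs to change; the validation and copy logic stays the same.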
14.2 Modifying Compartment Rule Include Files
The srp utility uses include files to configure Security Containment compartment rules. There is an
include file for each template type. If you modify the contents of an include file for a template type, all
SRP compartments configured with the cmpt service for that template will use the modified include
file. The include file names have the following format:
/opt/hpsrp/etc/cmpt/template_name.srp_incl
For example, /opt/hpsrp/etc/cmpt/apache.srp_incl.
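Because one include file governs every SRP compartment built from its template, the integrity of these files matters as much as their contents. The following audit function is an added example, not part of the SRP product; it flags any *.srp_incl in the include directory that is group- or world-writable, not owned by the expected user (root by default), or a symlink rather than a regular file. The directory and owner arguments default to the values on this page but can be overridden for testing.

```shell
#!/usr/bin/sh
# Added example (not part of SRP): audit the compartment rule include files.
# Editing one of these files changes the rules applied to every SRP
# compartment built from that template, so each should be a regular file,
# owned by root, and writable only by its owner.
# Usage: audit_srp_incl [dir] [owner]   (defaults: /opt/hpsrp/etc/cmpt, root)
# Returns 0 if every *.srp_incl passes, 1 if any fails, 2 if dir is missing.
audit_srp_incl() {
    dir=${1:-/opt/hpsrp/etc/cmpt}
    owner=${2:-root}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Offenders: group-writable (020), world-writable (002), wrong owner, or
    # a symlink (a link could point the rule set at a file someone else controls).
    bad=$(find "$dir" -name '*.srp_incl' \
               \( -perm -020 -o -perm -002 -o ! -user "$owner" -o -type l \) -print)
    if [ -n "$bad" ]; then
        echo "include files failing the check:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Run the audit against the default location when invoked directly.
if [ $# -gt 0 ]; then
    audit_srp_incl "$@"
fi
```

Run it after any edit to an include file and before restarting the affected compartments; a non-zero exit means at least one template's rule set can be altered by someone other than its owner.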
14.2.1 Securing SRP Compartments with Compartment Rule Include Files
The base template rules file delivered with the product provides a rule set designed for maximum
application compatibility: it restricts access only to files that applications and user sessions
have no need to read or modify. To increase the security of your environment, you can replace
this file with a more restrictive rule set tuned to your application requirements and local
security policy.
To create an environment with the minimal compartment access rights, you can use a procedure such
as the following:
1. Make a copy of the default base compartment rules file,
/opt/hpsrp/etc/cmpt/base.srp_incl. For example:
# cd /opt/hpsrp/etc/