5 Compartments

This chapter describes the compartments feature of HP-UX 11i Security Containment. This chapter addresses the following topics:

“Overview”

“Planning the Compartment Structure”

“Modifying Compartment Configuration”

“Compartment Components”

“Compartment Rules and Syntax”

“Activating Compartments”

“Troubleshooting Compartments”

“Compartments in HP Serviceguard Clusters”

Overview

Compartments are a method of isolating components of a system from one another. When configured properly, they can be an effective method to safeguard your HP-UX system and the data that resides on it.

The compartments feature of the HP-UX Security Containment software enables you to isolate processes, or subjects, from each other and also from resources, or objects.

Conceptually, each process belongs to a compartment, and resources are handled in one of two ways. Transient resources, such as communication endpoints and shared memory, are labeled with the compartment of the process that created them. Persistent resources, such as files and directories, are instead associated with an access list that specifies how processes in each compartment can access them. In either case, a process can access a resource or communicate with a process belonging to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources labeled with that compartment without any rule.

Compartments therefore separate subjects from other subjects and from objects, which lets you group related subjects and objects into virtual units. You can configure your system so that, if a service running in one compartment is compromised, it cannot affect services running in other compartments. Any damage is confined to the compromised compartment.

Compartment Architecture

Compartments isolate a process and its child processes within a system. Figure 5-1 “Compartment Architecture” shows a parent process that spawns a number of handler processes that need to access various parts of the system. The compartments on the system are configured so that the processes can access the resources they need.

Figure 5-1 Compartment Architecture
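The following is an added example that is not part of the manual and is not HP-UX code. It models, in Python, the access decisions the overview and the architecture description above imply: processes carry a compartment, transient objects inherit the creating process's compartment, persistent objects carry an access list keyed by compartment, and cross-compartment access succeeds only when a rule exists. The compartment names (parent, handler, db), the paths, the permission names and the sample processes are invented for illustration, and the model assumes that communication rules are directional (a rule from handler to parent does not imply one from parent to handler).

```python
"""Conceptual model of compartment access decisions (added example, not HP-UX code).

Compartment names, paths, permissions and rule format are assumptions made
for illustration; they are not the product's own syntax.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Process:
    pid: int
    compartment: str


@dataclass(frozen=True)
class TransientObject:
    """Socket, pipe or shared-memory segment; labeled with its creator's compartment."""
    name: str
    compartment: str


@dataclass
class PersistentObject:
    """File or directory; carries an access list instead of a compartment label."""
    path: str
    acl: dict = field(default_factory=dict)  # compartment -> set of permissions


class CompartmentPolicy:
    def __init__(self):
        # Directed rules (src, dst): processes in src may use objects labeled dst.
        self._rules: set = set()

    def grant(self, src: str, dst: str) -> None:
        self._rules.add((src, dst))

    def can_use(self, proc: Process, obj: TransientObject) -> bool:
        if proc.compartment == obj.compartment:
            return True  # same compartment: no rule required
        return (proc.compartment, obj.compartment) in self._rules

    def can_access(self, proc: Process, obj: PersistentObject, perm: str) -> bool:
        # Persistent objects are not labeled; only the access list decides.
        return perm in obj.acl.get(proc.compartment, set())


def build_scenario():
    """A parent process spawns handlers into their own compartment (assumed layout).

    Handlers may reach the parent's listening socket and read the spool directory,
    but nothing grants them access to the database compartment or its files.
    """
    policy = CompartmentPolicy()
    policy.grant("handler", "parent")  # handler -> parent only

    parent = Process(100, "parent")
    handler_a = Process(101, "handler")
    handler_b = Process(102, "handler")
    dbproc = Process(200, "db")

    listener = TransientObject("parent_listener", parent.compartment)
    handler_pipe = TransientObject("handler_pipe", handler_a.compartment)
    db_cache = TransientObject("db_cache", dbproc.compartment)
    spool = PersistentObject("/var/spool/app",
                             {"parent": {"read", "write"}, "handler": {"read"}})
    dbfile = PersistentObject("/var/db/app.dat", {"db": {"read", "write"}})
    return policy, parent, handler_a, handler_b, dbproc, listener, handler_pipe, db_cache, spool, dbfile


def decisions() -> dict:
    """Evaluate representative requests; a compromised handler stays confined."""
    (policy, parent, handler_a, handler_b, dbproc,
     listener, handler_pipe, db_cache, spool, dbfile) = build_scenario()
    return {
        "handler uses parent listener": policy.can_use(handler_a, listener),      # rule exists
        "parent uses handler pipe": policy.can_use(parent, handler_pipe),         # no rule that way
        "handler_b uses handler pipe": policy.can_use(handler_b, handler_pipe),   # same compartment
        "handler uses db cache": policy.can_use(handler_a, db_cache),             # no rule
        "handler reads spool": policy.can_access(handler_a, spool, "read"),
        "handler writes spool": policy.can_access(handler_a, spool, "write"),
        "handler reads dbfile": policy.can_access(handler_a, dbfile, "read"),     # confined
        "db reads dbfile": policy.can_access(dbproc, dbfile, "read"),
    }


if __name__ == "__main__":
    for request, allowed in decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
```

The directional rule set is the modeling choice worth noticing: granting handler to parent communication does not let the parent reach handler objects, so each direction of a two-way channel needs its own rule, and a handler that is taken over still cannot open the database's shared memory or files because nothing in the policy mentions that pair of compartments.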