Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 7 Compartments

Planning the Compartment Structure


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Plan the compartment structure before you begin creating compartment rules.

To plan the compartment structure, answer the following questions:

  • Do you want to isolate different groups of users accessing this system? For example, is this system used by both the accounting department and the human resources department, and must these groups of users be kept separate?

  • Do you want to isolate one network interface on this system, which communicates outside the firewall, from the rest of the system, which communicates only inside the firewall?

  • Does the security policy include requirements or problems that can be solved by using compartments?

  • Does the security policy specify or suggest a specific compartment rules configuration?

When you have answered these questions, use the answers to determine how to assign parts of the system to specific compartments.

Consider the following recommendations when planning the compartment configuration:

  • Put all compartment configuration files in the /etc/cmpt directory.

    You can use the #include directive to create compartment configuration files anywhere on the system. However, HP recommends that you avoid using this option. Instead, keep the compartment configuration files together and easy to locate.

  • Develop a separate compartment configuration for each component of the system.

    Unless there is a defined, specific software dependency between two components, do not mix rules for different components. One component compartment does not contain rules referring to compartments for another component. If you must remove a component, you can modify the compartment configuration more easily if the compartment configurations are kept separate.

  • Create a single compartment configuration file for each software component.

    This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily.

  • Some software products are shipped with compartment rules already configured. Avoid modifying these rules.

    Before you make modifications to shipped compartment configurations, be sure you understand the existing configuration. Read the documentation for the software product and examine the existing configuration carefully.

CAUTION: Do not redefine the existing INIT compartment. If you attempt to change or redefine the INIT compartment, all automatically generated definitions will be destroyed and compartments will not function properly.
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.