HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 7 Compartments

Planning the Compartment Structure


Plan the compartment structure before you begin creating compartment rules.

To plan the compartment structure, answer the following questions:

  • Do you want to isolate different groups of users accessing this system? For example, is this system used by both the accounting department and the human resources department, and must these groups of users be kept separate?

  • Do you want to isolate one network interface on this system, which communicates outside the firewall, from the rest of the system, which communicates only inside the firewall?

  • Does the security policy include requirements or problems that can be solved by using compartments?

  • Does the security policy specify or suggest a specific compartment rules configuration?

When you have answered these questions, use the answers to determine how to assign parts of the system to specific compartments.

Consider the following recommendations when planning the compartment configuration:

  • Put all compartment configuration files in the /etc/cmpt directory.

    You can use the #include directive to create compartment configuration files anywhere on the system. However, HP recommends that you avoid using this option. Instead, keep the compartment configuration files together and easy to locate.

  • Develop a separate compartment configuration for each component of the system.

    Unless there is a defined, specific software dependency between two components, do not mix rules for different components. A compartment for one component should not contain rules that refer to compartments belonging to another component. If you later have to remove a component, keeping the compartment configurations separate makes the remaining configuration easier to modify.

  • Create a single compartment configuration file for each software component.

    This enables you to remove the compartment configuration easily if you remove the software from the system. You can also find all rules pertaining to the software component easily.

  • Some software products are shipped with compartment rules already configured. Avoid modifying these rules.

    Before you make modifications to shipped compartment configurations, be sure you understand the existing configuration. Read the documentation for the software product and examine the existing configuration carefully.

CAUTION: Do not redefine the existing INIT compartment. If you attempt to change or redefine the INIT compartment, all automatically generated definitions will be destroyed and compartments will not function properly.
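The recommendations and the caution above can be checked mechanically before rules are activated. The following POSIX shell lint is an added example, not part of the HP-UX guide: it assumes all rule files live in one directory (default /etc/cmpt), that each definition begins with a `compartment NAME {` line, and it flags #include directives, any redefinition of INIT, and rules in one file that refer to a compartment defined in another file.

```shell
#!/bin/sh
# Added example, not part of the HP-UX guide. Lint a directory of compartment
# rule files against the planning recommendations: keep every file in one
# directory (no #include), never redefine INIT, and do not let one component's
# rules refer to another component's compartments. Sample files used with it
# are constructed, not shipped configurations.

cmpt_names() {   # print the compartment names defined in file $1
    sed -n 's/^[[:space:]]*compartment[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1"
}

cmpt_lint() {
    dir=${1:-/etc/cmpt}
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Recommendation: keep rule files together; #include scatters them.
        if grep -q '^[[:space:]]*#include' "$f"; then
            echo "WARN: $f: uses #include; keep all rule files in $dir" >&2
            problems=$((problems + 1))
        fi
        # Caution: the automatically generated INIT compartment is never redefined.
        if cmpt_names "$f" | grep -qx INIT; then
            echo "ERROR: $f: redefines the INIT compartment" >&2
            problems=$((problems + 1))
        fi
        # Recommendation: one file per component; rules must not refer to
        # compartments defined in another file (references to INIT are expected).
        for g in "$dir"/*; do
            [ -f "$g" ] && [ "$g" != "$f" ] || continue
            for name in $(cmpt_names "$g" | grep -vx INIT); do
                if grep -Eq "(^|[^A-Za-z0-9_])$name([^A-Za-z0-9_]|\$)" "$f"; then
                    echo "WARN: $f: refers to compartment $name defined in $g" >&2
                    problems=$((problems + 1))
                fi
            done
        done
    done
    echo "$problems"   # number of findings on stdout; 0 means the layout is clean
}
```

Run it as `cmpt_lint /etc/cmpt` after adding or editing a component's rule file; findings go to stderr and the count to stdout.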
© 2008 Hewlett-Packard Development Company, L.P.