Archive for the ‘SRP’ Category

Jun 1st notebook

Strong ES Model:::::: When Strong ES Model enabled, a system can not act as an IP router. And drops incoming IP packets with destination IP addresses that do not match the interface address. Outbound IP packets must use the interface address as the source IP address.


SRP local compartment state can grep from the file::::::/var/opt/hpsrp/state/srpname


To enable additional users for INIT compartment login:::::

>roleadm assign <usrname> SRPlogin-init

To enable additional groups for INIT compartment login::::::

>roleadm assign “&<group_name>” SRPlogin-init


To allow additional users to use the srp_su command, following these steps::::::

  • Create one new hpux.security.srp_su authorization per system:::authadm add hpux.security.srp_su
  • Create a new role per SRP:::roleadm add newRole
  • Assign the hpux.security.srp_su authorization to one role per SRP:::authadm assign newRole hpux.security.srp_su “srp_name”
  • Assign a role to each user:::roleadm assign user_name newRole

Read Full Post »

Unix Chroot tech

Chroot is a Unix system call that is often used to provide an additional layer of security when untrusted programs are running.

The Kernel on Unix varients which support chroot maintain a note of the root directory each process on the system.

Generally is “/”, but this can change using chroot.

To change root directory of program /foo/bar, just run the following code lines:




The chroot prevents malicious programs from accessing the real root file system, providing an added measure of security

for the web server and Directory server processes that power Identity server.

Read Full Post »

PRM Note

PRM is a resource management tool used to control the amount of resources that processes use during peak system load(100% CPU or 100% Memory)

PRM group is a collection of users and applications that joined together and assigned certain amounts of CPU and Memory, there are two types of PRM group::::::FSS PRM groups and PSET PRM groups.

  • FSS PRM groups:::Resource entitlement is specified in shares, using Fair Share Scheduler in HPUX with system default processor set
  • PSET PRM group:::Resource entitlement is specified by a subset of the system’s cores. Processes in a PSET have equal access to CPU cycles on their assigned cores through HPUX standard scheduler.

Processor sets are a way of allocating dedicated CPU resources to designated applications and users.

Read Full Post »

Apr 26th notebook — RBAC

Constrains that limit access to resources usually fit into 3 categories:

  • Subject: The entity attempting to access the resource, under OS usually is a user or a process associated with a user
  • Operation: An action performed on a resource, under OS usually is an application or a command — hpux.user.add
  • Object: The target of the operation


RBAC addresses these issues by grouping users with common authorization needs into roles.

Example operation after invoking privrun:::::


Three steps to deploy RBAC::::::

  1. Plan  roles for users
  2. Plan authorizations for the roles
  3. Plan the authorization to command mappings

Three steps to configure RBAC:::::::

  1. Configure the roles::::::: roleadm to manage roles under HPUX, add/delete/modify/assign/revoke/list…
  2. Configure the authorizations::::::: authadm to manage authorizations under HPUX, add/delete/assign/revoke/list…
  3. Configure any additional commands:::::: cmdprivadm to edit a command’s authorization and privilege information, add/delete…


RBAC can also use compartments to configure applications to run in a particular compartment.

Use only cmdprivadm command to configure compartments for commands, do not edit the /etc/rbac/cmd_priv directly, to update,

first delete the entry and then add the updated version back in.

Read Full Post »

Apr 23rd notebook — ADMIN

Compartment uses four kinds of configuration rules:

  • file system rules
  • IPC rules
  • network rules
  • miscellaneous rules

There are two kinds of rules: subject-centric or object-centric

Admins can use last command to read the file /var/adm/wtmp to check if any illegal user try to login

Admins can use who -u to list the currently logged on user

HPUX Authentication Modules Under PAM subsystem.

User could use passwd -l user to lock of forbid user.

Admin could use last -R to check abnormal super user log on.

Read Full Post »