HP UX Security Products and Features Software manual 4 api

Page 11

This capability is intended to alleviate a security issue associated with dynamic loading. The user must have root authority to dynamically load, and a WLI administrator key must grant dlkm capability directly or through another authorized key.

1.2.4api

WLI permits an application to execute functions contained within the shared object library /opt/ wli/lib/libwliapi.so by granting api capability. This library provides functions to programmatically create, delete, and update policies described in Section 1.1 (page 9). The key signing the executable that invokes libwliapi.so functions must be granted api capability through wlicert. The executable is not required to have api capability.

The services provided by libwliapi are also provided by the wlipolicy command to users holding an authorized key. For an implementation example using libwliapi, see “libwliapi example” (page 45).

1.2 Capabilities

11

Image 11

Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File lock access controls Security featuresFile access policies Capabilities Identity-based access controls4 api Page WLI architecture Product overviewApplication API CommandsApplications WLI metadata files WLI database3 .$WLISIGNATURE$ Page Generating keys Key usageUser keys Administrator keysInstalling WLI Installing, removing, and upgradingInstallation requirements Removing WLI Upgrading WLI Page Authorizing administrator keys ConfiguringAuthorizing the recovery key Backing up the WLI database Signing DLKMsRebooting to restricted mode Page Creating a Flac policy Enhancing security with WLISigning an executable binary Creating an Ibac policy Removing a file access policyEnabling DLKMs to load during boot # kcmodule ciss=unused # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule Loading unsigned DLKMsPage WLI database files Backup and restore considerationsOverview Recommendations Policy protected and metadata filesWrite protected Read/write protected filesMetadata files Flac policiesIbac policies Page WLI database HP Serviceguard considerationsAdministration Policy protected files Lost WLI administrator key or passphrase Troubleshooting and known issuesSoftware distributor issues WLI reinstallation# kcmodule wli=unused # shutdown -r Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # tar -xf /tmp/wlikeydb.tarRelated information Support and other resourcesContacting HP User input Typographic conventionsWebsites Times Page # su wliusr1 # make cleanInstructions # make allIbac add and delete program Flac add and delete programIbac add and delete program Page Administration examples Su root # wlisign -a -k adm1.pvt /usr/bin/tar Wlicert -s -c wli.admin1 -o wmd -k adm1.pvtWlisys -k adm1.pvt -s wmdstoretype=pseudo Tar -vtf tartest.tarBdf mydir Cat /tmp/.$WLIFSPARMS$Bprestore -f backuplist Bpbackup -f backuplistAuthorizing a user key Quick setup examplesConfiguring WLI Authorizing an administrator keyEnabling a Flac policy Testing a Flac policyFlac policies Creating a Flac policyIbac policies Removing an Ibac policy Disabling an Ibac policyASM GlossaryPage Index SymbolsIndex

Related manuals

Manual 130 pages 58.55 Kb