HP UX Security Products and Features Software manual Product overview, WLI architecture


2 Product overview

WLI is a security enhancement product that relies on RSA keys and cryptographic algorithms to restrict access to regular files, directories, and certain protected resources. WLI is complementary to the traditional access restrictions imposed by file ownership and permission bits. An executable permitted by WLI to access a file does not bypass permission bit checks, ACLs, or other security mechanisms.

For more detail on WLI commands and files, see the manpages installed with WLI. For a complete list of manpages and more technical information, see wli(5).

In discussions involving RSA, “key” is synonymous with “private key” throughout this document, because a private key holds all key information and the public key is merely a subset.

IMPORTANT: WLI requires OE B.11.31.0909 or later.

For more information, see Section 4.2 (page 21).

IMPORTANT: WLI is supported on VxFS file systems at revision 4.1 or later and on other HP-UX 11iv3 non-VxFS file systems such as HFS.

WLI file access policy enforcement is supported only for regular files and directories residing on HFS, VxFS, and NFS file systems. Some applications access physical storage directly, bypassing the supported file systems. Examples are Oracle ASM and Veritas CFS.

2.1 WLI architecture

For an illustration of WLI architecture, see Figure 2-1 (page 14). WLI commands restrict access to designated files by generating access policies. Some system resources are also restricted. WLI kernel software enforces access restrictions by examining policy information in real time during access requests on files.

HP-UX Whitelisting A.01.00 Administrator Guide. Copyright 2010 Hewlett-Packard Development Company, L.P.