HP UX Security Products and Features Software manual Commands, Application API

Figure 2-1 WLI architecture

2.1.1 Commands

WLI commands are described in detail through the HP-UX manpage facility on installed platforms, and are not reproduced here. The following briefly describes these commands:

wlipolicy      Manage WLI file access policies
wlisign        Manage WLI signatures on binary executables
wlitool        Sign ELF executable files with or without WLI installed
wliwrap        Run commands with WLI capabilities
wlixfr         Transfer WLI file access policies from one file to another
wliadm         Manage WLI administrator keys
wlicert        Manage WLI user keys and capabilities
wlisys         Manage WLI configuration attributes
wlisyspolicy   Manage WLI security attributes
wlitrace       Unsupported diagnostic tool for HP support personnel only

2.1.1.1 Application API

The shared library /opt/wli/lib/libwliapi.so provides API functions for applications to add, delete, and verify access rights for WLI file access policies. For details on libwliapi functions, see libwliapi(3).
