HP UX Security Products and Features Software manual Applications


The ability to execute functions within this library is a resource protected by WLI. As with other resources protected by WLI, access must explicitly be granted through WLI using authorized RSA keys.

2.1.1.2 Applications

WLI file access policies and resource restrictions are enforced on all applications and commands. Application binaries and files do not need to be modified or relinked.

A user may restrict application access to local files and directories through WLI commands. Applications are permitted access to files and resources protected by WLI through WLI commands.

When the WLI security mode is restricted, access policies on all local regular files and directories are enforced. No user application, including those invoked by the root user (uid 0), is permitted to override access restrictions imposed by WLI.

WLI also provides a maintenance security mode. This mode is insecure and is recommended only when the system is inaccessible to all but administration personnel. WLI policy enforcement and resource protection are not enabled in this mode.

WLI uses FIPS 140-2 certified OpenSSL 1.1.2 archive libcrypto.a, based on OpenSSL A.00.09.07m. This archive is stored at /opt/openssl/fips/0.9.7/lib/hpux64/libcrypto.a when included with an OpenSSL version such as A.00.09.08l.003. For more information about FIPS 140-2 (Federal Information Processing Standard 140-2), see http://www.openssl.org/docs/fips.

Because functions from this archive are statically linked into WLI commands, the archive is not required to be present on platforms where WLI is installed. WLI uses libcrypto.a functions to parse RSA key files generated by all OpenSSL versions. The OpenSSL license is stored at /opt/wli/OpenSSL.LICENSE as part of the WLI installation.

2.1.1.3 Stackable file system module

The HP-UX Stackable File System allows modification of the kernel file system stack through inclusion of one or more executable modules that conform to the VFS interface. A module can be inserted into the file system stack between the VFS layer and one or more file system type modules such as VxFS (JFS) or HFS.

Modifying existing file system type modules is not necessary; the kernel is relinked and rebooted. When the relinked kernel becomes active, the inserted module becomes a component in the file system stack.

When WLI installs, its file system module is inserted between VFS and the local file system type modules that handle local data storage. When a file is opened by an application for read or write access, the WLI file system module causes the open() to fail if a WLI policy on the file would be violated.

2.1.1.4 Policy enforcement manager

This component enforces WLI file access rules. Only the following access policy types are provided:

A FLAC policy limits access to a specific WLI-signed binary executable.

An IBAC policy limits access to a designated set of executables.

A WLI administrator key may also allow access to specific system resources protected by WLI, such as the /dev/mem and /dev/kmem special files.

WLI maintains a database of file access policies and resource restrictions generated by users and administrators. This database is referenced by the Policy Enforcement Manager from within the kernel domain. The Policy Enforcement Manager is called by the WLI file system module to determine if a restriction imposed by WLI should prevent access.
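The open()-time decision described in sections 2.1.1.2 through 2.1.1.4 can be sketched as a small user-space model. This is an added example, not WLI source code: every type, function name and sample policy is hypothetical, and executables are matched by path as a stand-in for the WLI signatures and authorized RSA keys the manual describes.

```c
/* Added illustration, not WLI source: user-space model of the open()-time
 * check. All names are hypothetical; sample policies are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum wli_mode { MODE_RESTRICTED, MODE_MAINTENANCE };
enum policy_type { POLICY_FLAC, POLICY_IBAC };
#define MAX_EXES 4

struct policy {
    const char *file;              /* protected file */
    enum policy_type type;
    const char *allowed[MAX_EXES]; /* FLAC: one executable; IBAC: a set */
};

static const struct policy policy_db[] = {
    { "/data/ledger.db", POLICY_FLAC, { "/opt/app/bin/ledgerd" } },
    { "/data/reports",   POLICY_IBAC, { "/usr/bin/tar", "/opt/app/bin/report" } },
};

/* Returns 1 if open() may proceed, 0 if the module should make it fail.
 * Assumption: path comparison replaces signature verification here. */
int pem_allow_open(enum wli_mode mode, uid_t uid, const char *exe,
                   const char *file)
{
    (void)uid;                     /* uid 0 gets no override */
    if (mode == MODE_MAINTENANCE)
        return 1;                  /* enforcement is not enabled */
    for (size_t i = 0; i < sizeof policy_db / sizeof policy_db[0]; i++) {
        const struct policy *p = &policy_db[i];
        if (strcmp(p->file, file) != 0)
            continue;
        size_t limit = (p->type == POLICY_FLAC) ? 1 : MAX_EXES;
        for (size_t j = 0; j < limit && p->allowed[j] != NULL; j++)
            if (strcmp(p->allowed[j], exe) == 0)
                return 1;
        return 0;                  /* policy exists, caller not listed */
    }
    return 1;                      /* no WLI policy on this file */
}

int main(void)
{
    printf("root cat, restricted:  %d\n",
           pem_allow_open(MODE_RESTRICTED, 0, "/usr/bin/cat", "/data/ledger.db"));
    printf("root cat, maintenance: %d\n",
           pem_allow_open(MODE_MAINTENANCE, 0, "/usr/bin/cat", "/data/ledger.db"));
    return 0;
}
```

The same root-invoked request is denied in restricted mode and allowed in maintenance mode, which is why the manual recommends maintenance mode only when the system is inaccessible to all but administration personnel.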

2.1 WLI architecture 15
