HP UX Security Products and Features Software manual WLI database, WLI metadata files

Page 16

2.1.1.5 File systems

WLI security features are imposed on all directories and regular files that reside in file systems called through the VFS layer.

WLI generates metadata to keep track of its file access policies. Policy metadata might become scattered in files throughout a file system. VxFS (aka JFS) at revision 5.0.1 or later is an exception because metadata can be stored within a named stream. A named stream is associated with a file inode, but is not accessible through the usual open() on the file.

Because a proprietary utility like Symantec NetBackup is required for backing up named streams, the administrator may choose to have metadata stored on files only.

WLI also generates signature metadata for signed executable binaries. For native ELF binaries, the metadata is stored within a special section of the file. PA-RISC binaries are also executable on IA platforms, but their metadata is stored in files similar to policy metadata files.

Special device files within file systems are not affected by WLI with the exception of /dev/mem and /dev/kmem. In restricted mode, access to these files is denied except to applications explicitly granted the mem capability. For more information on WLI capabilities, see “Security features” (page 9) and wli(5).

2.2 WLI database

WLI maintains a set of regular files and directories under /etc/wli. Some files contain configuration data referenced during system boot, and others maintain user and administrator key associations within WLI. These files are installed with WLI or are generated when WLI is initialized, as described in “Configuring” (page 25). WLI prohibits write access to these files in restricted mode. In maintenance mode, the entire database can be read or written without WLI restrictions.

The following directories are under /etc/wli:

/etc/wli/keys

Directory containing password-encrypted administrator

 

private keys, one per file. In maintenance mode, the directory

 

can be read and written. Read/write access is prohibited for

 

all files in this directory in restricted mode.

/etc/wli/certificates

Directory containing public keys authorized for run-time

 

verification of file access policies.

The following files are under /etc/wli:

/etc/wli/wlicert.conf

File mapping WLI capabilities to authorized public keys.

 

For details on content, see wlicert.conf(4). WLI does not

 

permit write access to this file in restricted mode.

/etc/wli/wlisyspolicy.conf

File containing security parameters read into kernel

 

memory early in the HP-UX boot process. For details on

 

content, see wlisys(1M) and wlisyspolicy(1M).

/etc/wli/wlisys.conf

File containing initialization parameters for WLI kernel

 

components. For details on content, see wlisys(1M).

2.3 WLI metadata files

WLI generates at least one metadata file. The number of metadata files generated depends on file system version, value of the wmdstoretype attribute, and file system type.

The following sections describe the metadata file types. All metadata file types have WLI write protection in restricted mode. To override WLI protection for file backup, see Section 1.2.2 (page 10).

16 Product overview

Page 15 Page 17
Image 16
Page 15 Page 17
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File access policies Security featuresFile lock access controls Identity-based access controls Capabilities4 api Page Product overview WLI architectureCommands Application APIApplications WLI database WLI metadata files3 .$WLISIGNATURE$ Page Key usage Generating keysAdministrator keys User keysInstallation requirements Installing, removing, and upgradingInstalling WLI Removing WLI Upgrading WLI Page Authorizing the recovery key ConfiguringAuthorizing administrator keys Signing DLKMs Backing up the WLI databaseRebooting to restricted mode Page Signing an executable binary Enhancing security with WLICreating a Flac policy Enabling DLKMs to load during boot Removing a file access policyCreating an Ibac policy # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/ciss Wlisign -a -k adminpriv /usr/sbin/kcmoduleLoading unsigned DLKMs # kcmodule ciss=unusedPage Overview Backup and restore considerationsWLI database files Policy protected and metadata files Write protectedRead/write protected files RecommendationsIbac policies Flac policiesMetadata files Page Administration HP Serviceguard considerationsWLI database Policy protected files Troubleshooting and known issues Software distributor issuesWLI reinstallation Lost WLI administrator key or passphraseWlisyspolicy -s mode=maintenance -k adminkey Su root # rm -r /etc/wli# tar -xf /tmp/wlikeydb.tar # kcmodule wli=unused # shutdown -rContacting HP Support and other resourcesRelated information Websites Typographic conventionsUser input Times Page # make clean Instructions# make all # su wliusr1Flac add and delete program Ibac add and delete programIbac add and delete program Page Administration examples Wlicert -s -c wli.admin1 -o wmd -k adm1.pvt Su root # wlisign -a -k adm1.pvt /usr/bin/tarTar -vtf tartest.tar Bdf mydirCat /tmp/.$WLIFSPARMS$ Wlisys -k adm1.pvt -s wmdstoretype=pseudoBpbackup -f backuplist Bprestore -f backuplistQuick setup examples Configuring WLIAuthorizing an administrator key Authorizing a user keyTesting a Flac policy Flac policiesCreating a Flac policy Enabling a Flac policyIbac policies Disabling an Ibac policy Removing an Ibac policyGlossary ASMPage Symbols IndexIndex
Top Page Image Contents