HP-UX Security Products and Features Software manual

Page 17

2.3.1 .$WLI_FSPARMS$

.$WLI_FSPARMS$ is a regular file that records the metadata storage type in use for the file system in which it resides. It always appears in the root directory of any file system that also contains WLI metadata. The storage type is selected by the wmdstoretype parameter of wlisys; for details, see wlisys(1M). The following storage types are available:

auto
    If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named stream. A named stream is associated with the inode of the protected file and is not accessible to most commands. For VxFS file systems at revision 5.0 or earlier and for all other file system types, metadata storage is the same as described in the following entry for pseudo.

pseudo
    Metadata is stored separately, in files within directories always named .$WLI_POLICY$ (and, for signatures of non-ELF binaries, .$WLI_SIGNATURE$), described in the following sections. These metadata directories always reside in the parent directory of the protected files.

2.3.2 .$WLI_POLICY$

Directories named .$WLI_POLICY$ contain policy metadata files. They appear when the wmdstoretype parameter has the value pseudo, when the file system is VxFS at revision 5.0 or earlier, and on every non-VxFS file system. WLI write-protects these directories and, in addition, denies read access to every file under a directory with this name.

Each file in this directory has the same name as a file in the parent directory that has been assigned an access policy with wlipolicy. For example, if /tmp contains the following files with WLI access policies:

%ls -l /tmp/JdMB4NJ1 /tmp/T1df07xe
-rw-------   1 joe        users         2723 May  4 14:49 /tmp/JdMB4NJ1
-rw-------   1 joe        users         8199 Jun  3 20:46 /tmp/T1df07xe

Then, /tmp/.$WLI_POLICY$ contains the corresponding policy metadata files:

%ls -l /tmp/.\$WLI_POLICY\$
-rw-------   1 joe        users         2048 Jul 15 15:29 JdMB4NJ1
-rw-------   1 joe        users         2048 Jun  3 20:47 T1df07xe

NOTE: The '\' escape character is used to escape '$', a special character to shell interpreters.

2.3.3 .$WLI_SIGNATURE$

Directories named .$WLI_SIGNATURE$ contain signature metadata files. WLI write-protects these directories and, in addition, denies read access to every file under a directory with this name.

Each file in this directory has the same name as a non-ELF binary in the parent directory that has been signed with wlisign. For example, if /tmp contains the following signed non-ELF binaries:

%ls -l /tmp/CXkiELYm /tmp/wpSzpxzI
-rw-------   1 joe        users         1809 Dec  9  2009 /tmp/CXkiELYm
-rw-------   1 joe        users         1809 Mar 21 03:13 /tmp/wpSzpxzI

Then, /tmp/.$WLI_SIGNATURE$ contains the corresponding signature metadata files:

%ls -l /tmp/.\$WLI_SIGNATURE\$
-rw-------   1 joe        users         2048 Jul 15 01:33 CXkiELYm
-rw-------   1 joe        users         2048 Jul 15 01:36 wpSzpxzI

NOTE: The '\' escape character is used to escape '$', a special character to shell interpreters.

ELF-formatted binaries signed by wlitool or wlisign store their signature metadata within a section of the binary file and do not have separate metadata files.
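The two listings above show the one-to-one naming between a protected file and its entry in the sibling .$WLI_POLICY$ or .$WLI_SIGNATURE$ directory. The following script is an added example, not part of the guide or of the WLI product: it walks a directory tree, finds every pseudo-store metadata directory, and checks that each metadata entry still has a namesake in the parent directory, reporting entries whose protected file has since been removed or renamed as ORPHAN. It relies only on directory listings, because on a real WLI system read access to the files inside these directories is denied; the wli_demo_tree function builds a constructed tree that mirrors the /tmp example (with an extra stale entry) so the script can be run offline. The directory names, the ORPHAN/OK vocabulary and the demo file names are this example's own assumptions. Remember that with wmdstoretype=auto on VxFS 5.0.1 or later no such directories exist at all, so an empty report is not proof that nothing is protected.

```shell
#!/bin/sh
# Added example (not from the HP-UX Whitelisting guide): audit WLI pseudo-store
# metadata directories under a tree. Assumptions: the directory names are
# literally ".$WLI_POLICY$" and ".$WLI_SIGNATURE$"; an entry with no namesake in
# the parent directory is reported as ORPHAN. Only directory listings are used,
# since WLI denies read access to the metadata files themselves.

WLI_POLICY_DIR='.$WLI_POLICY$'
WLI_SIG_DIR='.$WLI_SIGNATURE$'

# wli_meta_audit TREE
# Prints one line per metadata entry: "<POLICY|SIGNATURE> <parent>/<name> OK|ORPHAN".
# Returns 0 if every entry has its protected file, 1 if any orphan was found.
wli_meta_audit() {
    tree=$1
    list=$(mktemp)
    # Quoting keeps the shell from expanding $WLI_POLICY$ inside the names.
    find "$tree" -type d \( -name "$WLI_POLICY_DIR" -o -name "$WLI_SIG_DIR" \) \
        | sort > "$list"
    orphans=0
    while IFS= read -r mdir; do
        parent=$(dirname "$mdir")
        case $(basename "$mdir") in
            "$WLI_POLICY_DIR") kind=POLICY ;;
            *)                 kind=SIGNATURE ;;
        esac
        # Include dot-files; skip the literal pattern when a glob matches nothing.
        for entry in "$mdir"/* "$mdir"/.[!.]*; do
            [ -e "$entry" ] || continue
            name=$(basename "$entry")
            if [ -e "$parent/$name" ]; then
                printf '%s %s/%s OK\n' "$kind" "$parent" "$name"
            else
                printf '%s %s/%s ORPHAN\n' "$kind" "$parent" "$name"
                orphans=$((orphans + 1))
            fi
        done
    done < "$list"
    rm -f "$list"
    [ "$orphans" -eq 0 ]
}

# wli_demo_tree ROOT
# Builds a constructed tree modelled on the guide's /tmp example. The files are
# empty placeholders; real metadata files are unreadable and their format is not
# documented here. "stale" simulates metadata left behind after its file was removed.
wli_demo_tree() {
    root=$1
    mkdir -p "$root/$WLI_POLICY_DIR" "$root/$WLI_SIG_DIR"
    : > "$root/JdMB4NJ1"
    : > "$root/T1df07xe"
    : > "$root/$WLI_POLICY_DIR/JdMB4NJ1"
    : > "$root/$WLI_POLICY_DIR/T1df07xe"
    : > "$root/$WLI_POLICY_DIR/stale"
    : > "$root/CXkiELYm"
    : > "$root/$WLI_SIG_DIR/CXkiELYm"
}

# Stand-alone run: audit the constructed tree, then clean it up.
demo=$(mktemp -d)
wli_demo_tree "$demo"
wli_meta_audit "$demo" || echo "orphaned WLI metadata found under $demo"
rm -rf "$demo"
```

On a live system, point wli_meta_audit at the mount point of a file system whose .$WLI_FSPARMS$ selects pseudo storage (or any non-VxFS file system); run it as a user who can at least list the metadata directories, and treat ORPHAN lines as candidates for cleanup with the WLI tools rather than removing them by hand, since the directories are write-protected by WLI.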

2.3 WLI metadata files 17

HP-UX Whitelisting A.01.00 Administrator Guide. Copyright 2010 Hewlett-Packard Development Company, L.P.