HP UX Security Products and Features Software manual Removing WLI

Page 22

7. Click Download.

8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system. Use the file name /tmp/<wli-depotname>.depot, for example.

9. Verify the depot file is saved on your system with the following command:

# swlist -d @ /tmp/<wli-depotname>.depot

10. Install the bundle:

# swinstall -x autoreboot=true -s /tmp/<wli-depotname>.depot WhiteListInf

11. Verify the installation:

# swverify WhiteListInf

If WLI is installed correctly on the system, the swverify command includes the following text in the reported data:

Verification succeeded

WLI relies on the OpenSSL product for RSA key generation, but the OpenSSL product is not required for installation. The latest version of OpenSSL is recommended, but any version installable on HP-UX 11iv3 is sufficient. You can download the latest version from:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

OpenSSL installs by default with every HP-UX OE release, but might have been removed or not installed with the OE. To determine the OpenSSL version and verify its content, enter:

% swlist OpenSSL

% swverify OpenSSL

4.3 Removing WLI

The administrator should consider creating a backup of policy protected files, signed binaries, and metadata files. If reinstallation is planned, keys used for generating policies and signatures are recognized by WLI if the keys are authorized following reinstallation.

WLI does not track access policies assigned to files and signatures generated on binaries. File and signature metadata becomes transparent once the kernel is rebuilt without the WLI component. WLI metadata does not impact file access or command execution once WLI is removed.

The presence of old metadata can inhibit new policy and signature generation if WLI is reinstalled. If reinstallation is planned, HP recommends backup and removal of all known signatures and policies.

To remove WLI, use the following procedure:

1. Retrieve the security attributes for WLI:

% wlisyspolicy -g

If protection mode is restricted, change to maintenance.

2. Skip this step if protection mode is maintenance. To set protection mode to maintenance:

% wlisyspolicy -s mode=maintenance -k <admin_private_key>

where:

<admin_private_key> is a WLI administrator private key. A prompt appears for the key passphrase.

3. If allow security downgrade is deferred, a reboot is required for protection mode to switch to maintenance. Following reboot of the system, verify that protection mode is maintenance:

% wlisyspolicy -g
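As an added example that is not part of the HP-UX WLI guide: a POSIX shell helper that applies steps 1 to 3 of the removal procedure to the output of wlisyspolicy -g and reports whether WLI can be removed as-is, whether protection mode must first be switched to maintenance, or whether a reboot must follow that switch because allow security downgrade is deferred. The labels it matches ("mode", "restricted", "maintenance", "downgrade", "deferred") are assumptions about what the command prints, since this page does not reproduce its output; the sample text in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the HP-UX WLI guide: turn the output of
# "wlisyspolicy -g" into the action the WLI removal procedure requires.
#
# ASSUMPTION: the output contains a line that names the protection mode
# (containing "mode" and either "restricted" or "maintenance") and a line
# that names the allow-security-downgrade attribute containing the word
# "deferred" when a reboot is needed. The guide does not reproduce the
# exact labels on this page, so the matching below is deliberately loose.

# Print "restricted" or "maintenance" from wlisyspolicy -g text on stdin;
# print nothing when no protection mode line is present.
wli_mode() {
    awk '{ s = tolower($0) }
         s ~ /mode/ && s ~ /restricted/  { print "restricted";  exit }
         s ~ /mode/ && s ~ /maintenance/ { print "maintenance"; exit }'
}

# Exit 0 when the allow-security-downgrade attribute is deferred, i.e.
# when a mode change only takes effect after a reboot (step 3).
wli_downgrade_deferred() {
    awk '{ s = tolower($0) }
         s ~ /downgrade/ && s ~ /deferred/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Read "wlisyspolicy -g" output on stdin and print one of:
#   ready            protection mode is already maintenance (skip step 2)
#   set-mode         run: wlisyspolicy -s mode=maintenance -k <admin_private_key>
#   set-mode-reboot  as above, then reboot and re-check with wlisyspolicy -g
#   unknown          no protection mode found in the input (exit status 2)
wli_removal_plan() {
    input=$(cat)
    mode=$(printf '%s\n' "$input" | wli_mode)
    case "$mode" in
        maintenance) echo ready ;;
        restricted)
            if printf '%s\n' "$input" | wli_downgrade_deferred; then
                echo set-mode-reboot
            else
                echo set-mode
            fi ;;
        *) echo unknown; return 2 ;;
    esac
}

# With "--live" on an HP-UX host, classify the real attributes; otherwise
# demonstrate on constructed output (labels are assumed, see above).
if [ "${1:-}" = "--live" ]; then
    wlisyspolicy -g | wli_removal_plan
else
    printf 'protection mode: restricted\nallow security downgrade: deferred\n' \
        | wli_removal_plan
fi
```

The two attribute checks are kept as separate functions so that each one can be adjusted independently if the real wlisyspolicy -g labels differ from the assumed ones; the decision in wli_removal_plan stays the same.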

22 Installing, removing, and upgrading
