HP-UX Security Products and Features Software manual: Upgrading WLI

Page 23

4.Log in to the target system as the root user.

5.Remove WLI:

%swremove -x autoreboot=true WhiteListInf

The machine automatically reboots after rebuilding the kernel without the WLI module.

6.Manual cleanup:

swremove does not delete the metadata files generated by WLI commands, because WLI does not keep track of them. Remove these files manually; they are listed in Section 2.3 (page 16).

4.4 Upgrading WLI

WLI upgrades are delivered as later revisions of WLI. If WLI is already installed on your system and you are upgrading to a later revision, use the following procedure:

1.Change the security mode of WLI to maintenance:

%wlisyspolicy -s mode=maintenance -k <wli_admin_key>

2.Back up the WLI database. HP recommends this step, but it is not required:

%tar -cvf wli_keydbxx.tar /etc/wli

NOTE: You can use an equivalent command.

3.Install the later WLI revision. For details, see Section 4.2 (page 21).

4.After the reboot, the configuration scripts run automatically unless configuration was deferred on the swinstall command line. If configuration was deferred, run:

%swconfig WLI

5.The following configuration files are stored in the WLI database and are preserved from the previous revision:

/etc/wli/wlisys.conf

/etc/wli/wlisyspolicy.conf

The new revision's versions of these files are copied to the system at the following respective locations:

/opt/wli/newconfig/etc/wlisys.conf

/opt/wli/newconfig/etc/wlisyspolicy.conf

Compare each new version with the preserved one. If the new version contains additional structure or information, copy the old version to a safe location, then copy the new version over the respective database location. The administrator can also set attribute values in the new file to match those in the old file so that site-specific settings are not lost. Complete this step before returning the system to restricted mode in step 8.

6.Do not perform the manual configuration steps listed in “Configuring” (page 25). At this point the WLI database is identical to that of the previous revision, except possibly for the files replaced in step 5.

7.If the configuration files were modified or replaced in step 5, refresh the backup archive from step 2 so that it contains the newer file versions.

8.Set the security mode back to restricted. This step requires the passphrase of a WLI administrator key:

%wlisyspolicy -s mode=restricted -k <wli_admin_key>

9.Reboot the system. The following command must be executed as the root user:

# shutdown -r
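The comparison and merge in step 5 (adopt attributes the new revision adds, keep the values the site had set) can be scripted. The following POSIX shell script is an added example for this guide; it is not part of HP's WLI product, and WLI ships no such tool. It assumes, hypothetically, that wlisys.conf and wlisyspolicy.conf are plain attribute=value files with # comment lines; the attribute names in its demo are made up, and the only paths taken from the procedure are the /etc/wli and /opt/wli/newconfig/etc locations named above. It reports which attributes the shipped file introduces and writes a merged copy that keeps the old value of every attribute both files share, for review before it is placed in the database location.

```shell
#!/bin/sh
# Added example for step 5 of the WLI upgrade procedure. Not HP's code.
# Assumption (hypothetical): the WLI configuration files are plain
# "attribute=value" lines with '#' comments and no whitespace around
# the attribute name. Attribute names used in the demo are made up.

# Print attributes present in the new (shipped) file but absent from the
# old (database) file. Non-empty output means the new revision added
# structure, so the new file has to replace the preserved one.
wli_conf_new_attrs() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        FILENAME == ARGV[1] {
            i = index($0, "="); if (i) seen[substr($0, 1, i - 1)] = 1; next
        }
        {
            i = index($0, "=")
            if (i && !(substr($0, 1, i - 1) in seen)) print substr($0, 1, i - 1)
        }
    ' "$1" "$2"
}

# Write a merged copy of the new file to $3: keep the new file's comments,
# ordering and every attribute it introduces, but carry over the value of
# each attribute that already existed in the old file, so site settings
# survive the upgrade. Attributes only in the new file keep the shipped value.
wli_conf_merge() {
    awk '
        FILENAME == ARGV[1] {
            if ($0 ~ /^[[:space:]]*#/ || $0 ~ /^[[:space:]]*$/) next
            i = index($0, "="); if (i) val[substr($0, 1, i - 1)] = substr($0, i + 1)
            next
        }
        {
            i = index($0, "=")
            if (i) { k = substr($0, 1, i - 1); if (k in val) { print k "=" val[k]; next } }
            print
        }
    ' "$1" "$2" > "$3"
}

# Demo on constructed sample files; these stand in for /etc/wli/wlisys.conf
# (old) and /opt/wli/newconfig/etc/wlisys.conf (new) and are not real contents.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc_wli" "$demo_dir/newconfig"
old_conf="$demo_dir/etc_wli/wlisys.conf"
new_conf="$demo_dir/newconfig/wlisys.conf"
printf 'sitevalue=42\nloglevel=debug\n' > "$old_conf"
printf '# shipped defaults (new revision)\nsitevalue=1\nloglevel=info\naddedattr=default\n' > "$new_conf"

echo "Attributes introduced by the new revision:"
wli_conf_new_attrs "$old_conf" "$new_conf"
wli_conf_merge "$old_conf" "$new_conf" "$demo_dir/wlisys.conf.merged"
echo "Merged file to review before copying it into the database location:"
cat "$demo_dir/wlisys.conf.merged"
rm -rf "$demo_dir"
```

Run the merge once per file, with the old copy taken from /etc/wli and the new copy from /opt/wli/newconfig/etc, and do it while the system is still in maintenance mode so the reviewed result can be placed before step 8. The script matches attribute names exactly, so an attribute the new revision renamed still shows up as added and must be reconciled by hand.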


Image 23: table of contents and index of the HP-UX Whitelisting A.01.00 Administrator Guide (Copyright 2010 Hewlett-Packard Development Company, L.P.)