HP UX Security Products and Features Software manual Signing DLKMs, Backing up the WLI database

Page 26

<instance> <priv_key> <src:val>

is the key identifier; instance is a string chosen by an administrator.

is the recovery key or previously authorized administrator key.

is the passphrase source and value. If the -poption is not included, a prompt appears for the passphrase at the /dev/tty device.

<pub_key> is the public key being authorized for WLI administrator authority.

Changing administrator key passphrases does not impact WLI database files. Generating a new WLI database backup following passphrase changes to user or administrator keys is not necessary.

5.3 Signing DLKMs

WLI protects a system against rogue DLKMs in restricted mode. For a DLKM to be loaded by the system during boot, it must be signed with wlisign using an authorized key. The signing key does not require dlkm capability. The signature permits the DLKM to be authenticated by WLI before it is loaded.

One essential DLKM that loads during boot is the Kernel Random Number Generator, /usr/ conf/mod/rng. Before setting WLI to restricted mode and rebooting the system, it is necessary to sign this DLKM. If /home/jane/jane.priv is a key with WLI administration authority, the following procedure allows /usr/conf/mod/rng to load and initialize during boot:

IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.

1.Unload the DLKM:

#kcmodule rng=unused

2.Sign the DLKM:

#wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng

3.Load the DLKM:

#kcmodule rng=best

where:

 

jane

is a valid user ID.

jane.priv

is the key identifier.

priv

is an arbitrary string chosen by the administrator.

It is important that the DLKM is reloaded after signing. Repeat these steps for all DLKMs loaded during boot. A root user needs to repeat these steps if usr/conf/mod/rng is replaced by software update.

5.4 Backing up the WLI database

After all administrator keys are authorized, HP recommends backing up the WLI database while the security mode is maintenance. A backup of administrator key files is not possible after WLI is operational in restricted mode. For details of the WLI database, see Section 2.2 (page 16). For more information about backup, see Section 7.1 (page 33). To backup the WLI database in maintenance mode:

%tar -cf wli.tar /etc/wli

For this example, tar is used. Proprietary backup utilities or cpio also work.

No procedure changes are required for restoring a database backup in maintenance mode.

In restricted mode, a database backup cannot be restored because of read/write protection on administrator key storage.

26 Configuring

Page 25 Page 27
Image 26
Page 25 Page 27
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File lock access controls Security featuresFile access policies Identity-based access controls Capabilities4 api Page Product overview WLI architectureCommands Application APIApplications WLI database WLI metadata files3 .$WLISIGNATURE$ Page Key usage Generating keysAdministrator keys User keysInstalling WLI Installing, removing, and upgradingInstallation requirements Removing WLI Upgrading WLI Page Authorizing administrator keys ConfiguringAuthorizing the recovery key Signing DLKMs Backing up the WLI databaseRebooting to restricted mode Page Creating a Flac policy Enhancing security with WLISigning an executable binary Creating an Ibac policy Removing a file access policyEnabling DLKMs to load during boot Loading unsigned DLKMs # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule # kcmodule ciss=unusedPage WLI database files Backup and restore considerationsOverview Read/write protected files Policy protected and metadata filesWrite protected RecommendationsMetadata files Flac policiesIbac policies Page WLI database HP Serviceguard considerationsAdministration Policy protected files WLI reinstallation Troubleshooting and known issuesSoftware distributor issues Lost WLI administrator key or passphrase# tar -xf /tmp/wlikeydb.tar Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # kcmodule wli=unused # shutdown -rRelated information Support and other resourcesContacting HP User input Typographic conventionsWebsites Times Page # make all # make cleanInstructions # su wliusr1Flac add and delete program Ibac add and delete programIbac add and delete program Page Administration examples Wlicert -s -c wli.admin1 -o wmd -k adm1.pvt Su root # wlisign -a -k adm1.pvt /usr/bin/tarCat /tmp/.$WLIFSPARMS$ Tar -vtf tartest.tarBdf mydir Wlisys -k adm1.pvt -s wmdstoretype=pseudoBpbackup -f backuplist Bprestore -f backuplistAuthorizing an administrator key Quick setup examplesConfiguring WLI Authorizing a user keyCreating a Flac policy Testing a Flac policyFlac policies Enabling a Flac policyIbac policies Disabling an Ibac policy Removing an Ibac policyGlossary ASMPage Symbols IndexIndex
Related manuals
Manual 130 pages 58.55 Kb
Top Page Image Contents