HP-UX Security Products and Features software manual: Creating an IBAC policy

Page 30

The policy metadata is created and resides in a protected file or named stream, depending on the current value of the metadata storage attribute and possibly the file system type.

The administrator owns key admin.pvt. The administrator must authorize the user key for policy enforcement:

%wlicert -i joe.key -k ./admin.pvt /home/joe/joepub

The administrator chose identifier joe.key to represent the user's key in the WLI database.

Now /home/joe/joefile is protected against deletion and alteration.

NOTE: The user and administrator can be the same person and user ID.

TIP: An administrator key can create the FLAC policy.

6.3 Creating an IBAC policy

In the following example, the user wants /home/joe/joefile2 accessible only through /home/joe/joe_vi. The user adjusted the group permissions for joe_vi so that only he and a specific group can execute joe_vi. The user's private key is joepriv.

User procedure:

1. Sign joe_vi:

%cd /home/joe

%wlisign -a -k joepriv -e joe_vi

2. Create the IBAC policy:

%wlipolicy -i -a -k joepriv -e joe_vi joefile2

The administrator must authorize the user key for policy enforcement as in Section 6.2 (page 29):

%wlicert -i joe.key -k ./admin.pvt /home/joe/joepub

NOTE: The keys used to sign joe_vi and create the IBAC policy are the same. This is not a requirement and the keys can be different.

Now, joefile2 can only be opened by joe_vi. Any user, including superuser, receives a “Permission denied” message if access is attempted with /usr/bin/vi or any other executable.

IBAC and FLAC policies are mutually exclusive. A file can have any number of IBAC policies assigned to it, but only one FLAC policy.
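As an added example that is not part of the guide, a small POSIX shell pre-flight check for the IBAC procedure above: because the policy trusts every process running the signed joe_vi, whoever can execute joe_vi can reach joefile2, so the script verifies the gateway executable's permissions before running the documented wlisign and wlipolicy commands. The function names are the example's own; key, executable and file names are placeholders for joepriv, joe_vi and joefile2.

```sh
# Added example (not from the HP-UX WLI guide): pre-flight check for the
# IBAC procedure. An IBAC policy grants access to the target file to every
# process running the signed gateway image, so anyone who can execute the
# gateway can read and write the target. Before creating the policy, confirm
# the gateway is not world-executable and that nobody but the owner can
# replace it. Parses ls -l rather than stat(1) because stat flags differ
# between HP-UX and other Unixes.

# gateway_perms_ok FILE: returns 0 when FILE is a regular file with no
# "other" execute bit and no group/other write bit; 1 otherwise, with
# the reason on stderr.
gateway_perms_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwxr-x---
    group=$(printf '%s' "$mode" | cut -c5-7)  # rwx bits for group
    other=$(printf '%s' "$mode" | cut -c8-10) # rwx bits for other
    case $other in *x*)
        echo "$f: world-executable ($mode): anyone could use it as the IBAC gateway" >&2
        return 1 ;;
    esac
    case "$group$other" in *w*)
        echo "$f: writable by group or other ($mode): fix permissions before signing" >&2
        return 1 ;;
    esac
    return 0
}

# create_ibac_policy KEY GATEWAY TARGET: runs the documented user procedure
# (wlisign, then wlipolicy -i -a) only after the permission check passes.
# KEY, GATEWAY and TARGET stand for joepriv, joe_vi and joefile2.
create_ibac_policy() {
    key=$1; gateway=$2; target=$3
    gateway_perms_ok "$gateway" || return 1
    wlisign -a -k "$key" -e "$gateway" || return 1
    wlipolicy -i -a -k "$key" -e "$gateway" "$target"
}

# Example invocation from the user's home directory, as in the guide:
# cd /home/joe && create_ibac_policy joepriv joe_vi joefile2
```

The administrator still has to authorize the user key with wlicert afterwards, exactly as the guide describes; the script does not replace that step.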

6.4 Removing a file access policy

In the following example, the user wants to remove the FLAC policy.

User procedure:

Delete the policy:

%cd /home/joe

%wlipolicy -f -d -k joepriv1 -e joe_vi joefile

The same key used to create the FLAC policy is necessary to delete the policy. Any user that can read the key and knows the passphrase can delete it.

6.5 Enabling DLKMs to load during boot

For this example, the system administrator identified /usr/conf/mod/ciss as a DLKM that loads during boot. The DLKM must be signed now that WLI is installed to continue to load

