during boot. A DLKM loads at boot only if it has been signed with an authorized key. In this example the administrator owns the WLI administrator key adminpriv. Like every administrator key, adminpriv was authorized for signature verification automatically when it was granted WLI administrator authority.

Following WLI installation, the system reboots and WLI starts in maintenance mode. Verify that the DLKM to be signed is unloaded, then sign and reload it:

IMPORTANT: Perform this procedure as the root user. Root authority is required to load and unload DLKMs.

1. Unload the DLKM:

   # kcmodule ciss=unused

2. Sign the DLKM:

   # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/ciss

3. Load the DLKM:

   # kcmodule ciss=loaded

The root user must repeat these steps whenever /usr/conf/mod/ciss is replaced by a software update, because the recorded signature no longer matches the new file and the module will not load at boot until it is signed again.

Signing with an authorized user key is also sufficient. The key does not require WLI administrator authority.

NOTE: Granting dlkm capability to the authorizing key or to the dlkm is not necessary.

6.6 Loading unsigned DLKMs

The following example demonstrates how a WLI administrator can dynamically load /usr/conf/mod/bigdlkm into the kernel domain without writing a signature. The current state of the DLKM is unused, and the administrator owns the administrator key adminpriv with extracted public key adminpub. Because WLI capabilities are not granted to keys automatically, the administrator must first grant dlkm capability to adminpriv with wlicert:

% cd /home/admin1

% wlicert -c admin1.key1 -s -k adminpriv -o -dlkm

In this command the key adminpriv grants dlkm capability to itself.

An administrator key must also be used to sign /usr/sbin/kcmodule, the command that loads the unsigned DLKM. Granting dlkm capability to the command itself is not necessary:

% wlisign -a -k adminpriv /usr/sbin/kcmodule

The wliwrap command then executes kcmodule as a child process. Because WLI adds to, rather than replaces, the standard HP-UX access checks, the administrator must still become root to satisfy the effective user ID requirement for running /usr/sbin/kcmodule:

% su root

# wliwrap -k adminpriv -o -dlkm "/usr/sbin/kcmodule bigdlkm=loaded"

In this example, the wliwrap command temporarily added dlkm capability to the kcmodule process; the capability lasts only for that process and is not recorded against kcmodule or the DLKM. Note that adminpriv now carries dlkm capability permanently: possession of that key file and its passphrase is sufficient to load arbitrary unsigned code into the kernel, so protect the key accordingly.
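The boot-time signing procedure (unload, wlisign, reload) and the section 6.6 procedure (wlicert grant, wlisign of kcmodule, wliwrap) as checked shell functions. This is an added example, not code from the HP-UX Whitelisting guide or from HP. It assumes kcmodule is at /usr/sbin/kcmodule as shown in the guide, that wlisign, wlicert and wliwrap are on PATH, and that kcmodule's query output lists the module name in the first column and its state in the second; the KCMODULE, WLISIGN, WLIWRAP, WLICERT and MODDIR override variables are this script's own, added so the control flow can be exercised against stubs off an HP-UX host. Each loading function confirms the module state after the command instead of trusting the exit status alone, and refuses to run without the root EUID that kcmodule requires.

```shell
#!/bin/sh
# Added example, not from the HP-UX WLI guide: the two DLKM procedures as
# checked shell functions. Command paths default to the guide's path for
# kcmodule and to PATH lookup for the WLI commands; the override variables
# are this script's own so the logic can be exercised against stubs.
KCMODULE=${KCMODULE:-/usr/sbin/kcmodule}
WLISIGN=${WLISIGN:-wlisign}
WLIWRAP=${WLIWRAP:-wliwrap}
WLICERT=${WLICERT:-wlicert}
MODDIR=${MODDIR:-/usr/conf/mod}

# State column kcmodule reports for one module ("unused", "loaded", ...).
# Assumption: the query output lists the module name first, its state second.
kc_state() {
    "$KCMODULE" "$1" | awk -v m="$1" '$1 == m { print $2; exit }'
}

# WLI does not relax ordinary HP-UX checks: kcmodule still needs EUID 0.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: kcmodule needs EUID 0" >&2; return 1; }
}

# Boot-time loading: sign a DLKM with an authorized key so it loads at boot.
# Repeat after any software update replaces $MODDIR/<module>, because the
# recorded signature no longer matches the new file.
#   usage: wli_sign_and_load <module> <private-key-file>
wli_sign_and_load() {
    mod=$1; key=$2
    require_root || return 1
    # The module must be unloaded before it is signed.
    if [ "$(kc_state "$mod")" != "unused" ]; then
        "$KCMODULE" "$mod=unused" || return 1
    fi
    "$WLISIGN" -a -k "$key" "$MODDIR/$mod" || return 1
    "$KCMODULE" "$mod=loaded" || return 1
    # Confirm the kernel actually took the module, not just that kcmodule exited 0.
    [ "$(kc_state "$mod")" = "loaded" ]
}

# Section 6.6, one-time preparation, run as the key's owner (not root):
# grant dlkm capability to the administrator key, then sign kcmodule with it.
#   usage: wli_prepare_unsigned_loading <key-name-in-WLI-database> <private-key-file>
wli_prepare_unsigned_loading() {
    "$WLICERT" -c "$1" -s -k "$2" -o -dlkm || return 1
    "$WLISIGN" -a -k "$2" "$KCMODULE"
}

# Section 6.6: load an unsigned DLKM by running kcmodule under wliwrap, which
# lends the key's dlkm capability to that one kcmodule process only.
#   usage: wli_load_unsigned <module> <private-key-file>
wli_load_unsigned() {
    mod=$1; key=$2
    require_root || return 1
    "$WLIWRAP" -k "$key" -o -dlkm "$KCMODULE $mod=loaded" || return 1
    [ "$(kc_state "$mod")" = "loaded" ]
}

# Command-line entry points, e.g.:  sh wli_dlkm.sh sign ciss /home/admin1/adminpriv
case ${1:-} in
    sign)     wli_sign_and_load "$2" "$3" ;;
    prepare)  wli_prepare_unsigned_loading "$2" "$3" ;;
    unsigned) wli_load_unsigned "$2" "$3" ;;
esac
```

The prepare step is separate from the load step on purpose: the wlicert grant and the signature on kcmodule persist, so they are performed once by the key owner, while every unsigned load is a root-only wliwrap invocation whose effect on kcmodule's capabilities ends with that process.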

Source: HP-UX Whitelisting A.01.00 Administrator Guide, page 31. Copyright 2010 Hewlett-Packard Development Company, L.P.