HP-UX Whitelisting A.01.00 Administrator Guide, page 35

7.3.1 FLAC policies

A file with a FLAC policy can be read, but it cannot be overwritten unless the executing process has been granted the wmd capability. With wmd, FLAC protection is not enforced at all, which allows the file and its policy metadata to be restored from an archive over an existing copy of the FLAC-protected file.

7.3.2 IBAC policies

Without wmd capability, a file with an IBAC policy can be read or written only if an IBAC policy identifies the reading or writing command as an authorized executable. IBAC policies are effectively overridden by wmd, which lets backup and restore operations complete. Therefore, wmd capability must be granted to backup and restore operations that involve WLI policy protected files.

7.3.3 Metadata files

WLI metadata files are described in Section 2.3 (page 16). WLI protections are in effect only in restricted mode. All WLI metadata file protections are overridden when wmd capability is granted to the executing process, which permits all metadata to be archived and restored together with the files to which it pertains.
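The three subsections above describe one access-decision model: what a process may do to a FLAC-protected, IBAC-protected or metadata file depending on whether it holds wmd and whether the system is in restricted mode. The following is an added reference model of those rules written for this page; it is not HP's code and does not call WLI. The policy names, the executable paths, the treatment of metadata files as read-only without wmd, and the "restricted"/"maintenance" mode strings are assumptions made for illustration.

```python
"""Reference model of the WLI access rules in 7.3.1-7.3.3 (added example,
not part of the HP-UX Whitelisting product). Paths, the metadata-file
treatment and the mode strings are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Set

WMD = "wmd"  # the capability named on the page


class Policy(Enum):
    NONE = "none"          # no WLI policy on the file
    FLAC = "flac"          # file lock access control: write-protected
    IBAC = "ibac"          # identity-based access control
    METADATA = "metadata"  # WLI metadata file (assumption: modelled as write-protected)


@dataclass(frozen=True)
class Process:
    executable: str                     # path of the running executable
    caps: FrozenSet[str] = frozenset()  # capabilities granted, e.g. frozenset({"wmd"})


@dataclass
class ProtectedFile:
    path: str
    policy: Policy = Policy.NONE
    # IBAC only: executables authorized per operation ("read" / "write")
    authorized: Dict[str, Set[str]] = field(default_factory=dict)


def wli_allows(f: ProtectedFile, op: str, proc: Process, mode: str = "restricted") -> bool:
    """Decide whether WLI permits `op` ("read" or "write") on `f` by `proc`."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown op {op!r}")
    if mode != "restricted":   # 7.3.3: protections are in effect only in restricted mode
        return True
    if WMD in proc.caps:       # wmd overrides FLAC, IBAC and metadata-file protection
        return True
    if f.policy is Policy.NONE:
        return True
    if f.policy in (Policy.FLAC, Policy.METADATA):
        return op == "read"    # 7.3.1: readable, never overwritable without wmd
    # 7.3.2 IBAC: only an executable the policy authorizes may read or write
    return proc.executable in f.authorized.get(op, set())


def restore_outcome(files: List[ProtectedFile], proc: Process, mode: str = "restricted") -> Dict[str, bool]:
    """Map each path to whether a restore (a write to that path) would succeed."""
    return {f.path: wli_allows(f, "write", proc, mode) for f in files}


# Constructed sample (assumed paths): a FLAC-protected binary, an IBAC-protected
# database that only a hypothetical /opt/app/bin/dbd may touch, a metadata file
# and an unprotected log.
SAMPLE_FILES = [
    ProtectedFile("/opt/app/bin/server", Policy.FLAC),
    ProtectedFile("/opt/app/data/accounts.db", Policy.IBAC,
                  authorized={"read": {"/opt/app/bin/dbd"}, "write": {"/opt/app/bin/dbd"}}),
    ProtectedFile("/opt/app/data/.$WLISIGNATURE$", Policy.METADATA),
    ProtectedFile("/var/opt/app/app.log"),
]
TAR_PLAIN = Process("/usr/bin/tar")                    # restore run without wmd
TAR_WMD = Process("/usr/bin/tar", frozenset({WMD}))    # the same run with wmd granted


def blocked_without_wmd(files: List[ProtectedFile] = SAMPLE_FILES) -> List[str]:
    """Paths a plain (non-wmd) restore cannot overwrite in restricted mode."""
    return sorted(p for p, ok in restore_outcome(files, TAR_PLAIN).items() if not ok)


if __name__ == "__main__":
    print("blocked without wmd:", blocked_without_wmd())
    print("blocked with wmd:   ",
          [p for p, ok in restore_outcome(SAMPLE_FILES, TAR_WMD).items() if not ok])
```

Two things the model makes visible that the prose only implies: a backup of a FLAC file succeeds without wmd (reads are allowed) while a restore does not, whereas for an IBAC file even the backup read fails unless the backup command itself is an authorized executable or holds wmd. That is why the page requires wmd for both directions of a backup and restore that touch policy protected files.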

7.3.4 Recommendations

HP recommends using wliwrap to grant wmd capability. The wliwrap command grants wmd only for the duration of a backup or restore operation. Consequently, a key that has been granted wmd is always required to execute backup and restore operations.

Refresh backups of policy protected files immediately after creating new policies. Archives of policy protected files and their metadata can be created and refreshed in restricted mode without difficulty.

7.3 Policy protected and metadata files

Source: HP-UX Whitelisting A.01.00 Administrator Guide, Copyright 2010 Hewlett-Packard Development Company, L.P.