HP UX Security Products and Features Software manual Troubleshooting and known issues

Page 39

9 Troubleshooting and known issues

9.1 Software distributor issues

Signing an ELF formatted binary adds a signature metadata section to the binary file. This action has the side effect of changing the file modification time and size. If the binary happens to be delivered as part of a product, the swverify command registers errors.

If error free swverify analysis on a product is important, sign and use a duplicate of the command whenever practical. If using a copy is not practical, the SD-UX product database can be updated with swmodify so that swverify errors are not reported.

For example, if /usr/bin/ssh and /usr/sbin/sshd are signed, clear the swverify error with the following:

%wlisign -a -k userkey1 /usr/bin/ssh

%wlisign -a -k userkey1 /usr/sbin/sshd

%swmodify -x files=’/usr/bin/ssh /usr/sbin/sshd” Secure_Shell.SECURE_SHELL

9.2WLI reinstallation

Residual file access policy and signature metadata from a previous installation can interfere with a WLI reinstallation. The metadata from a previous installation can prevent generation of new file access policies and signatures.

When WLI is removed by swremove, the WLI database must be deleted to allow a possible reinstallation to install and configure correctly. But WLI does not keep track of policies and signed files, and they are not removed when the product is removed.

This problem does not appear if WLI is upgraded to a later revision. The WLI database remains intact, and the manual configuration steps should not be executed for WLI upgrades.

Consider the following habits for administrators and users:

Minimize using administrator keys for generating policies and signatures. Removing authorization from administrator keys has more impact than from user keys.

Remove policies and signatures when no longer needed.

9.3Lost WLI administrator key or passphrase

A new administrator key can always be authorized through wliadm if the recovery key is available and its passphrase is known. Always store the recovery key and passphrase safely. The recovery key is not useful except for authorizing administrator keys and you can store it apart from the system where it has authority.

WLI keys are wrapped (encrypted with a cipher and passphrase) by the OpenSSL genrsa subcommand. If the passphrase is lost, no procedure exists to recover or decrypt the wrapped private key. For security, delete an administrator key with unknown passphrase. To delete an administrator key with missing passphrase:

%wliadm -d<user>.<instance> -k<recovery_key>

For more information about generating RSA keys and authorizing as WLI administrative keys, see “Key usage” (page 19) and wliadm(1).

9.4 WLI database corruption

The database can become corrupted if the underlying storage device sustains physical damage. If the files comprising the database lose their integrity, WLI can display unpredictable behavior. The WLI database needs to be restored from an archive.

9.1 Software distributor issues

39

Page 38 Page 40
Image 39
Page 38 Page 40
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page Security features File access policiesFile lock access controls Capabilities Identity-based access controls4 api Page WLI architecture Product overviewApplication API CommandsApplications WLI metadata files WLI database3 .$WLISIGNATURE$ Page Generating keys Key usageUser keys Administrator keysInstalling, removing, and upgrading Installation requirementsInstalling WLI Removing WLI Upgrading WLI Page Configuring Authorizing the recovery keyAuthorizing administrator keys Backing up the WLI database Signing DLKMsRebooting to restricted mode Page Enhancing security with WLI Signing an executable binaryCreating a Flac policy Removing a file access policy Enabling DLKMs to load during bootCreating an Ibac policy # kcmodule ciss=unused # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule Loading unsigned DLKMsPage Backup and restore considerations OverviewWLI database files Recommendations Policy protected and metadata filesWrite protected Read/write protected filesFlac policies Ibac policiesMetadata files Page HP Serviceguard considerations AdministrationWLI database Policy protected files Lost WLI administrator key or passphrase Troubleshooting and known issuesSoftware distributor issues WLI reinstallation# kcmodule wli=unused # shutdown -r Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # tar -xf /tmp/wlikeydb.tarSupport and other resources Contacting HPRelated information Typographic conventions WebsitesUser input Times Page # su wliusr1 # make cleanInstructions # make allIbac add and delete program Flac add and delete programIbac add and delete program Page Administration examples Su root # wlisign -a -k adm1.pvt /usr/bin/tar Wlicert -s -c wli.admin1 -o wmd -k adm1.pvtWlisys -k adm1.pvt -s wmdstoretype=pseudo Tar -vtf tartest.tarBdf mydir Cat /tmp/.$WLIFSPARMS$Bprestore -f backuplist Bpbackup -f backuplistAuthorizing a user key Quick setup examplesConfiguring WLI Authorizing an administrator keyEnabling a Flac policy Testing a Flac policyFlac policies Creating a Flac policyIbac policies Removing an Ibac policy Disabling an Ibac policyASM GlossaryPage Index SymbolsIndex
Top Page Image Contents