HP UX Security Products and Features Software manual Su root # wlisign -a -k adm1.pvt /usr/bin/tar

Page 50

To meet file permission bits requirements (DAC restrictions), the user must have root authority to modify tar with wlisign. The command is signed with the administrator key:

%su root

#wlisign -a -k adm1.pvt /usr/bin/tar

The wmd capability is not granted to /usr/bin/tar. Only the key authorizing execution of wliwrap must be granted wmd capability. File permission bits restrictions (DAC permissions) on /usr/bin/tar must be met for wlisign, therefore the signing was executed by root user.

Signing tar with an administrator key is required because it executes as a child process of wliwrap. If tar is signed by a WLI key without administrator privilege, wmd capability is not granted through wliwrap.

The key authorizing wliwrap execution must have wmd capability. The key can be granted wmd before or after the signing, but must be granted wmd before tar executes as a child process of wliwrap. To grant wmd to key adm1.pvt:

%wlicert -s -c wli.admin1 -o wmd -k adm1.pvt

In Example B-1 (page 49), all capabilities are granted to adm1.pvt, but only the capabilities granted in the previous command are necessary. The backup can now be generated because wmd is granted through key adm1.pvt.

%wliwrap -k adm1.pvt -o wmd "/tar -cvf tartest.tar /tmp/tartest"

wliwrap: process capability wmd set

wliwrap: executing command: tar -cvf tartest.tar /tmp/tartest a ./tartest/tfile1 1 blocks

a ./tartest/tfile2 1 blocks a ./tartest/tfile3 1 blocks

a ./tartest/.$WLI_POLICY$/tfile1 4 blocks a ./tartest/.$WLI_POLICY$/tfile2 4 blocks a ./tartest/.$WLI_POLICY$/tfile3 4 blocks

The wmd capability granted to the executing process overrides any IBAC, allowing tar to read all files. Granting an IBAC policy to any file to allow the backup to proceed is not necessary.

Protected files and associated metadata files are now stored on the archive tartest.tar. The metadata storage is either pseudo or the file system is not VxFS 5.0.1 or later. If VxFS named data streams are used for metadata storage, the .$WLI_POLICY$ directory and its files do not appear. For details on setting metadata storage type, see wlisys(1M).

The administrator key is used to authorize wliwrap execution and grant wmd capability to the tar child process in this example. This is done only for convenience because it is likely the same user would sign the backup command and generate backups. A WLI user key without administrator authority is sufficient to authorize wliwrap execution.

The tar command is executed with the effective user ID of the login user in this example. The owner and group IDs of the generated archive matches the login values of owner and group, as if tar is executed directly.

This preparation for backing up policy protected files can be applied to backing up non ELF binary executables with associated metadata in .$WLI_SIGNATURE$ directories. A

.$WLI_FSPARMS$ file can also be backed up. This procedure can be applied to backing up an entire file system containing policy protected files and signed executables.

Example B-3 Restoring policy protected files

HP recommends using wliwrap to backup and restore policy protected files and associated metadata. Granting permanent wmd capability to a command with wliwrap is not necessary, as demonstrated in Example B-2 (page 49).

This example demonstrates how to restore the backup archive generated in Example B-2 (page 49). As with the generation of the archive, the WLI security mode is restricted so all WLI file access policies are enforced. Guidelines for the server do not allow security to be downgraded at any time.

50 Administration examples

Page 49 Page 51
Image 50
Page 49 Page 51
Contents HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page File lock access controls Security featuresFile access policies Identity-based access controls Capabilities4 api Page Product overview WLI architectureCommands Application APIApplications WLI database WLI metadata files3 .$WLISIGNATURE$ Page Key usage Generating keysAdministrator keys User keysInstalling WLI Installing, removing, and upgradingInstallation requirements Removing WLI Upgrading WLI Page Authorizing administrator keys ConfiguringAuthorizing the recovery key Signing DLKMs Backing up the WLI databaseRebooting to restricted mode Page Creating a Flac policy Enhancing security with WLISigning an executable binary Creating an Ibac policy Removing a file access policyEnabling DLKMs to load during boot Loading unsigned DLKMs # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule # kcmodule ciss=unusedPage WLI database files Backup and restore considerationsOverview Read/write protected files Policy protected and metadata filesWrite protected RecommendationsMetadata files Flac policiesIbac policies Page WLI database HP Serviceguard considerationsAdministration Policy protected files WLI reinstallation Troubleshooting and known issuesSoftware distributor issues Lost WLI administrator key or passphrase# tar -xf /tmp/wlikeydb.tar Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # kcmodule wli=unused # shutdown -rRelated information Support and other resourcesContacting HP User input Typographic conventionsWebsites Times Page # make all # make cleanInstructions # su wliusr1Flac add and delete program Ibac add and delete programIbac add and delete program Page Administration examples Wlicert -s -c wli.admin1 -o wmd -k adm1.pvt Su root # wlisign -a -k adm1.pvt /usr/bin/tarCat /tmp/.$WLIFSPARMS$ Tar -vtf tartest.tarBdf mydir Wlisys -k adm1.pvt -s wmdstoretype=pseudoBpbackup -f backuplist Bprestore -f backuplistAuthorizing an administrator key Quick setup examplesConfiguring WLI Authorizing a user keyCreating a Flac policy Testing a Flac policyFlac policies Enabling a Flac policyIbac policies Disabling an Ibac policy Removing an Ibac policyGlossary ASMPage Symbols IndexIndex
Related manuals
Manual 130 pages 58.55 Kb
Top Page Image Contents