HP-UX Security Products and Features Software manual: tar -vtf tartest.tar, bdf mydir

Page 51

Using the administrator key adm1.pvt for authorization, tar is invoked as a child process of wliwrap. For details about the key signing and granting wmd, see Example B-2 (page 49).

You must restore the archive onto a file system with the same type of metadata storage as the one the archive was generated from. Otherwise, WLI cannot enforce the policies.

If the archive metadata storage type is unknown, execute the following to look for policy metadata files:

%tar -vtf tartest.tar
rwxrwxrwx   0/0       0 Aug  8 02:32 2010 ./tartest/.$WLI_POLICY$/
rwxrwxrwx   0/0    2048 Aug  8 02:52 2010 ./tartest/.$WLI_POLICY$/tfile1
rw-r--r--   0/3    2048 Aug  6 03:21 2010 ./tartest/.$WLI_POLICY$/tfile2
rw-r--r--   0/3    2048 Aug  8 02:47 2010 ./tartest/.$WLI_POLICY$/tfile3

The archive contains metadata stored in regular files, not VxFS named streams.

To determine which policy protected files are already on the file system and the storage type, locate the file system root directory and query the metadata storage type:

% bdf mydir
Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol4    5242880   85192 5117472    2% /tmp
%cat /tmp/'.$WLI_FSPARMS$'
wmdtype=pseudo

The file system and archive storage types match, and it is safe to proceed.

If the file system root directory does not contain a .$WLI_FSPARMS$ file, the file system cannot contain policy protected files. If the file system has no policy protected files, the metadata storage type is determined by the value of the wmdstoretype attribute set with wlisys, not the metadata files restored from the archive. The user can set the correct storage type if necessary:

%wlisys -k adm1.pvt -s wmdstoretype=pseudo

The archive is now restored:

%wliwrap -k adm1.pvt -o wmd "/tar -xvf wrap.tar /tmp/tartest"
wliwrap: process capability wmd set
wliwrap: executing command: tar -xvf wrap.tar /tmp/tartest
x ./tartest/tfile1 1 blocks
x ./tartest/tfile2 1 blocks
x ./tartest/tfile3 1 blocks
x ./tartest/.$WLI_POLICY$/tfile1 4 blocks
x ./tartest/.$WLI_POLICY$/tfile2 4 blocks
x ./tartest/.$WLI_POLICY$/tfile3 4 blocks

Similar to Example B-2 (page 49), metadata files under .$WLI_SIGNATURE$ directories and .$WLI_FSPARMS$ files can also be restored with the wliwrap command. Therefore, an entire file system can be restored with this procedure.

Example B-4 Backup and restore without wliwrap

The alternative to temporarily granting wmd capability with wliwrap is to permanently grant wmd with wlisign. This example describes how to create an archive containing policy protected files with a backup command granted permanent wmd capability. The archive is then restored with a restore command also granted permanent wmd capability.

For this example, the platform has VxFS 5.0.1 file systems installed and the wmdstoretype attribute has the value auto, set by the wlisys command. This combination implies that named data streams are used to store policy protected metadata. Veritas NetBackup is then required to back up files with named data streams. The bpbackup and bprestore commands are installed for backup and restore operations respectively.

The commands are signed and granted wmd:

%wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bpbackup

%wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bprestore
