HP UX Security Products and Features Software Bpbackup -f backuplist, Bprestore -f backuplist


To grant wmd to the commands, the adm1.pvt key must be a WLI administrator key. This key was granted administrator privilege in Example B-1 (page 49).

The bpbackup and bprestore commands are now able to back up and restore metadata in named data streams as well as in regular files. These commands have wmd capability that grants read/write access to all metadata, whether stored in named streams or in regular files under .$WLI_POLICY$ directories. The wmd capability also permits bpbackup and bprestore to access policy protected files without permanent regard to policy restrictions. Due to security concerns, HP does not recommend granting a command permanent wmd capability.

For example, to start a user backup of the files listed in backup_list:

% bpbackup -f backup_list

To restore the files in backup_list:

% bprestore -f backup_list

File ownership and permission bits must also allow access to bpbackup and bprestore.
