HP UX Security Products and Features Software manual Quick setup examples, Configuring WLI


C Quick setup examples

This guide offers quick setup examples for installing WLI and creating file access policies.

C.1 Installing WLI

1. Go to the HP Software Depot: http://www.hp.com/go/softwaredepot

2. Click Security and manageability.

3. Scroll down and select HP-UX Whitelisting.

4. Click Installation at the bottom of the page.

5. Review the software requirements.

6. Click Receive for Free >> at the bottom of the page.

7. Sign in as a registered user. You need to register as a new user if you are not already registered.

8. Select WLI A.01.00 for HP-UX 11iv3 and complete the required fields.

9. Click Next >>.

10. Click Get Software at the bottom of the page.

11. On the Get Software tab, click Download Directly >> to receive the WLI depot.

12. On the Get Documentation tab, click Download Directly >> to receive the installation instructions.

13. For installation on platforms without HP-UX Serviceguard, complete the steps in “HP-UX WLI Installation Procedure” included with the installation instructions.

14. On HP-UX Serviceguard clusters, consider cluster-wide installation. For details, consult “HP Serviceguard considerations” (page 37).

C.2 Configuring WLI

For details on configuring WLI, follow the procedure in “Configuring” (page 25), including generating the first administrator key as described in Section 5.2 (page 25). An administrator key can authorize execution of all WLI commands.

C.2.1 Authorizing an administrator key

The procedure to authorize an administrator key is described in “Configuring” (page 25). For example, assume adm is a user listed in /etc/passwd and owns the recovery key /home/adm/recov.pvt authorized during WLI configuration. User adm enters the following to authorize /home/adm/adm.pvt as an administrator key:

% wliadm -n adm.admin1 -k /home/adm/recov.pvt /home/adm/adm.pub

A prompt appears for the passphrase for the recovery key.

As mentioned in “Configuring” (page 25), reboot the system to complete WLI configuration.

C.2.2 Authorizing a user key

You can optionally authorize user keys to generate file access policies and signatures. Authorizing the user key is necessary for WLI to enforce file access policies generated by a user key. To authorize a user key:

% wlicert -i <user>.<instance> -k <privkey> <pubkey>

where:

<user> A valid user from /etc/passwd

<instance> An arbitrary string chosen by the user

<privkey> Any administrator private key
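
A pre-flight check for the wlicert invocation above, as an added example that is not part of the HP manual. wli_precheck is a hypothetical helper; the optional passwd-file argument and the rule that the private key must not be accessible to group or other are assumptions of this example, not WLI requirements stated on this page.

```shell
#!/bin/sh
# Pre-flight check before: wlicert -i <user>.<instance> -k <privkey> <pubkey>
# wli_precheck is a hypothetical helper, not a WLI command.
# Usage: wli_precheck <user>.<instance> <privkey> <pubkey> [passwd-file]
# Returns 0 if every check passes, otherwise the number of the first failed check.
wli_precheck() {
    id=$1 priv=$2 pub=$3 passwd=${4:-/etc/passwd}

    # 1: the key identifier must look like <user>.<instance>, both parts non-empty.
    # Assumption: the user name is everything before the first dot.
    case $id in
        ?*.?*) ;;
        *) echo "bad key id '$id': expected <user>.<instance>" >&2; return 1 ;;
    esac
    user=${id%%.*}

    # 2: <user> must be a login name in the passwd file (field 1, exact match).
    if ! awk -F: -v u="$user" '$1 == u { ok = 1 } END { exit !ok }' "$passwd"; then
        echo "user '$user' not found in $passwd" >&2; return 2
    fi

    # 3: the administrator private key must exist and be readable.
    if [ ! -f "$priv" ] || [ ! -r "$priv" ]; then
        echo "private key '$priv' missing or unreadable" >&2; return 3
    fi

    # 4: refuse a private key that group or other can access. Characters 5-10
    # of the ls -l mode string are the group and other permission bits
    # (ACL entries beyond the mode bits are not inspected here).
    if [ "$(ls -ldL "$priv" | cut -c5-10)" != "------" ]; then
        echo "private key '$priv' is accessible to group/other" >&2; return 4
    fi

    # 5: the public key being authorized must exist and be non-empty.
    if [ ! -s "$pub" ]; then
        echo "public key '$pub' missing or empty" >&2; return 5
    fi
    return 0
}
```

Run wlicert only when wli_precheck returns 0; a non-zero return code identifies the check that failed.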
