HP-UX Security Products and Features Software manual: IBAC policies

Page 55

C.3.4 Disabling a FLAC policy

After the system reboot, which is the final task in WLI configuration, WLI is in its highest security state. To disable FLAC policy enforcement:

1. The administrator removes system-wide enforcement with either

% wlisyspolicy -s flac=disabled -k /home/adm/adm.pvt

or

% wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt

If the downgrade attribute has the value deferred, the wlisyspolicy command returns a message indicating that a reboot is necessary before the security downgrade takes effect.

2. The administrator removes the authorization for /home/usr1/usr.pub:

% wlicert -d usr1.key1 -k /home/adm/adm.pvt

C.3.5 Removing a FLAC policy

To remove a FLAC policy as a user:

% wlipolicy -f -d -k /home/usr1/usr.pvt /tmp/passwd

To remove a FLAC policy as the administrator:

% wlipolicy -f -d -k /home/adm/adm.pvt /tmp/passwd

C.4 IBAC policies

An IBAC policy prevents a regular file or directory from being accessed by any binary executable except those explicitly identified. The access restrictions apply to all users, including the root user. Multiple IBAC policies can be assigned to a file. A user must own a file to assign it an IBAC policy. In the following example, the file /tmp/secret is assigned an IBAC policy that allows /usr/bin/cat access. The administrator private key is /home/adm/adm.pvt. The user private key file is /home/usr1/usr.pvt and the user public key file is /home/usr1/usr.pub.

C.4.1 Creating an IBAC policy

A binary executable must be signed before it can be specified in an IBAC policy. To sign /usr/bin/cat:

% wlisign -a -k /home/usr1/usr.pvt /usr/bin/cat

The user must have write permission on /usr/bin/cat, so normally only root (user ID 0) can generate this signature.

To generate the IBAC policy:

% wlipolicy -i -a -k /home/usr1/usr.pvt -e /usr/bin/cat /tmp/secret

Both of the preceding commands prompt for the passphrase of /home/usr1/usr.pvt.

C.4.2 Enabling an IBAC policy

To enforce the IBAC policy:

% wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub

A prompt appears for the passphrase for /home/adm/adm.pvt.

C.4.3 Testing an IBAC policy

This example tests the IBAC policy created and enabled in the previous sections. Assume /tmp/secret has only the IBAC policy for /usr/bin/cat, as assigned above. First verify that system-wide policy enforcement is in effect:

% wlisyspolicy -g

The returned messages must include:
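As an added example that is not part of the guide, the following POSIX shell script wraps the C.4.1 and C.4.2 commands exactly as they appear on this page and then performs the positive and negative access probes that a C.4.3 test should end with: the whitelisted executable must be able to read the file, and a non-whitelisted one must not. The wlisign, wlipolicy and wlicert invocations, key paths and the certificate name usr1.key1 are the page's; the probe_access and verify_ibac functions, the environment variable names, the WLI_RUN guard and the choice of /usr/bin/head as the non-whitelisted executable are this example's own assumptions, not WLI features.

```shell
#!/bin/sh
# Added example: IBAC setup steps from the guide plus a positive/negative
# enforcement probe of this script's own design (not a WLI command).
# Assumed defaults below are the page's example values.

ADM_KEY=${ADM_KEY:-/home/adm/adm.pvt}
USR_KEY=${USR_KEY:-/home/usr1/usr.pvt}
USR_PUB=${USR_PUB:-/home/usr1/usr.pub}
USR_CERT=${USR_CERT:-usr1.key1}

# Steps C.4.1 and C.4.2 as printed on the page. Each command prompts for the
# passphrase of the key it is given. Signing needs write access to $allowed,
# so this is normally run as root.
ibac_setup() {
    secret=$1      # file to protect, e.g. /tmp/secret
    allowed=$2     # executable to whitelist, e.g. /usr/bin/cat
    wlisign -a -k "$USR_KEY" "$allowed" &&
    wlipolicy -i -a -k "$USR_KEY" -e "$allowed" "$secret" &&
    wlicert -i "$USR_CERT" -k "$ADM_KEY" "$USR_PUB"
}

# probe_access EXE FILE: run EXE on FILE; return 0 if the read succeeded,
# 1 if it was refused, 2 if EXE itself is not executable (a broken probe,
# which must not be mistaken for a policy denial).
probe_access() {
    exe=$1; file=$2
    [ -x "$exe" ] || { echo "probe: $exe is not executable" >&2; return 2; }
    "$exe" "$file" >/dev/null 2>&1
}

# verify_ibac FILE ALLOWED DENIED: return 0 only when the whitelisted
# executable can read FILE and the non-whitelisted one cannot. "Both succeed"
# is what a host without enforcement shows (before the reboot into
# restricted mode, or while mode=maintenance), and is reported as FAIL.
verify_ibac() {
    file=$1; allowed=$2; denied=$3
    if ! probe_access "$allowed" "$file"; then
        echo "FAIL: whitelisted $allowed cannot read $file" >&2
        return 1
    fi
    if probe_access "$denied" "$file"; then
        echo "FAIL: non-whitelisted $denied can read $file (policy not enforced)" >&2
        return 1
    fi
    echo "PASS: only $allowed can read $file"
    return 0
}

# The full procedure only runs when explicitly requested (WLI_RUN=1), so the
# file can be sourced on any system without touching WLI.
if [ "${WLI_RUN:-0}" = 1 ]; then
    wlisyspolicy -g                                   # C.4.3: confirm enforcement first
    ibac_setup /tmp/secret /usr/bin/cat
    verify_ibac /tmp/secret /usr/bin/cat /usr/bin/head  # head is assumed not whitelisted
fi
```

Run it with WLI_RUN=1 on the HP-UX host after the system has been rebooted into restricted mode; on a host where enforcement is not yet in effect, verify_ibac reports that the non-whitelisted executable can still read the file, which is the expected result until the reboot.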
