HP UX Security Products and Features Software Disabling an Ibac policy, Removing an Ibac policy


“Values in effect currently:”

write lock protection (IBAC): enabled

protection mode: restricted

If either of the above settings is not in effect, IBAC policy enforcement can be enabled with:

%wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt
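An added example (not part of the HP guide): a shell check that applies the rule above to the status text and reports whether both settings are in effect. It assumes the status lines are supplied on stdin as "label: value" pairs with the labels shown on this page; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit IBAC enforcement from the "Values in effect currently:" text.
# Assumption: status text arrives on stdin, one "label: value" pair per line,
# using the labels as they appear on this page.

# ibac_enforced: exit 0 = enforced, 1 = not enforced, 2 = a setting is missing
ibac_enforced() {
    awk -F':' '
        # strip surrounding blanks and lower-case the value
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return tolower(s) }
        { line = tolower($0) }
        line ~ /\(ibac\)/        { ibac = trim($2) }
        line ~ /protection mode/ { mode = trim($2) }
        END {
            # a missing or empty field is reported as unknown, never as "enforced"
            if (ibac == "" || mode == "") exit 2
            exit ((ibac == "enabled" && mode == "restricted") ? 0 : 1)
        }'
}

# ibac_report: one-line verdict; on failure, point at the enable command from this page
ibac_report() {
    rc=0
    ibac_enforced || rc=$?
    case $rc in
        0) echo "OK: IBAC enforced (ibac=enabled, mode=restricted)" ;;
        1) echo "WARN: not enforced; enable with: wlisyspolicy -s mode=restricted,ibac=enabled -k <admin private key>" ;;
        *) echo "UNKNOWN: status text is missing the IBAC or protection mode line" ;;
    esac
}

# Constructed sample inputs (not captured from a real system)
SAMPLE_OK='Values in effect currently:
write lock protection (IBAC): enabled
protection mode: restricted'
SAMPLE_MAINT='Values in effect currently:
write lock protection (IBAC): enabled
protection mode: maintenance'

printf '%s\n' "$SAMPLE_OK"    | ibac_report
printf '%s\n' "$SAMPLE_MAINT" | ibac_report
```
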

Access to all other executables is denied:

%/usr/bin/more /tmp/secret

/tmp/secret: Permission denied

%/usr/bin/head /tmp/secret

/tmp/secret: Permission denied

Any user with read permission on /tmp/secret can read it:

%cat /tmp/secret

hi there

C.4.4 Disabling an IBAC policy

After the system reboot that is the final task of WLI configuration, WLI is in the highest security state. To disable IBAC policy enforcement:

1. The administrator removes system-wide enforcement:

%wlisyspolicy -s ibac=disabled -k /home/adm/adm.pvt

or

%wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt

If the downgrade attribute has the value deferred, the wlisyspolicy command returns a message indicating that a reboot is necessary for the security downgrade to take effect.

2. The administrator removes the authorization for key /home/usr1/usr.pub:

% wlicert -d usr1.key1 -k /home/adm/adm.pvt

C.4.5 Removing an IBAC policy

To remove an IBAC policy as a user:

%wlipolicy -i -d -k /home/usr1/usr.pvt /tmp/secret

To remove an IBAC policy as an administrator:

%wlipolicy -i -d -k /home/adm/adm.pvt /tmp/secret

56 Quick setup examples

HP-UX Whitelisting A.01.00 Administrator Guide. Copyright 2010 Hewlett-Packard Development Company, L.P.