6 Enhancing security with WLI

This section describes basic operations that are intended to help the reader gain familiarity with WLI. This section assumes:

WLI is successfully initialized.

At least one administrator key is created.

The WLI security mode is restricted.

Both ibac and flac security attributes are enabled.

For details on setting WLI security attributes, see wlisyspolicy(1M).

6.1 Signing an executable binary

In the following example, a user wants to sign /usr/bin/vi to make it an authorized executable. Only authorized executables can be designated to access IBAC-protected files. The user does not have superuser authority, and the permission bits on /usr/bin/vi do not allow the user to write a WLI signature, so the user copies the binary into the home directory. The user can then set permission bits and WLI access restrictions on the copy.

User procedure:

1. Create an RSA key as described in Section 3.1 (page 19).

2. Store the private and public key files in the home directory as joepriv1 and joepub1.

3. Copy the binary:

% cd /home/joe; cp /usr/bin/vi joe_vi

4. Adjust permissions:

% chmod ug+w joe_vi

5. Sign it:

% wlisign -a -k joepriv1 joe_vi

For a process executing joe_vi to be authenticated, the public key must be stored in the WLI database. Storing the public key in the database requires an administrator key.

Administrator procedure:

Use the private key admin.pvt to authorize the user’s public key for signature verification:

% wlicert -i joe.key1 -k admin.pvt /home/joe/joepub1

The public key is now in the WLI database and available for verifying signatures in both signature and policy metadata. The joe_vi command will authenticate when it is used to open files that specify it in an IBAC policy.

6.2 Creating a FLAC policy

A user owns file /home/joe/joefile and wants to make it available to all, but protect it against modification or deletion by all other users including superuser.

User procedure:

1. Create an RSA key as described in Section 3.1 (page 19).

2. Store the private and public key files as joepriv and joepub. The user has chosen /home/joe for key storage in the following steps.

3. Create the FLAC policy:

% wlipolicy -f -a -k /home/joe/joepriv /home/joe/joefile
