Table of Contents | HP UX Security Products and Features Software

Table of Contents
1 Security features		9
1.1	File access policies	9
	1.1.1 File lock access controls	9
	1.1.2 Identity-based access controls	10
1.2	Capabilities	10
	1.2.1 mem	10
	1.2.2 wmd	10
	1.2.3 dlkm	10
	1.2.4 api	11
2 Product overview		13
2.1	WLI architecture	13
	2.1.1 Commands	14
	2.1.1.1 Application API	14
	2.1.1.2 Applications	15
	2.1.1.3 Stackable file system module	15
	2.1.1.4 Policy enforcement manager	15
	2.1.1.5 File systems	16
2.2	WLI database	16
2.3	WLI metadata files	16
	2.3.1 .$WLI_FSPARMS$	17
	2.3.2 .$WLI_POLICY$	17
	2.3.3 .$WLI_SIGNATURE$	17
3 Key usage		19
3.1 Generating keys		19
3.2	User keys	20
3.3	Administrator keys	20
4 Installing, removing, and upgrading		21
4.1	Installation requirements	21
4.2	Installing WLI	21
4.3	Removing WLI	22
4.4	Upgrading WLI	23
5 Configuring		25
5.1	Authorizing the recovery key	25
5.2	Authorizing administrator keys	25
5.3	Signing DLKMs	26
5.4 Backing up the WLI database		26
5.5 Rebooting to restricted mode		27
6 Enhancing security with WLI		29
6.1 Signing an executable binary		29
6.2	Creating a FLAC policy	29
6.3	Creating an IBAC policy	30
6.4	Removing a file access policy	30

Table of Contents

3

Image 3

HP UX Security Products and Features Software manual Table of Contents

Contents

HP-UX Whitelisting A.01.00 Administrator Guide Copyright 2010 Hewlett-Packard Development Company, L.P Table of Contents HP Serviceguard considerations Glossary Index List of Figures List of Examples Page Security features File access policiesFile lock access controls Capabilities Identity-based access controls 4 api Page WLI architecture Product overview Application API Commands Applications WLI metadata files WLI database 3 .$WLISIGNATURE$ Page Generating keys Key usage User keys Administrator keys Installing, removing, and upgrading Installation requirementsInstalling WLI Removing WLI Upgrading WLI Page Configuring Authorizing the recovery keyAuthorizing administrator keys Backing up the WLI database Signing DLKMs Rebooting to restricted mode Page Enhancing security with WLI Signing an executable binaryCreating a Flac policy Removing a file access policy Enabling DLKMs to load during bootCreating an Ibac policy # kcmodule ciss=unused # wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/cissWlisign -a -k adminpriv /usr/sbin/kcmodule Loading unsigned DLKMsPage Backup and restore considerations OverviewWLI database files Recommendations Policy protected and metadata filesWrite protected Read/write protected files Flac policies Ibac policiesMetadata files Page HP Serviceguard considerations AdministrationWLI database Policy protected files Lost WLI administrator key or passphrase Troubleshooting and known issuesSoftware distributor issues WLI reinstallation # kcmodule wli=unused # shutdown -r Wlisyspolicy -s mode=maintenance -k adminkeySu root # rm -r /etc/wli # tar -xf /tmp/wlikeydb.tar Support and other resources Contacting HPRelated information Typographic conventions WebsitesUser input Times Page # su wliusr1 # make cleanInstructions # make all Ibac add and delete program Flac add and delete program Ibac add and delete program Page Administration examples Su root # wlisign -a -k adm1.pvt /usr/bin/tar Wlicert -s -c wli.admin1 -o wmd -k adm1.pvt Wlisys -k adm1.pvt -s wmdstoretype=pseudo Tar -vtf tartest.tarBdf mydir Cat /tmp/.$WLIFSPARMS$ Bprestore -f backuplist Bpbackup -f backuplist Authorizing a user key Quick setup examplesConfiguring WLI Authorizing an administrator key Enabling a Flac policy Testing a Flac policyFlac policies Creating a Flac policy Ibac policies Removing an Ibac policy Disabling an Ibac policy ASM GlossaryPage Index Symbols Index