“Values in effect currently:”

write lock protection (IBAC): enabled

protection mode: restricted

If either of the above settings is not in effect, IBAC policy enforcement can be enabled with:

%wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt

Access to all other executables is denied:

%/usr/bin/more /tmp/secret

/tmp/secret: Permission denied

%/usr/bin/head /tmp/secret

/tmp/secret: Permission denied

Any user with read permission on /tmp/secret can read it:

%cat /tmp/secret

hi there
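The enforcement shown above can be checked in one pass. This is an added example, not part of the HP manual: the hypothetical `check_ibac` function confirms that the authorized executable can read the protected file and that the other executables cannot. It assumes a read denied by IBAC makes the command exit non-zero.

```shell
#!/bin/sh
# Added example: verify that an IBAC policy is enforced on a protected file.
# check_ibac and can_read are hypothetical helper names, not WLI commands.

# can_read EXE FILE: succeed if EXE exits 0 on FILE and prints something.
# Assumption: a read denied by IBAC makes EXE exit non-zero, as the
# "Permission denied" output above suggests.
can_read() {
    out=$("$1" "$2" 2>/dev/null) && [ -n "$out" ]
}

# check_ibac FILE ALLOWED_EXE [OTHER_EXE...]
# Prints one line per executable and returns the number of mismatches:
# the allowed executable being blocked, or any other executable reading FILE.
check_ibac() {
    file=$1; allowed=$2; shift 2
    bad=0
    if can_read "$allowed" "$file"; then
        echo "ok    $allowed can read $file"
    else
        echo "FAIL  $allowed cannot read $file"
        bad=$((bad + 1))
    fi
    for exe in "$@"; do
        if can_read "$exe" "$file"; then
            echo "FAIL  $exe can read $file (policy not enforced)"
            bad=$((bad + 1))
        else
            echo "ok    $exe denied on $file"
        fi
    done
    return "$bad"
}

# With the files from this section:
#   check_ibac /tmp/secret cat /usr/bin/more /usr/bin/head
if [ "$#" -ge 2 ]; then
    check_ibac "$@"
fi
```

A return value of 0 means the policy behaves as in the transcript above. After the policy is disabled or removed, `more` and `head` are expected to show up as mismatches.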

C.4.4 Disabling an IBAC policy

After the system reboot that is the final task of WLI configuration, WLI is in the highest security state. To disable IBAC policy enforcement:

1. The administrator removes system-wide enforcement:

%wlisyspolicy -s ibac=disabled -k /home/adm/adm.pvt

or

%wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt

If the downgrade attribute has the value deferred, the wlisyspolicy command returns a message indicating that a reboot is necessary for the security downgrade to take effect.

2. The administrator removes authorization for key /home/usr1/usr.pub:

% wlicert -d usr1.key1 -k /home/adm/adm.pvt

C.4.5 Removing an IBAC policy

To remove an IBAC policy as the user:

%wlipolicy -i -d -k /home/usr1/usr.pvt /tmp/secret

To remove an IBAC policy as the administrator:

%wlipolicy -i -d -k /home/adm/adm.pvt /tmp/secret

56 Quick setup examples
