Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Whitelisting 6.6 Loading unsigned DLKMs, dlkm, dlkm, dlkm, wlicert, wliwrap, process, adminpub, kcmodule, %su root, adminpriv, adminpriv, adminpriv, adminpriv

1 62

Download 62 pages, 731.73 Kb

during boot. To enable boot-time loading of a DLKM, it must be signed by an authorized key. The administrator owns WLI administrator key adminpriv. Like all administrator keys, adminpriv is authorized for signature verification automatically when it is granted WLI administrator authority.

Following WLI installation the system reboots and WLI is initially in maintenance mode. Verify the DLKM to be signed is unloaded:

IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.

1.Unload the DLKM:

#kcmodule ciss=unused

2.Sign the DLKM:

#wlisign -a -k /home/admin1/adminpriv /usr/conf/mod/ciss

3.Load the DLKM:

#kcmodule ciss=loaded

A root user needs to repeat these steps if usr/conf/mod/ciss is replaced by software update.

Signing with an authorized user key is also sufficient. The key does not require WLI administrator authority.

NOTE: Granting dlkm capability to the authorizing key or to the dlkm is not necessary.

6.6 Loading unsigned DLKMs

The following example demonstrates how a WLI administrator can dynamically load /usr/ conf/mod/bigdlkm into the kernel domain, without writing a signature. The current state of the DLKM is unused, and the administrator owns administrator key adminpriv with extracted public key adminpub. Because WLI capabilities are not granted to keys automatically, the administrator must grant dlkm capability to adminpriv with wlicert:

%cd /home/admin1%wlicert -c admin1.key1 -s -k adminpriv -o -dlkmThe key adminpriv granted dlkm capability to itself.

An administrator key must also be used to sign /usr/sbin/kcmodule, the command that loads the unsigned DLKM. Granting dlkm capability to the command is not necessary:

%wlisign -a -k adminpriv /usr/sbin/kcmodule

The wliwrap command now executes kcmodule as a child process. Because WLI does not affect non-WLI restrictions, it is necessary to become root user to satisfy the effective user ID requirement for executing /usr/sbin/kcmodule.

%su root#wliwrap -k adminpriv -o -dlkm “/usr/sbin/kcmodule bigdlkm=loaded”

In this example, the wliwrap command temporarily added dlkm capability to the kcmodule process.

6.6 Loading unsigned DLKMs 31

Contents

HP-UX11iv3 Page Table of Contents 7 Backup and restore considerations 8 HP Serviceguard considerations 9 Troubleshooting and known issues Lost WLI administrator key or passphrase 10 Support and other resources Glossary Index List of Figures List of Examples Page 1 Security features 1.1 File access policies 1.1.1 File lock access controls 1.1.2 Identity-basedaccess controls 1.2 Capabilities 1.2.4api libwliapi example” (page 45) Page 2 Product overview 2.1 WLI architecture 2.1.1 Commands 2.1.1.1 Application API 2.1.1.2 Applications 2.1.1.3 Stackable file system module 2.1.1.4 Policy enforcement manager 2.1.1.5 File systems 2.2 WLI database 2.3 WLI metadata files 2.3.1.$WLI_FSPARMS$ auto pseudo pseudo Metadata is stored separately in files within directories always named Page 3 Key usage 3.1 Generating keys 3.2 User keys 3.3Administrator keys 4 Installing, removing, and upgrading 4.1 Installation requirements Hardware requirement Operating system requirements Patch requirements 4.3Removing WLI 4.4Upgrading WLI Page 5 Configuring 5.1Authorizing the recovery key 5.2 Authorizing administrator keys 5.3 Signing DLKMs 5.4 Backing up the WLI database 5.5 Rebooting to restricted mode Page 6 Enhancing security with WLI 6.1 Signing an executable binary 6.2 Creating a FLAC policy 6.3 Creating an IBAC policy 6.4 Removing a file access policy 6.5 Enabling DLKMs to load during boot 6.6 Loading unsigned DLKMs Page 7 Backup and restore considerations 7.1 Overview 7.2WLI database files 7.2.1 Write protected 7.2.2 Read/write protected files 7.3 Policy protected and metadata files 7.3.1 FLAC policies 7.3.2 IBAC policies 7.3.3 Metadata files 7.3.4Recommendations Page 8 HP Serviceguard considerations 8.1 Overview 8.2 Administration 8.2.1WLI database 8.2.2Policy protected files 9 Troubleshooting and known issues 9.1 Software distributor issues 9.2WLI reinstallation 9.3Lost WLI administrator key or passphrase 9.4 WLI database corruption %wlisyspolicy -smode=maintenance -k <admin_key #rm -r /etc/wli #tar -xf /tmp/wlikeydb.tar #kcmodule wli=unused #kcmodule wli=static 10 Support and other resources 10.1 Contacting HP 10.1.1 Before you contact HP 10.1.2HP contact information 10.1.3Subscription service 10.3Typographic conventions Page Page example A.1 Instructions A.3 FLAC add and delete program A.4 IBAC add and delete program Page Page B Administration examples #wlisign -a -kadm1.pvt /usr/bin/tar /usr/bin/tar %wlicert -s -cwli.admin1 -owmd -kadm1.pvt %wliwrap -kadm1.pvt -owmd "/tar -cvftartest.tar /tmp/tartest tartest.tar %tar -vtftartest.tar The archive contains metadata stored in regular files, not VxFS named streams % bdf mydir %cat /tmp/'.$WLI_FSPARMS$ wmdtype=pseudo For example, to start a user backup of the files listed in backup_list: %bpbackup -fbackup_list To restore the files in backup_list: %bprestore -fbackup_list C Quick setup examples C.1 Installing WLI C.2 Configuring WLI C.2.1 Authorizing an administrator key C.2.2 Authorizing a user key C.3 FLAC policies C.3.1 Creating a FLAC policy C.3.2 Enabling a FLAC policy C.3.3 Testing a FLAC policy C.3.4 Disabling a FLAC policy C.4 IBAC policies C.4.1 Creating an IBAC policy C.4.2 Enabling an IBAC policy C.4.3 Testing an IBAC policy C.4.4 Disabling an IBAC policy C.4.5 Removing an IBAC policy Glossary Page Index Symbols