Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Whitelisting Glossary, ASM, CFS, DAC, FAP, rng, RSA, VFS, DLKM, FLAC, IBAC, mode, sources, authorized, executable, maintenance, named stream, restricted mode

1 62

Download 62 pages, 731.73 Kb

Glossary

ASM	Oracle Automatic Storage Management
authorized	A signed binary executable specified in an IBAC policy. The executable is permitted access to
executable	the protected file also specified in the IBAC.
CFS	Veritas Cluster File System
DAC	Discretionary Based Access Controls. A traditional file access control used on Unix-based
	operating systems.
DLKM	Dynamically Loadable Kernel Module
FAP	File Access Policy. WLI metadata that restricts access to a regular file or directory. IBAC and
	FLAC policies are FAPs. A file can have multiple IBAC policies but only one FLAC.
FLAC	File Lock Access Control. This file access policy restricts access to read-only for all executables.
HA	High Availability
IBAC	Identity Based Access Control. This file access policy restricts access to an authorized executable.
maintenance	WLI does not enforce file access policies and resource restrictions. All read and write protection
mode	on WLI database files is disabled.
named stream	VxFS feature that allows a single file inode to be associated with multiple data streams. On
	VxFS 5.0.1 and later VxFS revisions, WLI stores policy and signature metadata in a named
	stream associated with the file for which the policy or signature applies.
restricted mode	WLI enforces file access policies and resource restrictions in accord with other security attributes.
	Read and write protection on WLI database files is enabled.
rng	The HP-UX kernel random number generator. Strong random numbers are generated from the
	informational entropy in system interrupt arrival times from networking and other external
	sources.
RSA	Rivest, Shamir & Adleman. Algorithms and protocol for generating asymmetric cryptographic
	keys and establishing secure communications.
VFS	Virtual File System. The kernel component that virtualizes file system operations for NFS, HFS,
	and VxFS for storage management on physical media.

57

Contents

HP-UX11iv3 Page Table of Contents 7 Backup and restore considerations 8 HP Serviceguard considerations 9 Troubleshooting and known issues Lost WLI administrator key or passphrase 10 Support and other resources Glossary Index List of Figures List of Examples Page 1 Security features 1.1 File access policies 1.1.1 File lock access controls 1.1.2 Identity-basedaccess controls 1.2 Capabilities 1.2.4api libwliapi example” (page 45) Page 2 Product overview 2.1 WLI architecture 2.1.1 Commands 2.1.1.1 Application API 2.1.1.2 Applications 2.1.1.3 Stackable file system module 2.1.1.4 Policy enforcement manager 2.1.1.5 File systems 2.2 WLI database 2.3 WLI metadata files 2.3.1.$WLI_FSPARMS$ auto pseudo pseudo Metadata is stored separately in files within directories always named Page 3 Key usage 3.1 Generating keys 3.2 User keys 3.3Administrator keys 4 Installing, removing, and upgrading 4.1 Installation requirements Hardware requirement Operating system requirements Patch requirements 4.3Removing WLI 4.4Upgrading WLI Page 5 Configuring 5.1Authorizing the recovery key 5.2 Authorizing administrator keys 5.3 Signing DLKMs 5.4 Backing up the WLI database 5.5 Rebooting to restricted mode Page 6 Enhancing security with WLI 6.1 Signing an executable binary 6.2 Creating a FLAC policy 6.3 Creating an IBAC policy 6.4 Removing a file access policy 6.5 Enabling DLKMs to load during boot 6.6 Loading unsigned DLKMs Page 7 Backup and restore considerations 7.1 Overview 7.2WLI database files 7.2.1 Write protected 7.2.2 Read/write protected files 7.3 Policy protected and metadata files 7.3.1 FLAC policies 7.3.2 IBAC policies 7.3.3 Metadata files 7.3.4Recommendations Page 8 HP Serviceguard considerations 8.1 Overview 8.2 Administration 8.2.1WLI database 8.2.2Policy protected files 9 Troubleshooting and known issues 9.1 Software distributor issues 9.2WLI reinstallation 9.3Lost WLI administrator key or passphrase 9.4 WLI database corruption %wlisyspolicy -smode=maintenance -k <admin_key #rm -r /etc/wli #tar -xf /tmp/wlikeydb.tar #kcmodule wli=unused #kcmodule wli=static 10 Support and other resources 10.1 Contacting HP 10.1.1 Before you contact HP 10.1.2HP contact information 10.1.3Subscription service 10.3Typographic conventions Page Page example A.1 Instructions A.3 FLAC add and delete program A.4 IBAC add and delete program Page Page B Administration examples #wlisign -a -kadm1.pvt /usr/bin/tar /usr/bin/tar %wlicert -s -cwli.admin1 -owmd -kadm1.pvt %wliwrap -kadm1.pvt -owmd "/tar -cvftartest.tar /tmp/tartest tartest.tar %tar -vtftartest.tar The archive contains metadata stored in regular files, not VxFS named streams % bdf mydir %cat /tmp/'.$WLI_FSPARMS$ wmdtype=pseudo For example, to start a user backup of the files listed in backup_list: %bpbackup -fbackup_list To restore the files in backup_list: %bprestore -fbackup_list C Quick setup examples C.1 Installing WLI C.2 Configuring WLI C.2.1 Authorizing an administrator key C.2.2 Authorizing a user key C.3 FLAC policies C.3.1 Creating a FLAC policy C.3.2 Enabling a FLAC policy C.3.3 Testing a FLAC policy C.3.4 Disabling a FLAC policy C.4 IBAC policies C.4.1 Creating an IBAC policy C.4.2 Enabling an IBAC policy C.4.3 Testing an IBAC policy C.4.4 Disabling an IBAC policy C.4.5 Removing an IBAC policy Glossary Page Index Symbols