wlisys.1m (2011 03)

wlisys(1M)                    Optional WLI Product Required                    wlisys(1M)
NAME
wlisys - manage WLI system configuration attributes
SYNOPSIS
wlisys -h
wlisys -g
wlisys -k privkey [-p src:val] -s wmdstoretype={auto | pseudo}
DESCRIPTION
wlisys manages WLI configuration attributes necessary for the initialization of WLI kernel modules.
WLI configuration attributes are viewable by all users, but a WLI administrator private key is required to
authorize attribute update.
The attribute wmdstoretype determines how WLI policy metadata is stored when a file access policy is
generated. See wlipolicy(1) for information on creating WLI file access policies. For each filesystem, the
wmdstoretype value is set when the first file access policy is created. All file access policies on a
filesystem must have the same wmdstoretype value.
All attributes managed with wlisys have values stored in the file /etc/wli/wlisys.conf. This file
is read during system boot to cache attribute values in the kernel. The cached values are referenced for
WLI execution, not the file values. When an attribute managed by wlisys is updated, the new value is
in effect immediately and also written to /etc/wli/wlisys.conf.
If /etc/wli/wlisys.conf is missing or unreadable when WLI initializes at boot, the most secure
values for wlisys attributes will be in effect. It is not critical for WLI operations that
/etc/wli/wlisys.conf exists or is readable.
The wlisys command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
-g               Prints out current and pending attribute values. Pending values will be in
                 effect following the next system reboot.
-h               Displays wlisys command syntax.
-k privkey       File containing a WLI administrator private key. This option is required with
                 the -s option.
-p src:val       The passphrase source for privkey. For more information on passphrase syntax,
                 see wli(5).
-s wmdstoretype  Determines how file access policy metadata is stored on file systems. The first
                 file access policy created on a file system sets the wmdstoretype value for
                 all subsequent policies created on the file system. If the value of wmdstoretype
                 is changed by wlisys, existing policy metadata stored by the previous
                 value is not affected.
                 There are two possible values for this attribute, with auto being the default:
                 auto - For VxFS file systems at or above revision 5.0.1, named streams are
                 supported. A named stream will be used to store metadata for WLI file
                 access policies. A named stream is hidden from user access.
                 For file systems at or below VxFS revision 5.0, HFS and NFS, WLI metadata
                 for a file access policy will be stored in a regular file in a directory
                 with the name .$WLI_POLICY$. The .$WLI_POLICY$ directory will
                 reside in the same directory as the file to which the policy applies. The
                 metadata directories and their files are protected as read-only by WLI.
                 pseudo - Regardless of the file system type or revision, a separate regular
                 file will be created to hold WLI policy metadata for each file. This storage
                 method matches that for the auto value when the file system is VxFS at or
                 below revision 5.0, HFS or NFS. This option permits a user to force metadata
                 storage in regular files for VxFS file systems at revision 5.0.1 and
                 later.
                 HP recommends not changing wmdstoretype once the first file access policy
                 has been created. Each file system stores the value of wmdstoretype in a
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1
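An added example, not part of the HP manual page: a POSIX shell inventory of the .$WLI_POLICY$ metadata directories described under the auto and pseudo values, flagging entries that are not regular files. The sample tree, the file names meta1 to meta3 and the script name are constructed, and treating non-regular entries as suspect is this example's assumption.

```shell
#!/bin/sh
# Added example: inventory regular-file WLI policy metadata under a tree.
# Single quotes keep the shell from expanding $WLI_POLICY as a variable.
WLI_META_DIR='.$WLI_POLICY$'

# Print every metadata directory below $1, staying on that file system
# (-xdev), since wmdstoretype is set per file system.
wli_meta_dirs() {
    find "$1" -xdev -type d -name "$WLI_META_DIR" -print
}

# Print entries in metadata directories that are not regular files.
# Flagging them is this example's assumption, not documented WLI behaviour.
wli_meta_anomalies() {
    wli_meta_dirs "$1" | while IFS= read -r d; do
        for e in "$d"/* "$d"/.[!.]*; do
            [ -e "$e" ] || [ -L "$e" ] || continue
            # Test -L first: a symlink to a regular file also passes -f.
            if [ -L "$e" ] || [ ! -f "$e" ]; then printf '%s\n' "$e"; fi
        done
    done
}

wli_meta_summary() {
    dirs=$(wli_meta_dirs "$1" | wc -l)
    bad=$(wli_meta_anomalies "$1" | wc -l)
    echo "metadata_dirs=$((dirs)) anomalies=$((bad))"
}

# Constructed sample tree (hypothetical file names, not real WLI output):
# two metadata directories, one holding a symlink instead of a file.
wli_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/app/$WLI_META_DIR" "$t/etc/$WLI_META_DIR"
    : > "$t/app/$WLI_META_DIR/meta1"
    : > "$t/etc/$WLI_META_DIR/meta2"
    ln -s "$t/app/$WLI_META_DIR/meta1" "$t/etc/$WLI_META_DIR/meta3"
    printf '%s\n' "$t"
}

# Usage (script name hypothetical): sh wli_meta.sh /mount/point
if [ $# -gt 0 ]; then wli_meta_summary "$1"; fi
```

Metadata held in VxFS named streams does not appear in this listing, so a count of zero on a VxFS 5.0.1 or later file system is consistent with the auto value.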
