Administrator's Guide

2.1.1.5 File systems
WLI security features are imposed on all directories and regular files that reside in file systems
accessed through the VFS layer.
WLI generates metadata to keep track of its file access policies. Policy metadata might become
scattered in files throughout a file system. VxFS (aka JFS) at revision 5.0.1 or later is an exception
because metadata can be stored within a named stream. A named stream is associated with a
file inode, but is not accessible through the usual open() on the file.
Because a proprietary utility like Symantec NetBackup is required for backing up named streams,
the administrator may choose to have metadata stored on files only.
WLI also generates signature metadata for signed executable binaries. For native ELF binaries,
the metadata is stored within a special section of the file. PA-RISC binaries are also executable
on IA platforms, but their metadata is stored in files similar to policy metadata files.
Special device files within file systems are not affected by WLI with the exception of /dev/mem
and /dev/kmem. In restricted mode, access to these files is denied except to applications explicitly
granted the mem capability. For more information on WLI capabilities, see “Security features”
(page 9) and wli(5).
2.2 WLI database
WLI maintains a set of regular files and directories under /etc/wli. Some files contain
configuration data referenced during system boot, and others maintain user and administrator
key associations within WLI. These files are installed with WLI or are generated when WLI is
initialized, as described in “Configuring” (page 25). WLI prohibits write access to these files in
restricted mode. In maintenance mode, the entire database can be read or written without WLI
restrictions.
The following directories are under /etc/wli:
/etc/wli/keys
    Directory containing password-encrypted administrator private keys, one per file. In maintenance mode, the directory can be read and written. Read/write access is prohibited for all files in this directory in restricted mode.
/etc/wli/certificates
    Directory containing public keys authorized for run-time verification of file access policies.
The following files are under /etc/wli:
/etc/wli/wlicert.conf
    File mapping WLI capabilities to authorized public keys. For details on content, see wlicert.conf(4). WLI does not permit write access to this file in restricted mode.
/etc/wli/wlisyspolicy.conf
    File containing security parameters read into kernel memory early in the HP-UX boot process. For details on content, see wlisys(1M) and wlisyspolicy(1M).
/etc/wli/wlisys.conf
    File containing initialization parameters for WLI kernel components. For details on content, see wlisys(1M).
2.3 WLI metadata files
WLI generates at least one metadata file. The number of metadata files generated depends on
file system version, value of the wmdstoretype attribute, and file system type.
The following sections describe the metadata file types. All metadata file types have WLI write
protection in restricted mode. To override WLI protection for file backup, see Section 1.2.2
(page 10).
16 Product overview