Administrator's Guide

7.3.1 FLAC policies
A file with a FLAC policy can be read but cannot be overwritten unless wmd capability is granted
to the executing process. FLAC protection is not enforced when the process has wmd capability.
This enables the file and its policy metadata to be restored from an archive over an existing
copy of the FLAC-protected file.
7.3.2 IBAC policies
Without wmd capability, a file with an IBAC policy can be read or written only if an IBAC policy
identifies the read or write command as an authorized executable. IBAC policies are effectively
overridden by wmd, permitting backup and restore operations to complete successfully. Therefore,
wmd capability must be granted to backup and restore operations that involve WLI policy-protected
files.
7.3.3 Metadata files
WLI metadata files are described in Section 2.3 (page 16). The WLI protections are in effect only
in restricted mode. All WLI metadata file protections are overridden when wmd capability is
granted to the executing process. This permits all metadata to be archived and restored together
with the files pertaining to the metadata.
7.3.4 Recommendations
HP recommends using wliwrap to grant wmd capability. The wliwrap command grants
wmd only during execution of a backup or restore operation. A key that is granted wmd is
then always necessary to execute backup and restore operations.
Refresh backups of policy-protected files immediately following creation of new policies.
Archives of policy-protected files and metadata can easily be created and refreshed in
restricted mode.