Administrator's Guide
C.3.4 Disabling a FLAC policy
After the system reboots (the final task in WLI configuration), WLI is in its highest security
state. To disable FLAC policy enforcement:
1. The administrator removes system-wide enforcement:
% wlisyspolicy -s flac=disabled -k /home/adm/adm.pvt
or
% wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt
The wlisyspolicy command returns a message indicating that a reboot is necessary for the
security downgrade to take effect if the downgrade attribute has the value deferred.
2. The administrator removes /home/usr1/usr.pub authorization:
% wlicert -d usr1.key1 -k /home/adm/adm.pvt
C.3.5 Removing a FLAC policy
To remove a FLAC policy as user:
% wlipolicy -f -d -k /home/usr1/usr.pvt /tmp/passwd
To remove a FLAC policy as administrator:
% wlipolicy -f -d -k /home/adm/adm.pvt /tmp/passwd
C.4 IBAC policies
An IBAC policy prevents a regular file or directory from being accessed by all binary executables
except those explicitly identified. The access restrictions apply to all users including root user.
Multiple IBAC policies can be assigned to a file. A user must own a file to assign it an IBAC
policy. In the following example, the file /tmp/secret is assigned an IBAC policy allowing
/usr/bin/cat access. The administrator private key is /home/adm/adm.pvt. The user private
key file is /home/usr1/usr.pvt and the user public key file is /home/usr1/usr.pub.
C.4.1 Creating an IBAC policy
A binary executable must be signed to be specified in an IBAC policy. To sign /usr/bin/cat:
% wlisign -a -k /home/usr1/usr.pvt /usr/bin/cat
The user must have write permission on /usr/bin/cat. Normally only root with user ID 0 can
generate this signature.
To generate the IBAC policy:
% wlipolicy -i -a -k /home/usr1/usr.pvt -e /usr/bin/cat /tmp/secret
A prompt appears for the passphrase for /home/usr1/usr.pvt in both previous operations.
C.4.2 Enabling an IBAC policy
To enforce the IBAC policy:
% wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub
A prompt appears for the passphrase for /home/adm/adm.pvt.
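The C.4.1 and C.4.2 steps above are a fixed sequence with preconditions the guide states in prose (the user must hold write permission on the executable to sign it, and must own the file to assign it an IBAC policy). The following wrapper is an added example and is not from the WLI Administrator's Guide or from HP: it checks those preconditions first and then issues the three commands in order, stopping at the first failure. Only the wlisign, wlipolicy and wlicert invocations and their flags are taken from the guide; the function names and the WLI_DRY_RUN variable are this example's own. With WLI_DRY_RUN=1 the commands are printed rather than executed, so the sequence can be reviewed on a host that has no WLI installed.

```shell
#!/bin/sh
# Added example, not part of the WLI Administrator's Guide. Wraps the C.4.1/C.4.2
# command sequence with the precondition checks the guide describes.
# Assumptions: the wli* commands and flags are as shown in the guide; WLI_DRY_RUN,
# run_or_echo, check_ibac_preconditions and ibac_create_and_enable are ours.

# Execute the given command, or print it when WLI_DRY_RUN=1.
run_or_echo() {
    if [ "${WLI_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: check_ibac_preconditions USER_PVT_KEY EXECUTABLE TARGET
# Returns 0 when every requirement holds, 1 (with the reason on stderr) otherwise.
check_ibac_preconditions() {
    key=$1
    exe=$2
    target=$3
    [ -f "$key" ]    || { echo "missing private key file: $key" >&2; return 1; }
    [ -f "$exe" ]    || { echo "missing executable: $exe" >&2; return 1; }
    # wlisign needs write permission on the executable (C.4.1).
    [ -w "$exe" ]    || { echo "no write permission on $exe; cannot sign it" >&2; return 1; }
    [ -e "$target" ] || { echo "missing target file: $target" >&2; return 1; }
    # Only the owner may assign an IBAC policy (C.4). find -user is POSIX,
    # whereas the test -O operator is a shell extension.
    [ -n "$(find "$target" -prune -user "$(id -un)" -print)" ] \
        || { echo "$target is not owned by $(id -un)" >&2; return 1; }
    return 0
}

# Usage: ibac_create_and_enable USER_PVT_KEY ADMIN_PVT_KEY USER_PUB_KEY CERT_NAME EXECUTABLE TARGET
# When run for real, each wli* command prompts for the passphrase of the key it is given.
ibac_create_and_enable() {
    ukey=$1
    akey=$2
    upub=$3
    cert=$4
    exe=$5
    target=$6
    check_ibac_preconditions "$ukey" "$exe" "$target" || return 1
    # C.4.1: sign the executable, then create the IBAC policy that names it.
    run_or_echo wlisign -a -k "$ukey" "$exe" || return 1
    run_or_echo wlipolicy -i -a -k "$ukey" -e "$exe" "$target" || return 1
    # C.4.2: the administrator enables enforcement for the user's public key.
    run_or_echo wlicert -i "$cert" -k "$akey" "$upub" || return 1
}
```

With the guide's paths, the call is `ibac_create_and_enable /home/usr1/usr.pvt /home/adm/adm.pvt /home/usr1/usr.pub usr1.key1 /usr/bin/cat /tmp/secret`; running it first with WLI_DRY_RUN=1 shows exactly the three command lines from C.4.1 and C.4.2 before anything is signed or enforced.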
C.4.3 Testing an IBAC policy
In this example, the IBAC policy created and enabled in the preceding sections is tested. Assume
that /tmp/secret has only the IBAC policy for /usr/bin/cat assigned there.
Verify system-wide policy enforcement is in effect:
% wlisyspolicy -g
The returned messages must include:
C.4 IBAC policies 55