Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software
51525354555657585960
Values in effect currently:
write lock protection (IBAC): enabled
protection mode: restricted
If either of the above settings are not in effect, IBAC policy enforcement can be enabled with:
% wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt
Access to all other executables is denied:
% /usr/bin/more /tmp/secret
/tmp/secret: Permission denied
% /usr/bin/head /tmp/secret
/tmp/secret: Permission denied
Any user with read permission on /tmp/secret can read it:
% cat /tmp/secret
hi there
C.4.4 Disabling an IBAC policy
After reboot of the system, the final task for WLI configuration, WLI is in the highest security
state. To disable IBAC policy enforcement:
1. The administrator removes system-wide enforcement:
% wlisyspolicy -s ibac=disabled -k /home/adm/adm.pvt
or
% wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt
The wlisyspolicy command returns a message indicating a reboot is necessary for the
security downgrade to be in effect if the downgrade attribute has value deferred.
2. The administrator removes key /home/usr1/usr.pub authorization:
% wlicert -d usr1.key1 -k /home/adm/adm.pvt
C.4.5 Removing an IBAC policy
To remove an IBAC policy as user:
% wlipolicy -i -d -k /home/usr1/usr.pvt /tmp/secret
To remove an IBAC policy as administrator:
% wlipolicy -i -d -k /home/adm/adm.pvt /tmp/secret
56 Quick setup examples