HP-UX Whitelisting A.01.02 Administrator Guide
HP-UX 11iv3

Abstract
This guide describes how to install, configure, and manage the HP-UX Whitelisting security infrastructure to enhance file security on HP-UX systems. This guide is intended for HP-UX security and file system engineers, managers, and the corresponding marketing, learning products, and support personnel. It is assumed that readers have knowledge of operating system concepts, commands, and configuration.
© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key, so you can verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system: • B.11.31.
1 Security features
HP-UX Whitelisting (WLI) provides security features complementary to discretionary access controls, sometimes referred to as DAC restrictions. DAC restrictions are based on defined users and groups, and on the ownership and permission bits associated with every type of file. DAC restrictions are set through user commands and enforced within the kernel on the processes comprising every application. WLI is a cryptographic key-based product.
Identity-based access controls
Abbreviated as IBAC, this policy type denies access to a designated file or directory for all executables except those specifically authorized. File or directory access is normally granted to an executing binary if all traditional access restrictions are met. In addition to those UNIX restrictions, an IBAC policy identifies a specific executable binary that, once authenticated, is permitted to access the protected file.
api
WLI permits an application to execute functions contained within the shared object library /opt/wli/lib/libwliapi.so by granting api capability. This library provides functions to programmatically create, delete, and update the policies described in Section (page 7). The key that signs the executable invoking libwliapi.so functions must be granted api capability through wlicert; the capability is attached to the signing key, not to the executable itself.
2 Product overview WLI is a security enhancement product that relies on RSA keys and cryptographic algorithms to restrict access to regular files, directories, and certain protected resources. WLI is complementary to the traditional access restrictions imposed by file ownership and permission bits. An executable permitted by WLI to access a file does not bypass permission bit checks, ACLs, or other security mechanisms. For more detail on WLI commands and files, see the manpages installed with WLI.
Figure 1 WLI architecture

Commands
WLI commands are described in detail through the HP-UX manpage facility on installed platforms, and are not reproduced here.
The ability to execute functions within this library is a resource protected by WLI. As with other resources protected by WLI, access must explicitly be granted through WLI using authorized RSA keys. Applications Enforcement of WLI file access policies and resource restrictions is imposed on all applications and commands. Application binaries and files have no requirements for modification or relinking. A user may restrict application access to local files and directories through WLI commands.
File systems WLI security features are imposed on all directories and regular files that reside in file systems called through the VFS layer. WLI generates metadata to keep track of its file access policies. Policy metadata might become scattered in files throughout a file system. VxFS (aka JFS) at revision 5.0.1 or later is an exception because metadata can be stored within a named stream. A named stream is associated with a file inode, but is not accessible through the usual open() on the file.
metadata. The metadata storage type is indicated by the wmdstoretype parameter. For details, see wlisys(1M). The following storage types are available:
auto    If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named stream. A named stream is associated with the protected file inode and is not accessible to most commands. For VxFS file systems at revision 5.0 or earlier and all other file system types, metadata storage is the same as described in the following entry for pseudo.
3 Key usage
WLI defines two key types. User keys can sign executable binaries and generate file access policies. Administrator keys have all the authority of user keys, but can also be used to authorize changes to the WLI database. WLI depends on RSA keys for authorization of many of its command operations. A WLI command with the “1M” manpage designation means an administrator key is required to execute at least one command option; root authority (user ID 0) alone does not suffice.
% openssl rsa -in /wli/priv.pem -out /wli/pub.pem -pubout
As in the previous example, a prompt appears for the private key passphrase because it is not supplied on the command line. RSA public keys are generally not considered secret quantities and are not encrypted; leaving a public key unprotected does not cause a security breach. WLI follows this convention.
User keys
A user key need not be granted any additional WLI authorization to create WLI file access policies and sign executable binaries.
4 Installing, removing, and upgrading
To install, remove, or upgrade WLI, HP recommends the following procedures.
Installation requirements
Hardware requirement: HP Integrity servers
Operating system requirements: The operating system must be HP-UX 11iv3 at level B.11.31.0909 or later. To determine the level of HP-UX 11iv3 installed on your system:
% swlist | grep HPUX11i
For example:
% swlist | grep HPUX11i
HPUX11i-DC-OE B.11.31.
6. Enter your registration information.
7. Read and accept the Terms and Conditions and the Software License Agreement.
8. Click Next.
9. Click Download. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system. Use the file name /tmp/.depot, for example. Verify the depot file is saved on your system with the following command:
# swlist -d @ /tmp/.depot
10. Install the bundle:
# swinstall -x autoreboot=true -s /tmp/.depot WhiteListInf
11.
4. If allow security downgrade is deferred, a reboot is required for the protection mode to switch to maintenance. Following reboot of the system, verify that the protection mode is maintenance:
% wlisyspolicy -g
5. Log in to the target system as the root user.
6. Remove WLI:
# swremove -x autoreboot=true WhiteListInf
The machine automatically reboots after rebuilding the kernel without the WLI module.
7. Manual cleanup: WLI does not keep track of metadata files generated by WLI commands.
5 Configuring NOTE: Contents of this chapter are not applicable if WLI A.01.00 or WLI A.01.01 is already configured on your system and is being upgraded to WLI A.01.02. When WLI installation completes, the system reboots. The kernel rebuilt with WLI components becomes active for enabling WLI services.
% wliadm -i -k [-p ]
where:
is the public key file extracted from in PEM format.
is an OpenSSL-generated RSA key file in PEM format.
is the passphrase source and value.
If the -p option is not included, a prompt appears for the passphrase at the /dev/tty device. You can execute this command only once for each installation. The specified key becomes the recovery key for WLI.
IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.
1. Unload the DLKM:
# kcmodule rng=unused
2. Sign the DLKM:
# wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng
3. Load the DLKM:
# kcmodule rng=best
where:
jane is a valid user ID.
jane.priv is the key identifier; priv is an arbitrary string chosen by the administrator.
It is important that the DLKM is reloaded after signing. Repeat these steps for all DLKMs loaded during boot.
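The three steps above have to be repeated, in that order, for every DLKM loaded at boot, and a module that is signed while still loaded leaves the kernel running the unsigned copy. The script below is an added example, not part of WLI or of this guide: it applies the unload, sign, reload sequence to a list of modules and stops at the first failure. It assumes the module object lives at /usr/conf/mod/<name>, as in the rng example, and the DRY_RUN switch is a convenience of this script only (it prints each command instead of running it, so the sequence can be reviewed before running it as root).

```shell
#!/bin/sh
# sign_dlkms.sh: unload, sign and reload each named DLKM so the object the kernel
# has loaded is the signed one. Added example, not part of WLI.
# Assumptions (not from the guide): the module object is $DLKM_DIR/<name>;
# DRY_RUN=1 prints the commands instead of executing them.

DLKM_DIR=${DLKM_DIR:-/usr/conf/mod}

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sign_dlkm <module> <private-key>: the guide's three steps, in order.
# The module must be unloaded before wlisign rewrites the object and loaded
# again afterwards, otherwise the running kernel keeps the unsigned copy.
sign_dlkm() {
    mod=$1 key=$2
    run kcmodule "$mod=unused" || return 1
    run wlisign -a -k "$key" "$DLKM_DIR/$mod" || return 1
    run kcmodule "$mod=best"
}

# sign_all_dlkms <private-key> <module>...: stop at the first failure so a
# module is never silently left unloaded or unsigned.
sign_all_dlkms() {
    key=$1
    shift
    for mod in "$@"; do
        sign_dlkm "$mod" "$key" || { echo "sign_dlkms: failed on $mod" >&2; return 1; }
    done
}

# Usage (as root, on a tty so wlisign can prompt for the passphrase):
#   DRY_RUN=1 sh sign_dlkms.sh /home/jane/jane.priv rng ciss    # review first
#   sh sign_dlkms.sh /home/jane/jane.priv rng ciss              # then sign
case ${0##*/} in
    sign_dlkms.sh) sign_all_dlkms "$@" ;;
esac
```

Review the DRY_RUN output before the real run: the list of modules is the only input, and a typo in a module name fails at the first kcmodule call rather than after a partial sequence.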
6 Enhancing security with WLI This section describes basic operations that are intended to help the reader gain familiarity with WLI. This section assumes: • WLI is successfully initialized. • At least one administrator key is created. • The WLI security mode is restricted. • Both ibac and flac security attributes are enabled. For details on setting WLI security attributes, see wlisyspolicy(1M).
The policy metadata is created and resides in a protected file or named stream, depending on the current value of the metadata storage attribute and possibly the file system type. The administrator owns key admin.pvt. The administrator must authorize the user key for policy enforcement: % wlicert -i joe.key -k ./admin.pvt /home/joe/joepub The administrator chose identifier joe.key to represent the user's key in the WLI database. Now /home/joe/joefile is protected against deletion and alteration.
administrator owns WLI administrator key adminpriv. Like all administrator keys, adminpriv is automatically authorized for signature verification when it is granted WLI administrator authority. Following WLI installation the system reboots and WLI is initially in maintenance mode. Verify that the DLKM to be signed is unloaded:
IMPORTANT: This procedure must be performed as root user. Root user authority is required to load and unload DLKMs.
1. Unload the DLKM:
# kcmodule ciss=unused
2.
7 Backup and restore considerations
Overview
This section describes how WLI-protected files are read from and written back to their original locations when the WLI security mode is restricted. Some files can be backed up and restored only in maintenance mode. Because backup and restore procedures vary considerably across HP-UX installations, no specific commands or procedures are recommended.
Write protected
WLI does not inhibit reading of write protected files. Files in this class can be read and backed up in accordance with the file ownership and permission bits. Files in this class are:
/etc/wli/certificates/*
/etc/wli/wlicert.conf
/etc/wli/wlisys.conf
/etc/wli/wlisyspolicy.conf
For backup procedures, these files can be treated the same as other directories and regular files. Restoring these files from a backup archive is recommended only if the WLI database is corrupted.
FLAC policies A file with a FLAC policy can be read but cannot be overwritten unless wmd capability is granted to the executing process. FLAC protection is not enforced with wmd capability. This enables the file and its policy metadata to be restored from an archive over an existing copy of the FLAC-protected file. IBAC policies Without wmd capability, a file with an IBAC policy can be read or written only if an IBAC policy identifies the read or write command as an authorized executable.
8 HP Serviceguard considerations
Overview
HP Serviceguard provides clustering services at the application level for high availability (HA). If a critical component failure occurs on the designated primary node of a product, HP Serviceguard activates the product on an alternate node through failover package scripting. The failed-over product requires the same resources on the alternate node as were available on the primary node before the critical failure.
WLI installation and configuration on the cluster is now complete. Following reboot of all nodes, WLI is operational in restricted mode. To maintain the WLI database consistently and ensure product failovers will be successful, HP recommends the following procedure: 1. Execute WLI administrative commands wliadm, wlicert, wlisys, and wlisyspolicy identically on all nodes. This ensures the WLI database that includes all authorized user keys, granted capabilities and associations is uniform. 2.
9 Troubleshooting and known issues Software distributor issues Signing an ELF formatted binary adds a signature metadata section to the binary file. This action has the side effect of changing the file modification time and size. If the binary happens to be delivered as part of a product, the swverify command registers errors. If error free swverify analysis on a product is important, sign and use a duplicate of the command whenever practical.
For a WLI database archive to be internally consistent, the archive must contain all files residing under /etc/wli. These files must not have any intervening updates. The database is updated through the wliadm, wlicert, wlisys, and wlisyspolicy commands. The database can be restored from archive only with WLI security mode set as maintenance. The security mode is cached within kernel space, not read from the database.
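An archive of /etc/wli is only usable if it captured every file under that directory from one consistent state. The script below is an added example, not WLI's own tooling: it takes the archive together with a cksum manifest, re-checks the manifest after tar finishes so an update by wliadm, wlicert, wlisys or wlisyspolicy during the archive is detected, and offers a check to run before restoring to confirm the archive still matches the live database. It assumes tar(1), cksum(1), find(1) and mktemp(1), and that WLI_DB (default /etc/wli) is the database directory; switching to maintenance mode before the restore is still the administrator's job.

```shell
#!/bin/sh
# wli_db_archive.sh: consistent archive and verification of the WLI database
# directory. Added example, not part of WLI.
# Assumptions: tar, cksum, find and mktemp are available; the database lives in
# $WLI_DB (default /etc/wli); restore itself is done in maintenance mode by the
# administrator and is not attempted here.

WLI_DB=${WLI_DB:-/etc/wli}

# wli_db_cksum <dir>: one "crc size ./path" line per regular file, fixed order,
# so two snapshots of the same content compare equal as strings.
wli_db_cksum() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs cksum )
}

# wli_db_archive <archive>: write $WLI_DB to <archive> and a manifest to
# <archive>.cksum. The manifest is taken before tar runs and compared again
# afterwards; any intervening database update makes the archive unusable (exit 2).
wli_db_archive() {
    archive=$1
    wli_db_cksum "$WLI_DB" > "$archive.cksum" || return 1
    ( cd "$WLI_DB" && tar -cf - . ) > "$archive" || return 1
    [ "$(wli_db_cksum "$WLI_DB")" = "$(cat "$archive.cksum")" ] && return 0
    echo "wli_db_archive: $WLI_DB changed while archiving, take the archive again" >&2
    return 2
}

# wli_db_verify <archive>: unpack into a scratch directory and compare every
# file against the manifest, i.e. the archive is internally consistent.
wli_db_verify() {
    archive=$1
    scratch=$(mktemp -d) || return 1
    ( cd "$scratch" && tar -xf "$archive" ) || { rm -rf "$scratch"; return 1; }
    got=$(wli_db_cksum "$scratch")
    rm -rf "$scratch"
    [ "$got" = "$(cat "$archive.cksum")" ]
}

# wli_db_matches <archive>: true if the live database still equals the archive.
# A mismatch before a restore means the database was updated after the archive
# was taken and the restore would silently discard those updates.
wli_db_matches() {
    [ "$(wli_db_cksum "$WLI_DB")" = "$(cat "$1.cksum")" ]
}
```

Keep the .cksum manifest next to the archive; without it wli_db_verify has nothing to compare against, and the manifest doubles as an inventory of which files under /etc/wli the archive holds.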
10 Support and other resources Contacting HP Before you contact HP Be sure to have the following information available before you contact HP: • Technical support registration number (if applicable) • Product serial number • Product identification number • Applicable error message • Add-on boards or hardware • Third-party hardware or software • Operating system type and revision level HP contact information For the name of the nearest HP authorized reseller: • See the Contact HP worldwide (in
Click HP-UX OpenSSL Software.
• Symantec NetBackup™ Snapshots, Continuous Data Protection, and Replication: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-techbrief_nbu_snapshots_replction_cdp_WP-20719041.en-us.pdf
• For a high level description of HP-UX file systems, see HP-UX System Administrator's Guide: Overview HP-UX 11i Version 3: http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02281492/c02281492.pdf
Websites
• HP-UX Whitelisting documentation website: http://www.
{}  The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...  The preceding element can be repeated an arbitrary number of times.
Indicates the continuation of a code example.
|  Separates items in a list of choices.
WARNING  A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
11 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A libwliapi example
This example demonstrates how libwliapi functions add and delete WLI file access policies.
Instructions
This example requires an authorized WLI administrator key.
WLI administrator's private key
Passphrase for
1. Copy the makefile and source files below to a test directory.
2. % su root
3. The makefile builds executables, adds user wliusr1, and generates ukey.pvt:
# make all
4. # wlicert -i wliusr1.inst1 -k -p pass: ukey.
user_setup: api_flac_test api_ibac_test ukey.pvt ukey.pub
	if ! grep -q wliusr1 /etc/passwd; then \
		useradd wliusr1; \
		chown wliusr1 flac_test; chmod a+w flac_test; \
		chown wliusr1 ibac_test; chmod a+w ibac_test; \
		chown wliusr1 api_flac_test; chmod u+w flac_test; \
		chown wliusr1 api_ibac_test; chmod u+w ibac_test; \
		chown wliusr1 ukey.pvt; chmod go-w ukey.pvt; \
		chown wliusr1 ukey.pub; chmod go-w ukey.pub; \
	fi

clean:
	rm -f *.
*/ #include #include #include #include
B Administration examples
Example 1 Execute manual WLI configuration
The recovery key is authorized by root user:
# wliadm -i recov.pub -k recov.pvt
RSA key adm1.pvt is generated per HP recommendations and its public key extracted:
# openssl genrsa -aes256 -out adm1.pvt 2048
# openssl rsa -in adm1.pvt -out adm1.pub -pubout
RSA key adm1.pvt is granted WLI administrator authority by the recovery key:
# wliadm -n adm1.key1 -k recov.pvt adm1.pub
The public key extracted from adm1.pvt is adm1.pub.
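The two openssl commands in Example 1 (and the extraction shown in Chapter 3) produce the key files that wliadm and wlicert consume, but nothing in the procedure checks that the public key being authorized was really extracted from the private key that will later sign binaries and policies. The script below is an added example, not part of WLI or of Example 1: it generates a pair the way the guide recommends (2048-bit RSA, AES-256 passphrase protection, unencrypted PEM public key) and compares the RSA modulus of both files before the public key is handed over. It assumes openssl(1) is installed and supplies the passphrase with -passout/-passin instead of the interactive prompt the guide's examples rely on.

```shell
#!/bin/sh
# wli_keygen.sh: generate an RSA key pair in the form WLI's wliadm/wlicert expect and
# confirm the public half belongs to the private half. Added example, not part of WLI.
# Assumptions: openssl(1) is installed; -passout/-passin replace the interactive prompt.

# wli_keygen <priv.pem> <pub.pem> <passphrase>
# Private key: 2048-bit RSA, AES-256 encrypted, mode 0600.
# Public key: plain PEM, which the guide says is conventionally left unencrypted.
wli_keygen() {
    priv=$1 pub=$2 pass=$3
    openssl genrsa -aes256 -passout "pass:$pass" -out "$priv" 2048 2>/dev/null || return 1
    chmod 600 "$priv" || return 1
    openssl rsa -in "$priv" -passin "pass:$pass" -pubout -out "$pub" 2>/dev/null
}

# wli_keypair_matches <priv.pem> <pub.pem> <passphrase>
# Succeeds only when both files carry the same RSA modulus. A wrong passphrase
# fails the private-key read and therefore fails the check as well.
wli_keypair_matches() {
    priv_mod=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Usage:
#   sh wli_keygen.sh adm1.pvt adm1.pub 'passphrase'
#   then: wliadm -n adm1.key1 -k recov.pvt adm1.pub   (as in Example 1)
case ${0##*/} in
    wli_keygen.sh)
        wli_keygen "$1" "$2" "$3" && wli_keypair_matches "$1" "$2" "$3" \
            && echo "key pair $1 / $2 generated and verified"
        ;;
esac
```

Run the check again on any public key file copied to another host (for instance a Serviceguard node, where Chapter 8 asks for identical wlicert invocations on every node) before authorizing it; a mismatched or truncated copy is refused here rather than after it has been granted authority.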
Example 2 Backing up policy protected files HP recommends using wliwrap to backup and restore policy protected files and associated metadata when restricted mode is in effect. To avoid granting permanent wmd capability to the backup and restore commands, use wliwrap to enable wmd only for a single execution of a command. The user owns key adm1.pvt which was granted administrator authority in Example 1 (page 40). For this example, /usr/bin/tar is used for both backup and restore.
Example 3 Restoring policy protected files HP recommends using wliwrap to backup and restore policy protected files and associated metadata. Granting permanent wmd capability to a command with wliwrap is not necessary, as demonstrated in Example 2 (page 41). This example demonstrates how to restore the backup archive generated in Example 2 (page 41). As with the generation of the archive, the WLI security mode is restricted so all WLI file access policies are enforced.
Example 4 Backup and restore without wliwrap The alternative to temporarily granting wmd capability with wliwrap is to permanently grant wmd with wlisign. This example describes how to create an archive containing policy protected files with a backup command granted permanent wmd capability. The archive is then restored with a restore command also granted permanent wmd capability. For this example, the platform has VxFS 5.0.
C Quick setup examples
This guide offers quick setup examples for installing WLI and creating file access policies.
Installing WLI
1. Go to the HP Software Depot: http://www.hp.com/go/softwaredepot
2. Click Security and manageability.
3. Scroll down and select HP-UX Whitelisting.
4. Click Installation at the bottom of the page.
5. Review the software requirements.
6. Click Receive for Free >> at the bottom of the page.
7. Sign in as a registered user.
For example, user adm uses administrator key /home/adm/adm.pvt to authorize /home/usr1/usr.pub as a WLI user key:
% wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub
FLAC policies
A FLAC policy prevents a regular file or directory from being modified, deleted, or renamed. It also prevents changes to ownership and permission bits, modification time, and other persistent information associated with the file. These restrictions apply to all users, including root.
Disabling a FLAC policy
After the system reboot that completes WLI configuration, WLI is in its highest security state. To disable FLAC policy enforcement:
1. The administrator removes system-wide enforcement:
% wlisyspolicy -s flac=disabled -k /home/adm/adm.pvt
or
% wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt
If the downgrade attribute has the value deferred, the wlisyspolicy command returns a message indicating that a reboot is necessary for the security downgrade to take effect.
2.
“Values in effect currently:”
write lock protection (IBAC): enabled
protection mode: restricted
If either of the above settings is not in effect, IBAC policy enforcement can be enabled with:
% wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.
Glossary
ASM  Oracle Automatic Storage Management
authorized executable  A signed binary executable specified in an IBAC policy. The executable is permitted access to the protected file also specified in the IBAC policy.
CFS  Veritas Cluster File System
DAC  Discretionary Access Controls. A traditional file access control used on Unix-based operating systems.
DLKM  Dynamically Loadable Kernel Module
FAP  File Access Policy. WLI metadata that restricts access to a regular file or directory.