HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)
metadata. The metadata storage type is indicated by the wmdstoretype parameter. For details,
see wlisys(1M). The following storage types are available:
auto If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named stream.
A named stream is associated with the protected file inode and not accessible to most
commands. For VxFS file systems at revision 5.0 or earlier and all other file system
types, metadata storage is the same as described in the following entry for pseudo.
pseudo Metadata is stored separately in files within directories always named .$WLI_POLICY$,
described in the following section. These metadata directories always reside in the
parent directory of the policy protected files.
.$WLI_POLICY$
Directories named .$WLI_POLICY$ contain policy metadata files, and appear if the
wmdstoretype parameter has value pseudo, or the file system type is VxFS 5.0 or earlier. These
directories also appear for all non-VxFS file systems. In addition to write protection, WLI does not
allow read access to any file under directories with this name.
Each file in this directory has the same name as a file that is assigned an access policy through
wlipolicy in the parent directory. For example, if /tmp contains the following files with WLI
access policies:
% ls -l /tmp/JdMB4NJ1 /tmp/T1df07xe
-rw------- 1 joe users 2723 May 4 14:49 /tmp/JdMB4NJ1
-rw------- 1 joe users 8199 Jun 3 20:46 /tmp/T1df07xe
Then, /tmp/.$WLI_POLICY$ contains the corresponding policy metadata files:
% ls -l /tmp/.\$WLI_POLICY\$
-rw------- 1 joe users 2048 Jul 15 15:29 JdMB4NJ1
-rw------- 1 joe users 2048 Jun 3 20:47 T1df07xe
NOTE: The '\' escape character is used to escape '$', a special character to shell interpreters.
.$WLI_SIGNATURE$
Directories named .$WLI_SIGNATURE$ contain signature metadata files. In addition to write
protection, WLI does not allow read access to any file under directories with this name.
Each file in this directory has the same name as a non-ELF binary in the parent directory that is
signed with wlisign. For example, if /tmp contains the following non-ELF binaries:
% ls -l CXkiELYm wpSzpxzI
-rw------- 1 joe users 1809 Dec 9 2009 /tmp/CXkiELYm
-rw------- 1 joe users 1809 Mar 21 03:13 /tmp/wpSzpxzI
Then, /tmp/.$WLI_SIGNATURE$ contains the corresponding signature metadata files:
% ls -l /tmp/.\$WLI_SIGNATURE\$
-rw------- 1 joe users 2048 Jul 15 01:33 /tmp/CXkiELYm
-rw------- 1 joe users 2048 Jul 15 01:36 /tmp/wpSzpxzI
NOTE: The '\' escape character is used to escape '$', a special character to shell interpreters.
ELF-formatted binaries signed by wlitool or wlisign store their signature metadata within a
section of the binary file and do not have separate metadata files.
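As an added example (not from the guide or the WLI product), the following POSIX shell functions map a protected file to its pseudo-storage metadata path and audit a directory for metadata entries whose protected file is no longer present in the parent directory. They apply only to the pseudo layout described above; with auto storage on VxFS 5.0.1 or later the metadata lives in a named stream and no such directory exists. The sample directory tree is constructed, and mktemp -d is assumed to be available.

```shell
#!/bin/sh
# Assumes pseudo metadata storage as described in the guide:
#   <parent>/.$WLI_POLICY$/<name>     for wlipolicy metadata
#   <parent>/.$WLI_SIGNATURE$/<name>  for wlisign metadata of non-ELF binaries

# Print the metadata path for a protected file.
#   $1 = path of the protected file, $2 = policy | signature
wli_metadata_path() {
    _dir=$(dirname "$1")
    _base=$(basename "$1")
    case $2 in
        policy)    printf '%s/.$WLI_POLICY$/%s\n' "$_dir" "$_base" ;;
        signature) printf '%s/.$WLI_SIGNATURE$/%s\n' "$_dir" "$_base" ;;
        *) echo "unknown metadata type: $2" >&2; return 1 ;;
    esac
}

# Print metadata entries under <dir> whose protected file is gone from <dir>.
# Only directory listings are needed, so this works even though WLI denies
# read access to the metadata files themselves.
#   $1 = directory to audit; one orphaned metadata path per line
wli_orphaned_metadata() {
    _parent=$1
    for _md in "$_parent/.\$WLI_POLICY\$" "$_parent/.\$WLI_SIGNATURE\$"; do
        [ -d "$_md" ] || continue
        for _entry in "$_md"/*; do
            [ -e "$_entry" ] || continue   # empty directory: glob did not expand
            [ -e "$_parent/$(basename "$_entry")" ] || printf '%s\n' "$_entry"
        done
    done
}

# Constructed sample tree standing in for the guide's /tmp example.
wli_demo() {
    _root=$(mktemp -d)
    mkdir "$_root/.\$WLI_POLICY\$" "$_root/.\$WLI_SIGNATURE\$"
    : > "$_root/JdMB4NJ1"                       # protected file, present
    : > "$_root/.\$WLI_POLICY\$/JdMB4NJ1"       # its policy metadata
    : > "$_root/.\$WLI_POLICY\$/T1df07xe"       # policy metadata, file removed
    : > "$_root/.\$WLI_SIGNATURE\$/wpSzpxzI"    # signature metadata, file removed
    wli_orphaned_metadata "$_root" | sed "s|^$_root/||"
    rm -rf "$_root"
}
```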