HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)
6 Enhancing security with WLI
This section describes basic operations that are intended to help the reader gain familiarity with
WLI. This section assumes:
• WLI is successfully initialized.
• At least one administrator key is created.
• The WLI security mode is restricted.
• Both ibac and flac security attributes are enabled.
For details on setting WLI security attributes, see wlisyspolicy(1M).
Signing an executable binary
In the following example, a user wants to sign /usr/bin/vi to make it an authorized executable.
Only authorized executables can be designated to access IBAC-protected files. The user does not
have superuser authority and /usr/bin/vi permission bits do not allow the user to write a WLI
signature. The user decides to copy the binary into the home directory. This allows the user to set
permission bits and set WLI access restrictions.
User procedure:
1. Create an RSA key as described in Section (page 15).
2. Store the private and public key files in the home directory as joepriv1 and joepub1.
3. Copy the binary:
% cd /home/joe; cp /usr/bin/vi joe_vi
4. Adjust permissions:
% chmod ug+w joe_vi
5. Sign it:
% wlisign -a -k joepriv1 joe_vi
For a process executing joe_vi to be authenticated, the public key must be stored in the WLI
database. Storing the public key in the database requires an administrator key.
Administrator procedure:
• Use the private key admin.pvt to authorize the user’s public key for signature verification:
% wlicert -i joe.key1 -k admin.pvt /home/joe/joepub1
The public key is now in the WLI database and available for verifying signatures in both signature
and policy metadata. The joe_vi command will authenticate when it is used to open files that
specify it in an IBAC policy.
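The user and administrator procedures above, written as checked shell functions; this is an added example and not code from the HP-UX guide. It assumes an HP-UX host with WLI initialized, calls wlisign and wlicert exactly as the guide shows, and checks the preconditions the text relies on (a readable key, a destination the user can write) before each step.

```sh
#!/bin/sh
# Added example (not from the HP-UX guide). Assumes HP-UX with WLI
# initialized; wlisign(1M) and wlicert(1M) are invoked as the guide shows.

# sign_user_copy SRC DEST PRIVKEY
#   Copies SRC to DEST, opens user/group write permission so a WLI
#   signature can be written, then signs DEST with the user's private key.
#   Prints DEST on success; on any failed step the copy is removed and a
#   non-zero status is returned.
sign_user_copy() {
    src=$1 dest=$2 privkey=$3
    [ -f "$src" ] || { echo "$src: not a regular file" >&2; return 1; }
    [ -r "$privkey" ] || { echo "$privkey: private key not readable" >&2; return 1; }
    # Refuse to overwrite: an existing signed copy may already be in use.
    if [ -e "$dest" ]; then echo "$dest: already exists" >&2; return 1; fi
    cp "$src" "$dest" || return 1
    chmod ug+w "$dest" || { rm -f "$dest"; return 1; }
    # The signature is written into the file itself, which is why the guide
    # signs a private copy instead of /usr/bin/vi in place.
    if [ ! -w "$dest" ]; then
        echo "$dest: not writable after chmod" >&2; rm -f "$dest"; return 1
    fi
    wlisign -a -k "$privkey" "$dest" || { rm -f "$dest"; return 1; }
    printf '%s\n' "$dest"
}

# register_user_key KEYID ADMINPVT PUBKEY
#   Administrator step: stores the user's public key in the WLI database
#   under KEYID, authorized with the administrator private key ADMINPVT.
register_user_key() {
    keyid=$1 adminpvt=$2 pubkey=$3
    [ -r "$adminpvt" ] || { echo "$adminpvt: admin key not readable" >&2; return 1; }
    [ -r "$pubkey" ] || { echo "$pubkey: public key not readable" >&2; return 1; }
    wlicert -i "$keyid" -k "$adminpvt" "$pubkey"
}

# Stand-alone use (the guide's user step):
#   sh sign_copy.sh /usr/bin/vi /home/joe/joe_vi /home/joe/joepriv1
if [ "$#" -eq 3 ]; then
    sign_user_copy "$1" "$2" "$3"
fi
```

The administrator then runs register_user_key joe.key1 admin.pvt /home/joe/joepub1, which is the wlicert invocation from the guide.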
Creating a FLAC policy
A user owns file /home/joe/joefile and wants to make it available to all, but protect it against
modification or deletion by all other users including superuser.
User procedure:
1. Create an RSA key as described in Section (page 15).
2. Store the private and public key files as joepriv and joepub. The user has chosen /home/joe for key storage in the following steps.
3. Create the FLAC policy:
% wlipolicy -f -a -k /home/joe/joepriv /home/joe/joefile