HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

Example 3 Restoring policy protected files
HP recommends using wliwrap to back up and restore policy protected files and their associated
metadata. It is not necessary to grant a command permanent wmd capability when wliwrap is used, as
demonstrated in Example 2 (page 41).
This example demonstrates how to restore the backup archive generated in Example 2 (page 41).
As with the generation of the archive, the WLI security mode is restricted so all WLI file
access policies are enforced. Guidelines for the server do not allow security to be downgraded at
any time.
Using the administrator key adm1.pvt for authorization, tar is invoked as a child process of
wliwrap. For details about the key signing and granting wmd, see Example 2 (page 41).
You must restore the archive onto a file system with the same type of metadata storage as the
file system from which the archive was generated. Otherwise, WLI cannot enforce the policies.
If the archive metadata storage type is unknown, execute the following to look for policy metadata
files:
% tar -vtf tartest.tar
rwxrwxrwx 0/0 0 Aug 8 02:32 2010 ./tartest/.$WLI_POLICY$/
rwxrwxrwx 0/0 2048 Aug 8 02:52 2010 ./tartest/.$WLI_POLICY$/tfile1
rw-r--r-- 0/3 2048 Aug 6 03:21 2010 ./tartest/.$WLI_POLICY$/tfile2
rw-r--r-- 0/3 2048 Aug 8 02:47 2010 ./tartest/.$WLI_POLICY$/tfile3
The archive contains metadata stored in regular files, not VxFS named streams.
To determine which policy protected files are already on the file system and the storage type,
locate the file system root directory and query the metadata storage type:
% bdf mydir
Filesystem kbytes used avail %used Mounted on
/dev/vg00/lvol4 5242880 85192 5117472 2% /tmp
% cat /tmp/'.$WLI_FSPARMS$'
wmdtype=pseudo
The file system and archive storage types match, and it is safe to proceed.
If the file system root directory does not contain a .$WLI_FSPARMS$ file, the file system cannot
contain policy protected files. If the file system has no policy protected files, the metadata storage
type is determined by the value of the wmdstoretype attribute set with wlisys, not the metadata
files restored from the archive. The user can set the correct storage type if necessary:
% wlisys -k adm1.pvt -s wmdstoretype=pseudo
The archive is now restored:
% wliwrap -k adm1.pvt -o wmd "tar -xvf wrap.tar /tmp/tartest"
wliwrap: process capability wmd set
wliwrap: executing command: tar -xvf wrap.tar /tmp/tartest
x ./tartest/tfile1 1 blocks
x ./tartest/tfile2 1 blocks
x ./tartest/tfile3 1 blocks
x ./tartest/.$WLI_POLICY$/tfile1 4 blocks
x ./tartest/.$WLI_POLICY$/tfile2 4 blocks
x ./tartest/.$WLI_POLICY$/tfile3 4 blocks
As in Example 2 (page 41), metadata files under .$WLI_SIGNATURE$ directories and
.$WLI_FSPARMS$ files can also be restored with the wliwrap command, so an entire
file system can be restored with this procedure.
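The pre-restore checks above (inspect the archive listing for .$WLI_POLICY$ metadata files, read wmdtype from the file system's .$WLI_FSPARMS$ file, and refuse to restore when the storage types differ) collected into one script. This is an added example, not part of the HP guide; the archive and file system names, the bdf column parsing and the "unknown"/"none" result values are assumptions.

```shell
#!/bin/sh
# WLI pre-restore storage-type check (added example, not HP's code).
# Assumes the `tar -vtf` listing and wmdtype=<value> file format shown above.

# Read a `tar -vtf` listing on stdin and print the storage type it implies:
# "pseudo" when .$WLI_POLICY$ regular files are present, else "unknown"
# (metadata may live in VxFS named streams, which the listing does not show).
archive_wmdtype() {
    if grep -q '/\.\$WLI_POLICY\$/'; then
        echo pseudo
    else
        echo unknown
    fi
}

# Print the wmdtype value from a .$WLI_FSPARMS$ file given as $1, or "none"
# when the file is absent (the file system holds no policy protected files).
fsparms_wmdtype() {
    if [ -f "$1" ]; then
        sed -n 's/^wmdtype=//p' "$1"
    else
        echo none
    fi
}

# Exit status 0 = safe to restore, 1 = refuse. $1 archive type, $2 fs type.
# "unknown" is never accepted automatically; "none" means the administrator
# must first select the type with: wlisys -k adm1.pvt -s wmdstoretype=<type>
restore_allowed() {
    if [ "$1" = unknown ]; then return 1; fi
    if [ "$2" = none ]; then return 0; fi
    [ "$1" = "$2" ]
}

# Driver, HP-UX only (needs bdf and tar). Usage: sh wli_check.sh ARCHIVE DIR
# Assumes bdf prints the mount point as the last field of its second line.
if [ $# -eq 2 ]; then
    mnt=$(bdf "$2" | awk 'NR==2 {print $NF}')
    atype=$(tar -vtf "$1" | archive_wmdtype)
    ftype=$(fsparms_wmdtype "$mnt/.\$WLI_FSPARMS\$")
    if restore_allowed "$atype" "$ftype"; then
        echo "archive=$atype filesystem=$ftype: safe to restore via wliwrap -o wmd"
    else
        echo "archive=$atype filesystem=$ftype: storage types differ, not restoring" >&2
        exit 1
    fi
fi
```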
42 Administration examples