HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)
For example, user adm uses administrator key /home/adm/adm.pvt to authorize /home/usr1/usr.pub as a WLI user key:
% wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub
FLAC policies
A FLAC policy prevents a regular file or directory from being modified, deleted, or renamed. It also prevents changes to ownership, permission bits, modification time, and other persistent information associated with the file. These restrictions apply to all users, including the root user. A file is locked when it has a FLAC policy that WLI is actively enforcing. A user must own a file to assign it a FLAC policy.
Creating a FLAC policy
In this example, the file /tmp/passwd is locked. The administrator private key is /home/adm/adm.pvt. The user private key file is /home/usr1/usr.pvt. The user public key file is /home/usr1/usr.pub. To generate the FLAC policy:
% wlipolicy -f -a -k /home/usr1/usr.pvt /tmp/passwd
A prompt appears for the passphrase for /home/usr1/usr.pvt.
Enabling a FLAC policy
If /home/usr1/usr.pvt is authorized as a WLI user key, as in the example in Section (page 44), no further action is necessary. Otherwise, the key can still be authorized after policy generation, using the identical command:
% wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub
A prompt appears for the passphrase for /home/adm/adm.pvt.
Testing a FLAC policy
This example tests the FLAC policy created and enabled in the previous examples. First verify that system-wide policy enforcement is in effect:
% wlisyspolicy -g
The returned messages must include:
Values in effect currently:
write lock protection (FLAC): enabled
protection mode: restricted
If either or both of the above settings are not in effect, system-wide FLAC policy enforcement can be enabled with:
% wlisyspolicy -s mode=restricted,flac=enabled -k /home/adm/adm.pvt
No user, including root, can modify, rename, or delete /tmp/passwd:
% mv /tmp/passwd /tmp/x
mv: /tmp/x: rename: Permission denied
% rm /tmp/passwd
/tmp/passwd: 666 mode ? (y/n) y
rm: /tmp/passwd not removed. Permission denied
% echo hello >> /tmp/passwd
ksh: /tmp/passwd: cannot create
Any user with read permission on the file can still read its content:
% cat /tmp/passwd
hi there
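The two checks above (system-wide enforcement is on, and the file actually refuses changes) can be scripted so they are repeated the same way every time a policy is rolled out. The following is an added example written for this guide page; it is not HP's code and not taken from the WLI product. Only the command name wlisyspolicy and the two output lines it must show come from the guide. The script name flacprobe.sh, the functions flac_enforced, flac_enforced_live and probe_lock, and the sample output text are assumptions made here. The probe uses rename, open-for-append and modification-time update, the operations the guide says a FLAC policy refuses, and each of them is harmless or reverted on an unlocked file; the guide's rm test is left out because it would destroy an unprotected file.

```sh
#!/bin/sh
# Added verification helper for FLAC policies (not from the HP-UX WLI guide).
# Plain POSIX sh; the HP-UX command wlisyspolicy is only needed for the live check.

# flac_enforced TEXT: succeed (return 0) only when the captured output of
# "wlisyspolicy -g" shows BOTH settings the guide requires for enforcement.
flac_enforced() {
    printf '%s\n' "$1" | grep -q 'write lock protection (FLAC): enabled' &&
    printf '%s\n' "$1" | grep -q 'protection mode: restricted'
}

# flac_enforced_live: the same check against the real command (HP-UX WLI only).
# A missing command or empty output counts as "not enforced".
flac_enforced_live() {
    flac_enforced "$(wlisyspolicy -g 2>/dev/null)"
}

# probe_lock FILE: try three operations a FLAC policy must refuse (rename,
# open for append, mtime update) and report each. Returns 0 when all three are
# refused, i.e. the file behaves as locked; returns 1 otherwise. On an unlocked
# file the rename is undone, the append opens the file without writing a byte,
# and touch only updates the timestamp, so the probe leaves the content intact.
probe_lock() {
    f=$1
    refused=0
    tmp="$f.flacprobe.$$"     # hypothetical scratch name used for the rename probe

    if mv "$f" "$tmp" 2>/dev/null; then
        mv "$tmp" "$f"        # not locked: undo the rename
        echo "rename : allowed"
    else
        refused=$((refused + 1))
        echo "rename : refused"
    fi

    # Opening for append is what "echo hello >> file" does; no bytes are written.
    if true 2>/dev/null >> "$f"; then
        echo "append : allowed"
    else
        refused=$((refused + 1))
        echo "append : refused"
    fi

    # FLAC also protects the modification time, which touch would change.
    if touch "$f" 2>/dev/null; then
        echo "mtime  : allowed"
    else
        refused=$((refused + 1))
        echo "mtime  : refused"
    fi

    [ "$refused" -eq 3 ]
}

# Constructed sample of "wlisyspolicy -g" output, made up here from the lines
# the guide says must appear; used for the offline self-check below.
SAMPLE_OK='Values in effect currently:
write lock protection (FLAC): enabled
protection mode: restricted'

# Usage: sh flacprobe.sh /tmp/passwd   (with no argument: offline self-check only)
if [ "$#" -gt 0 ]; then
    if flac_enforced_live; then
        echo "system-wide FLAC enforcement: in effect"
    else
        echo "system-wide FLAC enforcement: NOT in effect (or wlisyspolicy not found)"
    fi
    if probe_lock "$1"; then
        echo "$1 behaves as locked"
    else
        echo "$1 is NOT locked"
    fi
else
    flac_enforced "$SAMPLE_OK" && echo "sample output: FLAC enforcement in effect"
fi
```

Run the probe as the file's owner from a directory you can write to; otherwise an ordinary permission error on the rename would be reported as "refused" and could be mistaken for FLAC protection. A file that reports all three operations refused while flac_enforced_live fails is worth a second look, since the guide ties enforcement to both the flac=enabled and mode=restricted settings.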