HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

Values in effect currently:
write lock protection (IBAC): enabled
protection mode: restricted
If either of the above settings is not in effect, IBAC policy enforcement can be enabled with:
% wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt
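The check that the guide describes here (both settings must be in effect before IBAC enforcement counts as active) can be scripted. The following is an added example and not part of HP's guide or tools: it parses status text of the form shown above and reports whether enforcement is fully in effect, printing the guide's enabling command when it is not. The sample status texts are constructed to match the lines shown on this page; feeding it the live output of the wlisyspolicy query assumes that output uses the same "key: value" lines, which this example does not verify.

```shell
#!/bin/sh
# Added example (not from the HP-UX Whitelisting guide): decide from captured
# wlisyspolicy status text whether IBAC enforcement is fully in effect.
# Enforcement is active only when BOTH of these lines are present:
#   write lock protection (IBAC): enabled
#   protection mode: restricted

# Constructed sample status texts (shaped like the lines shown in the guide).
ENFORCED_SAMPLE='Values in effect currently:
write lock protection (IBAC): enabled
protection mode: restricted'

MAINTENANCE_SAMPLE='Values in effect currently:
write lock protection (IBAC): enabled
protection mode: maintenance'

DISABLED_SAMPLE='Values in effect currently:
write lock protection (IBAC): disabled
protection mode: restricted'

# ibac_missing STATUS_TEXT
#   Prints one line per setting that is not in effect ("ibac" and/or "mode").
#   Prints nothing when both settings are in effect.
ibac_missing() {
    _status=$1
    printf '%s\n' "$_status" \
        | grep -q '^write lock protection (IBAC): enabled[[:space:]]*$' \
        || printf 'ibac\n'
    printf '%s\n' "$_status" \
        | grep -q '^protection mode: restricted[[:space:]]*$' \
        || printf 'mode\n'
}

# ibac_enforced STATUS_TEXT
#   Returns 0 when IBAC enforcement is fully in effect, 1 otherwise.
ibac_enforced() {
    [ -z "$(ibac_missing "$1")" ]
}

# ibac_remedy STATUS_TEXT
#   Prints the command the guide gives for enabling enforcement when at least
#   one setting is missing; prints nothing when enforcement is already active.
#   The key path /home/adm/adm.pvt is the one used in the guide's example.
ibac_remedy() {
    if ibac_enforced "$1"; then
        return 0
    fi
    printf '%s\n' 'wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt'
}

# Stand-alone demonstration over the constructed samples.
for sample in "$ENFORCED_SAMPLE" "$MAINTENANCE_SAMPLE" "$DISABLED_SAMPLE"; do
    if ibac_enforced "$sample"; then
        echo "enforced: yes"
    else
        echo "enforced: no (missing: $(ibac_missing "$sample" | tr '\n' ' '))"
        echo "  run: $(ibac_remedy "$sample")"
    fi
done
```

Run it as-is to see the three verdicts; on an HP-UX system you would replace the constructed samples with the captured output of the wlisyspolicy query. Matching on the exact "enabled" and "restricted" values, rather than just the presence of the keys, is deliberate: a system in maintenance mode or with ibac=disabled still prints both keys.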
Access to all other executables is denied:
% /usr/bin/more /tmp/secret
/tmp/secret: Permission denied
% /usr/bin/head /tmp/secret
/tmp/secret: Permission denied
Any user with read permission on /tmp/secret can read it:
% cat /tmp/secret
hi there
Disabling an IBAC policy
After the system reboot, the final task in the WLI configuration, WLI is in its highest security state.
To disable IBAC policy enforcement:
1. The administrator removes system-wide enforcement:
% wlisyspolicy -s ibac=disabled -k /home/adm/adm.pvt
or
% wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt
If the downgrade attribute has the value deferred, the wlisyspolicy command returns a message indicating that a reboot is necessary for the security downgrade to take effect.
2. The administrator removes the authorization of key /home/usr1/usr.pub:
% wlicert -d usr1.key1 -k /home/adm/adm.pvt
Removing an IBAC policy
To remove an IBAC policy as the user:
% wlipolicy -i -d -k /home/usr1/usr.pvt /tmp/secret
To remove an IBAC policy as the administrator:
% wlipolicy -i -d -k /home/adm/adm.pvt /tmp/secret