HP-UX Whitelisting Version A.01.02 Release Notes
Abstract
This document provides information about the new product HP-UX Whitelisting Version A.01.02. This document is intended for anyone who installs and uses HP-UX Whitelisting. The information in this document assumes that you have experience with administering an HP-UX operating system.
© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle ... 4
1 About this product ... 5
  Features and benefits ... 5
    File access policies ... 5
    Capabilities ...
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 About this product
HP-UX Whitelisting (WLI) offers file and system resource protection based on RSA encryption technology on HP Integrity servers running HP-UX 11iv3. WLI is complementary to the traditional UNIX discretionary access controls (DAC) based on user, group, and file permissions. The more granular DAC access control list (ACL) permissions available on VxFS and HFS file systems are likewise not affected.
keys. WLI grants file access only to executables that meet policy requirements, regardless of user ID. WLI provides the following policy types:
• File Lock Access Control (FLAC)—Read access is allowed and write access is denied to all executables. A FLAC-protected regular file cannot be modified, deleted, or renamed within the directory where it resides.
2 What’s new in Whitelisting A.01.02
Whitelisting A.01.02 consists of the following changes:
• In Whitelisting A.01.02, the restriction on creating and accessing a directory with a depth of more than 50 is fixed. Users can now create and access directories of depth greater than 50.
• Up to Whitelisting A.01.01, signatures in the policy metadata or signature metadata were created using the SHA1 algorithm. In Whitelisting A.01.
3 Installing WLI
Installation requirements
Hardware requirement
HP Integrity servers
Operating system requirements
The operating system must be HP-UX 11iv3 at level B.11.31.0909 or later. To determine the level of HP-UX 11iv3 installed on your system:
% swlist | grep HPUX11i
For example:
% swlist | grep HPUX11i
HPUX11i-DC-OE B.11.31.0909 HP-UX Data Center Operating Environment
If your HP-UX 11iv3 OE version is B.11.31.1403, WLI A.01.02 is installed by default. To configure WLI A.01.
7. Click Download.
8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system. Use the file name /tmp/.depot, for example.
9. Verify that the depot file is saved on your system with the following command:
# swlist -d @ /tmp/.depot
10. Install the bundle:
# swinstall -x autoreboot=true -s /tmp/.depot WhiteListInf
11.
4 Configuring
NOTE: The contents of this chapter do not apply if WLI A.01.00 or A.01.01 is already configured on your system and is being upgraded to WLI A.01.02.
When WLI installation completes, the system reboots. The kernel rebuilt with WLI components becomes active, enabling WLI services.
% wliadm -i -k [-p ]
where:
 is the public key file extracted from in PEM format.
 is an OpenSSL-generated RSA key file in PEM format.
 is the passphrase source and value. If the -p option is not included, a prompt appears for the passphrase at the /dev/tty device.
You can execute this command only once for each installation. The specified key becomes the recovery key for WLI.
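Because wliadm -i can be run only once per installation, it is worth confirming the key material before that step. The following shell functions are an added example, not part of the HP release notes: they produce a passphrase-protected OpenSSL RSA private key and its extracted public key in PEM format, the kind of input described above, and check that the two keys share the same modulus. File names, the key size, and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the HP-UX Whitelisting release notes).
# Prepare an OpenSSL RSA key pair in PEM format and verify that the
# extracted public key belongs to the private key before handing the
# files to the one-time wliadm initialization.
set -e

# Generate a passphrase-protected RSA private key in PEM format.
# $1 = private key output path, $2 = passphrase
# Note: "pass:" exposes the passphrase to the process list; on a real
# system prefer -passout file:<path> or an interactive prompt.
gen_private_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Extract the matching public key in PEM format.
# $1 = private key path, $2 = passphrase, $3 = public key output path
extract_public_key() {
    openssl rsa -in "$1" -passin "pass:$2" -pubout -out "$3" 2>/dev/null
}

# Return 0 when the public key's modulus equals the private key's modulus,
# i.e. the two files really form one pair; non-zero otherwise.
# $1 = private key path, $2 = passphrase, $3 = public key path
keys_match() {
    priv_mod=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -in "$3" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}
```

Run the check with a deliberately mismatched public key as well: keys_match must fail, which is what protects the one-time wliadm step from a mixed-up pair.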
• Sign the DLKM:
% wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng
where:
jane is a valid user ID.
jane.priv is the key identifier. priv is an arbitrary string chosen by the administrator.
Backing up the WLI database
After all administrator keys are authorized, HP recommends backing up the WLI database while the security mode is maintenance. A backup of administrator key files is not possible after WLI is operational in restricted mode.
5 Troubleshooting and known issues
Software distributor issues
Signing an ELF formatted binary adds a signature metadata section to the binary file. This action has the side effect of changing the file modification time and size. If the binary happens to be delivered as part of a product, the swverify command registers errors. If an error-free swverify analysis of a product is important, sign and use a duplicate of the command whenever practical.
For a WLI database archive to be internally consistent, the archive must contain all files residing under /etc/wli. These files must not have any intervening updates. The database is updated through the wliadm, wlicert, wlisys, and wlisyspolicy commands. The database can be restored from archive only with WLI security mode set as maintenance. The security mode is cached within kernel space, not read from the database.
6 Support and other resources
Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level
HP contact information
For the name of the nearest HP authorized reseller:
• See the Contact HP worldwide (in E
Related information
Documents
• OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.012 Release Notes HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3: http://www.hp.com/go/hpux-security-docs Click HP-UX OpenSSL Software.
• Symantec NetBackup™ Snapshots, Continuous Data Protection, and Replication: http://eval.symantec.com/mktginfo/enterprise/white_papers/ b-techbrief_nbu_snapshots_replction_cdp_WP-20719041.en-us.
Parameter    The name of a parameter.
Term         The defined use of an important word or phrase.
User input   Commands and other text that you type.
Variable     The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.
[]           The contents are optional in syntax. If the contents are a list separated by |, you must choose one of the items.
{}           The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...
7 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.