HP-UX Whitelisting Version A.01.02 Release Notes (766165-001, March 2014)
• Sign the DLKM:
% wlisign -a -k /home/jane/jane.priv /usr/conf/mod/rng
where:
jane is a valid user ID.
jane.priv is the key identifier.
priv is an arbitrary string chosen by the administrator.
Backing up the WLI database
After all administrator keys are authorized, HP recommends backing up the WLI database while
the security mode is maintenance. A backup of administrator key files is not possible after
WLI is operational in restricted mode. To back up the WLI database in maintenance mode:
% tar -cf wli.tar /etc/wli
For this example, tar is used. Proprietary backup utilities or cpio also work.
No procedure changes are required for restoring a database backup in maintenance mode.
In restricted mode, a database backup cannot be restored because of read/write protection
on administrator key storage.
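Because the backup cannot be taken again once WLI is in restricted mode, it is worth confirming that the archive is complete before rebooting. The following is an added example, not part of the HP release notes: it runs the tar command shown above and compares the archive listing with the live tree. The function names are hypothetical, and the script assumes only tar, find, sed, sort and cksum.

```shell
#!/bin/sh
# Added example (not from the HP release notes): create the WLI database
# backup with the tar command shown above, then confirm the archive is
# complete before the system is switched to restricted mode.

# list_members ARCHIVE: archive member names, normalised and sorted.
# Leading and trailing slashes are stripped because tar implementations
# differ on whether they keep them.
list_members() {
    tar -tf "$1" | sed -e 's|^/||' -e 's|/$||' | sort
}

# list_tree DIR: every path under DIR, normalised the same way.
list_tree() {
    find "$1" -print | sed -e 's|^/||' -e 's|/$||' | sort
}

# backup_and_verify SRC_DIR ARCHIVE
# Exit status: 0 archive complete, 2 bad source, 3 tar failed,
# 4 archive does not list the same paths as the live tree.
backup_and_verify() {
    src=$1
    archive=$2

    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    # An empty tree means there are no key files to protect yet.
    [ -n "$(find "$src" -type f -print)" ] ||
        { echo "no files under $src" >&2; return 2; }

    tar -cf "$archive" "$src" || return 3

    if [ "$(list_members "$archive")" != "$(list_tree "$src")" ]; then
        echo "archive contents differ from $src" >&2
        return 4
    fi

    # Record size and CRC so later corruption of the copy is detectable.
    cksum "$archive" > "$archive.cksum"
}

# Usage on the system being configured, while still in maintenance mode:
#   backup_and_verify /etc/wli wli.tar && echo "backup verified"
```

Store the archive and its .cksum file off the system, since the copy under /etc/wli cannot be restored from in restricted mode.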
Rebooting to restricted mode
WLI installs and configures when security mode is set to maintenance. This mode disables
all WLI file and resource protection, allowing the installer to complete all the previous steps.
After all administrator keys are authorized and a WLI database backup is generated, the system
can be rebooted for WLI to operate in restricted mode:
% wlisyspolicy -s mode=restricted -k <wli_admin_key>
The following must be executed by the root user:
# shutdown -r
Following reboot, WLI is completely operational in the secure restricted mode.