HP-UX Whitelisting Version A.01.02 Release Notes (766165-001, March 2014)

keys. WLI grants file access only to executables that meet policy requirements, regardless of user
ID. WLI provides the following policy types:
• File Lock Access Control (FLAC)—Read access is allowed and write access is denied to all
executables. A FLAC-protected regular file cannot be modified, deleted, or renamed within
the directory where it resides. Content of a FLAC-protected directory cannot be modified and
files immediately under the directory cannot be modified, but files residing in subdirectories
are not affected.
• Identity Based Access Control (IBAC)—Identity of a binary executable is imparted by signing
with private keys recognized by WLI. The signature uniquely identifies the binary as an
authorized executable. An IBAC policy permits an authorized executable to access the
IBAC-protected file. A file can have multiple IBAC policies, each permitting access to a different
authorized executable.
WLI policy enforcement precedes enforcement of DAC permissions. If WLI permits file access, DAC
permissions are still in effect.
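
The evaluation order described above, modeled in Python as an added example (not HP code and not part of these release notes). The `Policy` class, the executable identity strings, and the `dac_ok` flag are assumptions standing in for WLI metadata, signature verification, and the ordinary permission check; evaluating FLAC before IBAC is also an assumption.

```python
import posixpath
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Hypothetical stand-in for WLI metadata (constructed for this example).
    flac: set = field(default_factory=set)    # FLAC-protected files and directories
    ibac: dict = field(default_factory=dict)  # protected file -> authorized executable ids


def flac_blocks(policy, path, op):
    """FLAC: reads pass for every executable; write, delete and rename are
    denied on a protected file and on entries immediately under a protected
    directory. Entries in subdirectories are not affected."""
    if op == "read":
        return False
    return path in policy.flac or posixpath.dirname(path) in policy.flac


def wli_permits(policy, path, op, exe_id):
    """WLI decision. The user ID is deliberately not an input: only the
    identity of the executable (None if unsigned) matters."""
    if flac_blocks(policy, path, op):
        return False
    if path in policy.ibac:
        # A file can carry several IBAC policies, one per authorized executable.
        return exe_id in policy.ibac[path]
    return True


def access(policy, path, op, exe_id, dac_ok):
    """WLI is evaluated first; a WLI permit must still pass DAC."""
    if not wli_permits(policy, path, op, exe_id):
        return "denied by WLI"
    return "granted" if dac_ok else "denied by DAC"


if __name__ == "__main__":
    p = Policy(flac={"/etc/app"}, ibac={"/data/db": {"exe:backup", "exe:dbd"}})
    for args in [("/etc/app/conf", "write", None, True),
                 ("/etc/app/sub/x", "write", None, True),
                 ("/data/db", "read", "exe:backup", False),
                 ("/data/db", "read", None, True)]:
        print(args, "->", access(p, *args))
```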
Capabilities
WLI restricts access to certain system resources considered to be security risks. Access to these
restricted resources is controlled through WLI administrator keys. An administrator key has the
ability to allow access to a restricted resource by granting the capability pertaining to the resource.
A capability can be granted to any user or administrator key, or a WLI-signed binary executable.
When a capability is granted to a key, the key can be used to grant the capability to an arbitrary
command executing as a child process of a WLI command. The private key and its passphrase
are then required to invoke the signed executable and access the restricted resource.
When a capability is granted to a WLI-signed executable, the executable has the capability
whenever it is invoked. This permits any user to access the protected resource through the signed
executable.
For the initial WLI release, capabilities are:
mem   Permits access to memory image files /dev/mem and /dev/kmem.
dlkm  Permits loading a Dynamically Loadable Kernel Module (DLKM).
wmd   Permits access to WLI metadata. WLI metadata stores policy and signature information.
api   Permits access to libwliapi.so, the shared library providing functions for managing WLI file access policies.
RSA key parsing
WLI uses FIPS 140-2 certified OpenSSL 1.1.2 archive libcrypto.a, based on OpenSSL
A.00.09.07m. This archive is stored at /opt/openssl/fips/0.9.7/lib/hpux64/libcrypto.a
when included with an OpenSSL version such as A.00.09.08l.003. For more
information about FIPS 140-2 (Federal Information Processing Standard 140-2), see
http://www.openssl.org/docs/fips.
Because functions from this archive are statically linked into WLI commands, the archive is not
required to be present on platforms with WLI installed. WLI uses libcrypto.a functions to parse
RSA key files generated by all OpenSSL versions.
The OpenSSL license is stored at /opt/wli/OpenSSL.LICENSE as part of the WLI installation.