wli.5 (2011 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

wli(5) Optional WLI Product Required

wli(5)

NAME

wli - overview of HP-UX Whitelisting (WLI)

DESCRIPTION

HP-UX Whitelisting (WLI) is a security product that applies cryptographic algorithms to provide the fol-

lowing features:

• Lock protection for regular ﬁles and directories to prevent deletion, change in content, or change

in location by any user, including root user. The RSA key used in creating the lock, or a WLI

administrator RSA key, is required to remove the lock. WLI locks are imposed through genera-

tion of FLAC (File Lock Access Control) policies.

• Access restrictions on designated ﬁles and directories. Only authorized binary executables are

permitted read or write access. RSA signatures are used to verify the identity of executables and

authenticate their content. WLI access restrictions are imposed through generation of IBAC

(Identity Based Access Control) policies.

• Prevention of unauthorized access to certain system resources. A binary executable must be

signed with an authorized RSA key and granted the speciﬁc access right to use the protected

resource. The protected resources are listed below with the corresponding access rights referred

to as WLI capabilities .

WLI is designed for environments with high security requirements. The WLI kernel module and its

internal data ﬁles are protected against modiﬁcation. With WLI security enabled, even superuser (uid 0)

is not permitted to load unsigned DLKM modules or access to kernel memory by default. Strong RSA

keys are used to authenticate WLI users, verify authenticity of WLI-protected executables and verify

integrity of WLI metadata.

With WLI, system security is not entirely under the control of the root user. A WLI administrator, who

may or may not have uid 0, has exclusive authority to execute the WLI management commands. The sin-

gle exception is that root user initializes WLI and authorizes the WLI recovery key pair with wliadm(1M)

following installation. WLI administrator keys can then be authorized with the recovery private key or

another administrator private key.

FILE ACCESS POLICIES

File Access Policy is a security restriction imposed on a single regular ﬁle or directory. A ﬁle

access policy is enforced by WLI ﬁltering process threads requesting ﬁle access through ﬁle system opera-

tions.

Local ﬁle security is strengthened by assigning a ﬁle access policy. A ﬁle owner can generate policies

using wlipolicy (1). Run-time enforcement of the policies will then be accomplished by WLI kernel com-

ponents.

File access policies provide a higher degree of control over ﬁle access than can be achieved with discre-

tionary access control (DAC) implemented through ﬁle mode bits, owner UID and group GID. WLI ﬁle

access policies complement, rather than replace, DAC permissions. With WLI security enabled, even

superuser (UID 0) access to ﬁles can be restricted.

The initial WLI release provides two types of ﬁle access policies:

•

file lock access control (FLAC) - When a FLAC policy is assigned to a regular ﬁle or

directory, it cannot be modiﬁed, deleted or moved to a different location. The FLAC policy can

only be removed by the ﬁle owner or a WLI administrator. The ability for ﬁle owners to assign

FLAC policies is controlled by a WLI administrator, see wlicert (1M) for details.

•

identity based access control (IBAC) - When an IBAC policy is assigned to a regu-

lar ﬁle or directory, it can only be opened through a set of authenticated applications identiﬁed

by a WLI application ID (appid) or the optional product ID (prodid). The appid of an executable

is the cryptographic ﬁngerprint derived from the contents of an executable.

A prodid is an alphanumeric string that represents one or more executables, and is chosen by the

signer. The ability for ﬁle owners to assign IBAC policies is also controlled with wlicert (1M).

The appid and prodid with other WLI metadata information is signed and stored within the

executable’s elf header.

FLAC and IBAC policies are mutually exclusive. For any regular ﬁle or directory, one FLAC or multiple

IBAC policies may be assigned. Since DAC permissions are not bypassed, the user must have write per-

mission through the mode bits and the process effective user ID must match the ﬁle owner ID.

HP-UX 11iv3: Sep 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
wli(5) Optional WLI Product Required wli(5) NAME wli - overview of HP-UX Whitelisting (WLI) DESCRIPTION HP-UX Whitelisting (WLI) is a security product that applies cryptographic algorithms to provide the following features: • Lock protection for regular files and directories to prevent deletion, change in content, or change in location by any user, including root user. The RSA key used in creating the lock, or a WLI administrator RSA key, is required to remove the lock.
PAGE 2
wli(5) Optional WLI Product Required wli(5) Enforcement of all IBAC and FLAC policies can be enabled and disabled only with an authorized administrator key and wlisyspolicy (1M). Disabling policy enforcement will require a system reboot if the security downgrade policy is set to deferred. CAPABILITIES WLI can restrict certain operations to a set of users and executables through the granting of capabilities. A WLI administrator may grant a user one or more capabilities with wlicert (1M).
PAGE 3
wli(5) wli(5) Optional WLI Product Required wliadm (1M). WLI verification of executables is a two step process. First, the integrity of the signature metadata stored within the executable is verified, including the public key fingerprint. The public key must be authorized if it is not specified with the -c option. Second, the public key is used to verify content of the entire executable. Following the RSA standard, critical binary sections are cryptographically hashed to obtain a digest.
PAGE 4
wli(5) Optional WLI Product Required wli(5) wliadm (1M) Manage WLI administrator keys. wlicert (1M) Manage WLI public keys. wlisys (1M) Manage WLI configuration attributes. wlisyspolicy (1M) Manage WLI system-wide security policies. wlitrace (1M) Control tracing of WLI kernel modules for problem determination. This command requires superuser privilege. libwliapi (3) A shared library containing functions for managing WLI policies. wlicert.conf (4) WLI capabilities configuration file. wlisys.