wlisyspolicy.1m (2011 03)

wlisyspolicy(1M)                Optional WLI Product Required                wlisyspolicy(1M)
NAME
wlisyspolicy - manage the WLI system policy configuration

SYNOPSIS
wlisyspolicy -h
wlisyspolicy -g
wlisyspolicy -k privkey [-p src:val] -s {attr1=val1,attr2=val2...}
DESCRIPTION
wlisyspolicy manages system policy attributes that affect enforcement of WLI file access policies and capabilities. There are four global policy attributes: flac, ibac, mode, and downgrade.
The flac (file lock access control) attribute controls enforcement of FLAC policies. With flac=enabled and mode=restricted, WLI will not allow any regular file or directory with a WLI file lock to be modified, deleted, or moved to a different location. If flac=disabled, there is no enforcement of individual WLI file locks regardless of the mode value.
The ibac (identity based access control) attribute controls enforcement of IBAC policies. If ibac=enabled and mode=restricted, an IBAC policy on a regular file or directory will limit access to the executable binary identified by a WLI signature. One file can have multiple IBAC policies. Only the executable binary identified by an IBAC policy will be able to obtain read or write access. If ibac=disabled, IBAC lists are not checked to determine access to the associated files regardless of the mode value.
The mode attribute controls how WLI FLAC and IBAC access violations are handled. The permitted values for this attribute, in order of increasing security, are:

maintenance - Access violations are not reported or enforced, even with IBAC and FLAC policies enabled. Resources protected by capabilities are not restricted by WLI. For example, tar(1) can be used to back up the WLI database files /etc/wli/keys/*, which are not readable if mode is restricted.

restricted - Access violations are reported and enforced. A violation will result in failure of the open() on the target file.
The downgrade attribute controls how WLI policy attribute updates take effect. A change in an attribute value results in either a security upgrade or a security downgrade. If the ibac or flac attribute changes from enabled to disabled, it is a security downgrade. The security ordering of mode values is listed above. The permitted values for downgrade are:

immediate - Attribute value changes are in effect immediately, regardless of whether the outcome is a security upgrade or downgrade. The exception is the mode attribute, which requires a reboot for a value change to take effect.

deferred - Any attribute change that leads to a security downgrade is not in effect until the system is rebooted. Attribute changes that result in a security upgrade are immediate. For example, changing downgrade from deferred to immediate is a security downgrade; the value of downgrade will remain deferred until the system is rebooted. The exception is the mode attribute, which requires a reboot for any value change to take effect.
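The upgrade/downgrade rules above decide which of a requested set of attribute changes take effect at once and which wait for the next reboot. The following model is an added example written for this page, not part of the HP-UX WLI product; it does not touch the WLI kernel or key files, it only predicts the outcome of a -s request from the rules in this man page. The security ordering of flac, ibac and downgrade values (enabled and deferred being the more secure values), the assumption that the downgrade value in force before the command governs every attribute in that same request, and the assumption that re-setting an attribute to its current value cancels a pending deferred value, are all choices made for the example.

```python
# Constructed model of the wlisyspolicy attribute-change semantics described
# in this man page. Added example; not WLI code and not a WLI API.

# Permitted values per attribute, in order of increasing security. The mode
# ordering is the man page's; the other three orderings are assumptions for
# this example (enabled and deferred being the more secure settings).
SECURITY_ORDER = {
    "flac": ("disabled", "enabled"),
    "ibac": ("disabled", "enabled"),
    "mode": ("maintenance", "restricted"),
    "downgrade": ("immediate", "deferred"),
}


def rank(attr, value):
    """Position of value in its attribute's security ordering (higher = more secure)."""
    if attr not in SECURITY_ORDER:
        raise ValueError(f"unknown attribute {attr!r}")
    if value not in SECURITY_ORDER[attr]:
        raise ValueError(f"invalid value {value!r} for attribute {attr}")
    return SECURITY_ORDER[attr].index(value)


def parse_attr_list(text):
    """Parse the '-s attr1=val1,attr2=val2' argument into a validated dict."""
    result = {}
    for item in text.split(","):
        if "=" not in item:
            raise ValueError(f"malformed attribute assignment {item!r}")
        attr, value = (part.strip() for part in item.split("=", 1))
        rank(attr, value)  # raises on an unknown attribute or value
        result[attr] = value
    return result


def apply_changes(current, pending, requested):
    """Return (current, pending) after a -s request.

    current   - attribute values in effect now
    pending   - values that will take effect at the next reboot
    requested - dict produced by parse_attr_list

    Rules from the man page:
      * a mode change always waits for a reboot;
      * with downgrade=immediate, every other change is effective now;
      * with downgrade=deferred, a security downgrade waits for a reboot
        and a security upgrade is effective now.
    Assumption: the downgrade value in force before the command governs
    every attribute in the request (the man page does not state this).
    """
    current = dict(current)
    pending = dict(pending)
    policy = current["downgrade"]
    for attr, new in requested.items():
        old = current[attr]
        if new == old:
            # Assumption: re-setting the current value cancels a deferral.
            pending.pop(attr, None)
            continue
        is_downgrade = rank(attr, new) < rank(attr, old)
        if attr == "mode" or (policy == "deferred" and is_downgrade):
            pending[attr] = new
        else:
            current[attr] = new
            pending.pop(attr, None)
    return current, pending


def reboot(current, pending):
    """Apply every pending value, as the next system reboot would."""
    merged = dict(current)
    merged.update(pending)
    return merged, {}


if __name__ == "__main__":
    # Constructed starting state: fully locked down, downgrades deferred.
    state = {"flac": "enabled", "ibac": "enabled",
             "mode": "restricted", "downgrade": "deferred"}
    now, later = apply_changes(state, {}, parse_attr_list("downgrade=immediate,flac=disabled"))
    print("in effect now:", now)       # downgrade stays deferred, flac stays enabled
    print("after reboot:", later)      # both downgrades are queued
    now, later = reboot(now, later)
    now, later = apply_changes(now, later, parse_attr_list("ibac=disabled,mode=maintenance"))
    print("in effect now:", now)       # ibac=disabled applied at once (downgrade=immediate)
    print("after reboot:", later)      # mode always waits for a reboot
```

Running the block prints the two-step scenario from the man page's own example: with downgrade=deferred, the request to switch downgrade to immediate and to disable flac is queued until reboot, and only after that reboot does a further downgrade of ibac apply at once, while a mode change still waits.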
The wlisyspolicy command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
-g              Prints all current and deferred attribute values. Deferred values will be in effect following the next system reboot.
-h              Displays the wlisyspolicy command syntax.
-k privkey      Specifies the file containing a WLI administrator private key. privkey is required with the -s option.
-p src:val      Specifies the passphrase source for privkey. For more information on passphrase syntax, see wli(5).
-s attributes   Specifies a list of attributes and the values to which they will be set. The list is in the form of attribute=value arguments separated by commas. The valid arguments are:
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1