HP-UX Whitelisting A.01.
© Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 Security features .... 9
1.1 File access policies .... 9
1.1.1 File lock access controls .... 9
1.1.2 Identity-based access controls
6.5 Enabling DLKMs to load during boot .... 30
6.6 Loading unsigned DLKMs .... 31
7 Backup and restore considerations .... 33
7.1 Overview
C.3.1 Creating a FLAC policy .... 54
C.3.2 Enabling a FLAC policy .... 54
C.3.3 Testing a FLAC policy .... 54
C.3.4 Disabling a FLAC policy

List of Figures
2-1 WLI architecture .... 6

List of Examples
B-1 Execute manual WLI configuration .... 49
B-2 Backing up policy protected files .... 49
B-3 Restoring policy protected files .... 50
B-4 Backup and restore without wliwrap
1 Security features
HP-UX Whitelisting (WLI) provides security features complementary to discretionary access controls, sometimes referred to as DAC restrictions. DAC restrictions are based on defined users and groups, and the ownership and permission bits associated with every type of file. DAC restrictions are generated through user commands and enforced within the kernel domain on the processes comprising every application. WLI is a cryptographic key-based product.
A FLAC policy prevents modification of file status information such as modification time, permission bits, owner ID, and group ID stored within the file inode.
1.1.2 Identity-based access controls
Abbreviated as IBAC, this policy type denies access to a designated file or directory for all executables except those specifically authorized. File or directory access is normally granted to an executing binary if all access restrictions are met.
This capability is intended to alleviate a security issue associated with dynamic loading. The user must have root authority to dynamically load, and a WLI administrator key must grant dlkm capability directly or through another authorized key.
1.2.4 api
WLI permits an application to execute functions contained within the shared object library /opt/wli/lib/libwliapi.so by granting api capability.
2 Product overview
WLI is a security enhancement product that relies on RSA keys and cryptographic algorithms to restrict access to regular files, directories, and certain protected resources. WLI is complementary to the traditional access restrictions imposed by file ownership and permission bits. An executable permitted by WLI to access a file does not bypass permission bit checks, ACLs, or other security mechanisms. For more detail on WLI commands and files, see the manpages installed with WLI.
Figure 2-1 WLI architecture
2.1.1 Commands
WLI commands are described in detail through the HP-UX manpage facility on installed platforms, and are not reproduced here.
The ability to execute functions within this library is a resource protected by WLI. As with other resources protected by WLI, access must explicitly be granted through WLI using authorized RSA keys.
2.1.1.2 Applications
Enforcement of WLI file access policies and resource restrictions is imposed on all applications and commands. Application binaries and files have no requirements for modification or relinking. A user may restrict application access to local files and directories through WLI commands.
2.1.1.5 File systems
WLI security features are imposed on all directories and regular files that reside in file systems called through the VFS layer. WLI generates metadata to keep track of its file access policies. Policy metadata might become scattered in files throughout a file system. VxFS (aka JFS) at revision 5.0.1 or later is an exception because metadata can be stored within a named stream. A named stream is associated with a file inode, but is not accessible through the usual open() on the file.
2.3.1 .$WLI_FSPARMS$
These metadata files are regular files containing metadata storage types for the file system where they reside. This file always appears in the root directory of a file system that also contains WLI metadata. The metadata storage type is indicated by the wmdstoretype parameter. For details, see wlisys(1M). The following storage types are available:
auto    If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named stream.
3 Key usage
WLI defines two key types. User keys can sign executable binaries and generate file access policies. Administrator keys have all the authority of user keys, but also can be used to authorize changes to the WLI database. WLI depends on RSA keys for authorization of many of its command operations. A WLI command with the “1M” manpage designation means an administrator key is required to execute at least one command option, not the traditional root user (user ID 0).
As in the previous example, a prompt appears for the private key passphrase because it is not included. RSA public keys are generally not considered secret quantities and are not encrypted. Not protecting public keys does not cause a security breach. WLI follows this convention.
3.2 User keys
A user key can have no authorization for WLI operations and still suffice for creating WLI file access policies and signing executable binaries.
4 Installing, removing, and upgrading
To install, remove, or upgrade WLI, HP recommends the following procedures.
4.1 Installation requirements
Hardware requirement: HP Integrity servers
Operating system requirements: The operating system must be HP-UX 11iv3 at level B.11.31.0909 or later. To determine the level of HP-UX 11iv3 installed on your system:
  % swlist | grep HPUX11i
For example:
  % swlist | grep HPUX11i
  HPUX11i-DC-OE B.11.31.
7. Click Download.
8. Save the HP-UX WhiteList Infrastructure bundle as a local file on your system. Use the file name /tmp/.depot, for example.
9. Verify the depot file is saved on your system with the following command:
   # swlist -d @ /tmp/.depot
10. Install the bundle:
   # swinstall -x autoreboot=true -s /tmp/.depot WhiteListInf
4. Log in to the target system as the root user.
5. Remove WLI:
   % swremove -x autoreboot=true WhiteListInf
   The machine automatically reboots after rebuilding the kernel without the WLI module.
6. Manual cleanup: WLI does not keep track of metadata files generated by WLI commands. These metadata files are listed in Section 2.3 (page 16).
4.4 Upgrading WLI
WLI upgrades will become available through revisions of WLI.
5 Configuring
When WLI installation completes, the system reboots. The kernel rebuilt with WLI components becomes active, enabling WLI services. By default, SD-UX configuration scripts execute following the reboot. SD-UX configuration can optionally be postponed by the installer. Whether SD-UX configuration completes during or following system initialization, a few manual steps are necessary to bring WLI to a completely operational state.
is the key identifier; instance is a string chosen by an administrator. is the recovery key or previously authorized administrator key. is the passphrase source and value. If the -p option is not included, a prompt appears for the passphrase at the /dev/tty device. is the public key being authorized for WLI administrator authority. Changing administrator key passphrases does not impact WLI database files.
5.5 Rebooting to restricted mode
WLI installs and configures when security mode is set to maintenance. This mode disables all WLI file and resource protection, allowing the installer to complete all the previous steps.
6 Enhancing security with WLI
This section describes basic operations that are intended to help the reader gain familiarity with WLI. This section assumes:
• WLI is successfully initialized.
• At least one administrator key is created.
• The WLI security mode is restricted.
• Both ibac and flac security attributes are enabled.
For details on setting WLI security attributes, see wlisyspolicy(1M).
The policy metadata is created and resides in a protected file or named stream, depending on the current value of the metadata storage attribute and possibly the file system type. The administrator owns key admin.pvt. The administrator must authorize the user key for policy enforcement:
  % wlicert -i joe.key -k ./admin.pvt /home/joe/joepub
The administrator chose identifier joe.key to represent the user's key in the WLI database. Now /home/joe/joefile is protected against deletion and alteration.
during boot. To enable boot-time loading of a DLKM, it must be signed by an authorized key. The administrator owns WLI administrator key adminpriv. Like all administrator keys, adminpriv is authorized for signature verification automatically when it is granted WLI administrator authority. Following WLI installation the system reboots and WLI is initially in maintenance mode.
IMPORTANT: This procedure must be performed as root user.
Verify the DLKM to be signed is unloaded:
7 Backup and restore considerations
7.1 Overview
This section describes how WLI-protected files are read from and written back to their original locations when the WLI security mode is restricted. Maintenance mode is necessary to back up and restore some files. Because backup and restore procedures vary considerably across HP-UX installations, no specific commands or procedures are recommended.
7.2.1 Write protected
WLI does not inhibit reading of write protected files. Files in this class can be read and backed up in accordance with the file ownership and permission bits. Files in this class are:
  /etc/wli/certificates/*
  /etc/wli/wlicert.conf
  /etc/wli/wlisys.conf
  /etc/wli/wlisyspolicy.conf
For backup procedures, these files can be treated the same as other directories and regular files. Restoration of backup archives for these files is only recommended if the WLI database is corrupted.
7.3.1 FLAC policies
A file with a FLAC policy can be read but cannot be overwritten unless wmd capability is granted to the executing process. FLAC protection is not enforced with wmd capability. This enables the file and its policy metadata to be restored from an archive over an existing copy of the FLAC-protected file.
7.3.2 IBAC policies
Without wmd capability, a file with an IBAC policy can be read or written only if an IBAC policy identifies the read or write command as an authorized executable.
8 HP Serviceguard considerations
8.1 Overview
HP Serviceguard provides clustering services at the application level for HA. If a critical component failure occurs on the designated primary node of a product, HP Serviceguard activates the product on an alternate node through failover package scripting. The failed-over product requires the same resources on the alternate nodes as were available on the primary node before the critical failure.
WLI installation and configuration on the cluster is now complete. Following reboot of all nodes, WLI is operational in restricted mode. To maintain the WLI database consistently and ensure product failovers will be successful, HP recommends the following procedure:
1. Execute WLI administrative commands wliadm, wlicert, wlisys, and wlisyspolicy identically on all nodes. This ensures the WLI database, which includes all authorized user keys, granted capabilities, and associations, is uniform.
9 Troubleshooting and known issues
9.1 Software distributor issues
Signing an ELF formatted binary adds a signature metadata section to the binary file. This action has the side effect of changing the file modification time and size. If the binary happens to be delivered as part of a product, the swverify command registers errors. If error free swverify analysis on a product is important, sign and use a duplicate of the command whenever practical.
For a WLI database archive to be internally consistent, the archive must contain all files residing under /etc/wli. These files must not have any intervening updates. The database is updated through the wliadm, wlicert, wlisys, and wlisyspolicy commands. The database can be restored from archive only with WLI security mode set as maintenance. The security mode is cached within kernel space, not read from the database.
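The consistency requirement above (every file under /etc/wli in the archive, with no intervening updates) can be checked mechanically before the archive is restored in maintenance mode. The following is an added example, not code from the HP manual: it builds a constructed tree that mimics the write-protected files named in Section 7.2.1, records a checksum manifest when the archive is written, and later verifies that the tree still matches that manifest. It assumes POSIX sh with tar, find, cksum, cmp and mktemp; the tree lives under a temporary directory, not the real /etc/wli.

```shell
#!/bin/sh
# Added example (not from the HP manual): archive a WLI-style database tree
# together with a checksum manifest, so that an archive taken across
# intervening updates (wliadm, wlicert, wlisys, wlisyspolicy) is detected
# before it is restored in maintenance mode. Assumes POSIX sh, tar, find,
# cksum, cmp and mktemp; the tree is constructed here, not the real /etc/wli.

# Print "crc size ./path" for every regular file under $1, sorted by path so
# the output is stable across runs.
manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do cksum "$f"; done )
}

# Build a constructed database tree resembling the write-protected files
# listed in Section 7.2.1. Prints the tree root.
make_sample_database() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/wli/certificates"
    printf 'constructed certificate\n' > "$root/etc/wli/certificates/adm1.key1"
    printf 'constructed wlicert settings\n' > "$root/etc/wli/wlicert.conf"
    printf 'constructed wlisys settings\n' > "$root/etc/wli/wlisys.conf"
    printf 'mode=restricted\n' > "$root/etc/wli/wlisyspolicy.conf"
    printf '%s\n' "$root"
}

# Archive everything under $1/etc/wli into $2 and write the manifest taken at
# archive time to $2.manifest (kept outside the tree so it is not archived).
# Returns 0 on success.
archive_database() {
    tree=$1; archive=$2
    manifest "$tree/etc/wli" > "$archive.manifest" || return 1
    ( cd "$tree" && tar -cf "$archive" etc/wli )
}

# Return 0 if the tree still matches the manifest recorded at archive time,
# i.e. no database file was updated since the archive was written.
database_unchanged_since_archive() {
    tree=$1; archive=$2
    manifest "$tree/etc/wli" | cmp -s - "$archive.manifest"
}

# Stand-alone run: archive a sample tree, then simulate an administrative
# update and show that the archive is now stale.
if [ "${WLI_EXAMPLE_DEMO:-}" = 1 ]; then
    t=$(make_sample_database)
    archive_database "$t" "$t/wli-db.tar"
    database_unchanged_since_archive "$t" "$t/wli-db.tar" && echo "archive is current"
    printf 'mode=maintenance\n' > "$t/etc/wli/wlisyspolicy.conf"
    database_unchanged_since_archive "$t" "$t/wli-db.tar" || echo "archive is stale: do not restore"
fi
```

Run with WLI_EXAMPLE_DEMO=1 to see both outcomes. Keeping the manifest beside the archive, rather than inside it, means a later change to any single file under the tree (a wlisyspolicy mode change in the demo) is caught by one cmp, and the manifest lists the files the archive must contain, which is the "all files residing under /etc/wli" requirement stated above.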
10 Support and other resources
10.1 Contacting HP
10.1.1 Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level
• Symantec NetBackup™ Snapshots, Continuous Data Protection, and Replication: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-techbrief_nbu_snapshots_replction_cdp_WP-20719041.en-us.pdf
• For a high level description of HP-UX file systems, see HP-UX System Administrator's Guide: Overview HP-UX 11i Version 3: http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02281492/c02281492.pdf
Websites
• HP-UX Whitelisting documentation website: http://www.hp.
...       The preceding element can be repeated an arbitrary number of times.
          Indicates the continuation of a code example.
|         Separates items in a list of choices.
WARNING   A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION   A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
A libwliapi example
This example demonstrates how libwliapi functions add and delete WLI file access policies.
A.1 Instructions
This example requires an authorized WLI administrator key.
WLI administrator's private key
Passphrase for
1. Copy the makefile and source files below to a test directory.
2. % su root
3. The makefile builds executables, adds user wliusr1, and generates ukey.pvt
   # make all
4. # wlicert -i wliusr1.inst1 -k -p pass: ukey.
	openssl rsa -passin pass:mypasswd -out ukey.pub -in ukey.pvt -pubout

user_setup: api_flac_test api_ibac_test ukey.pvt ukey.pub
	if ! grep -q wliusr1 /etc/passwd; then \
		useradd wliusr1; \
		chown wliusr1 flac_test; chmod a+w flac_test; \
		chown wliusr1 ibac_test; chmod a+w ibac_test; \
		chown wliusr1 api_flac_test; chmod u+w flac_test; \
		chown wliusr1 api_ibac_test; chmod u+w ibac_test; \
		chown wliusr1 ukey.pvt; chmod go-w ukey.pvt; \
		chown wliusr1 ukey.pub; chmod go-w ukey.pub; \
	fi

clean:
	rm -f *.
* wliapitest.c */ #include #include #include #include
B Administration examples
Example B-1 Execute manual WLI configuration
The recovery key is authorized by root user:
  # wliadm -i recov.pub -k recov.pvt
RSA key adm1.pvt is generated per HP recommendations and its public key extracted:
  # openssl genrsa -aes256 -out adm1.pvt 2048
  # openssl rsa -in adm1.pvt -out adm1.pub -pubout
RSA key adm1.pvt is granted WLI administrator authority by the recovery key:
  # wliadm -n adm1.key1 -k recov.pvt adm1.pub
The public key extracted from adm1.pvt is adm1.pub.
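The two openssl commands in Example B-1 are the only part of the administrator key setup that can be exercised off an HP-UX system. The following added example is not from the HP manual: it runs the same genrsa/rsa -pubout steps and then checks the properties Section 3 relies on, namely that the private key file is passphrase-encrypted, that the public key is stored in the clear, and that the extracted public key really belongs to the private key. It assumes the openssl command-line tool is installed; the key names and passphrase are constructed for the example, and the passphrase is supplied with -passout/-passin in place of the interactive prompt the manual describes.

```shell
#!/bin/sh
# Added example (not from the HP manual): generate an administrator-style RSA
# key pair the way Example B-1 does and verify the key-handling properties
# described in the Key usage section. Assumes openssl is installed; file
# names and the passphrase are constructed for this example.

# Generate an AES-256 encrypted 2048-bit private key and extract its public
# key. $1 = directory, $2 = key base name, $3 = passphrase. Returns 0 on success.
generate_keypair() {
    dir=$1; name=$2; pass=$3
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$name.pvt" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/$name.pvt" -passin "pass:$pass" -pubout -out "$dir/$name.pub" 2>/dev/null || return 1
    # Meet the DAC side of the requirement as well: only the owner may read
    # the private key (the Appendix A makefile uses chmod go-w; this is tighter).
    chmod 600 "$dir/$name.pvt"
    return 0
}

# Return 0 if the private key file is encrypted. openssl marks both the PKCS#8
# form ("BEGIN ENCRYPTED PRIVATE KEY") and the legacy PEM form
# ("Proc-Type: 4,ENCRYPTED") with the word ENCRYPTED.
private_key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Return 0 if the public key is a plain, unencrypted PUBLIC KEY block, which is
# the convention the manual says WLI follows.
public_key_is_plain() {
    grep -q 'BEGIN PUBLIC KEY' "$1" && ! grep -q ENCRYPTED "$1"
}

# Return 0 if re-deriving the public key from the private key ($1, passphrase
# $3) yields exactly the stored public key file ($2).
public_key_matches() {
    derived=$(openssl rsa -in "$1" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$2")" ]
}

# Return 0 if the private key cannot be opened with a wrong passphrase, i.e.
# possession of the file alone does not yield the key.
passphrase_required() {
    ! openssl rsa -in "$1" -passin pass:wrong-passphrase -noout 2>/dev/null
}

# Stand-alone run: create adm1.pvt/adm1.pub in a scratch directory and report.
if [ "${WLI_EXAMPLE_DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    generate_keypair "$d" adm1 'example-passphrase' || { echo "key generation failed"; exit 1; }
    private_key_is_encrypted "$d/adm1.pvt" && echo "adm1.pvt is encrypted"
    public_key_is_plain "$d/adm1.pub" && echo "adm1.pub is stored in the clear"
    public_key_matches "$d/adm1.pvt" "$d/adm1.pub" 'example-passphrase' && echo "adm1.pub matches adm1.pvt"
    passphrase_required "$d/adm1.pvt" && echo "adm1.pvt requires its passphrase"
fi
```

Run with WLI_EXAMPLE_DEMO=1 to see the checks pass. The match test matters operationally: the public key is what wliadm registers in the database, so a mismatched or stale .pub file would authorize a key nobody holds.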
To meet file permission bits requirements (DAC restrictions), the user must have root authority to modify tar with wlisign. The command is signed with the administrator key:
  % su root
  # wlisign -a -k adm1.pvt /usr/bin/tar
The wmd capability is not granted to /usr/bin/tar. Only the key authorizing execution of wliwrap must be granted wmd capability. File permission bits restrictions (DAC permissions) on /usr/bin/tar must be met for wlisign, therefore the signing was executed by root user.
Using the administrator key adm1.pvt for authorization, tar is invoked as a child process of wliwrap. For details about the key signing and granting wmd, see Example B-2 (page 49). You must restore the archive onto a file system with the same type of metadata storage as the generated archive. Otherwise, WLI cannot enforce the policies. If the archive metadata storage type is unknown, execute the following to look for policy metadata files:
  % tar -vtf tartest.
To grant wmd to the commands, the adm1.pvt key must be a WLI administrator key. This key was granted administrator privilege in Example B-1 (page 49). The bpbackup and bprestore commands are now able to backup and restore metadata in named data streams as well as in regular files. These commands have wmd capability that grants read/write access to all metadata, whether stored in named streams or in regular files under .$WLI_POLICY$ directories.
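The archive inspection described above (listing the archive and looking for .$WLI_POLICY$ entries to learn which metadata storage type it was written with) is straightforward to script. The following is an added example, not code from the HP manual: it constructs two small tar archives, one with a .$WLI_POLICY$ directory beside the protected file and one without, and reports whether policy metadata is present so the restore target file system can be chosen accordingly. It assumes POSIX sh with tar, grep and mktemp; the archives contain constructed placeholder content, not real WLI metadata, and an archive without such entries either carries its metadata in named streams or none at all.

```shell
#!/bin/sh
# Added example (not from the HP manual): inspect a tar listing for
# .$WLI_POLICY$ directories before restoring it, the check Example B-2 gives
# for an archive whose metadata storage type is unknown. Assumes POSIX sh,
# tar, grep and mktemp; the archives are constructed here.

# Build a throwaway tree and archive it. $1 = "with" to include a
# .$WLI_POLICY$ directory beside the protected file, anything else to omit
# it. Prints the archive path.
make_sample_archive() {
    workdir=$(mktemp -d)
    mkdir -p "$workdir/tree/home/joe"
    printf 'constructed payload\n' > "$workdir/tree/home/joe/joefile"
    if [ "$1" = with ]; then
        # Regular-file metadata storage keeps the policy under .$WLI_POLICY$
        # in the protected file's directory (constructed placeholder content).
        mkdir -p "$workdir/tree/home/joe/.\$WLI_POLICY\$"
        printf 'constructed policy metadata\n' > "$workdir/tree/home/joe/.\$WLI_POLICY\$/joefile"
    fi
    ( cd "$workdir/tree" && tar -cf "$workdir/tartest.tar" . )
    printf '%s\n' "$workdir/tartest.tar"
}

# Print the policy metadata entries in the archive, like "tar -vtf" piped to
# grep. Returns 0 when at least one .$WLI_POLICY$ entry exists, 1 otherwise.
archive_has_policy_metadata() {
    entries=$(tar -tf "$1" | grep -F '.$WLI_POLICY$/' || true)
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries"
}

# Count protected files whose policy metadata is in the archive: entries
# under a .$WLI_POLICY$ directory, excluding the directory entry itself.
count_policy_metadata_files() {
    tar -tf "$1" | grep -F '.$WLI_POLICY$/' | grep -v '/$' | wc -l | tr -d ' '
}

# Stand-alone run: show both outcomes.
if [ "${WLI_EXAMPLE_DEMO:-}" = 1 ]; then
    for kind in with without; do
        a=$(make_sample_archive "$kind")
        if archive_has_policy_metadata "$a"; then
            echo "$a: $(count_policy_metadata_files "$a") policy file(s) stored as regular files"
        else
            echo "$a: no .\$WLI_POLICY\$ entries; metadata is in named streams or absent"
        fi
    done
fi
```

Run with WLI_EXAMPLE_DEMO=1 to see both outcomes. Because the check only reads the listing, it works on any archive before anything is extracted, which is the point: restoring onto the wrong storage type silently leaves the files unprotected.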
C Quick setup examples
This guide offers quick setup examples for installing WLI and creating file access policies.
C.1 Installing WLI
1. Go to the HP Software Depot: http://www.hp.com/go/softwaredepot
2. Click Security and manageability.
3. Scroll down and select HP-UX Whitelisting.
4. Click Installation at the bottom of the page.
5. Review the software requirements.
6. Click Receive for Free >> at the bottom of the page.
7. Sign in as a registered user.
Public key being authorized
For example, user adm uses administrator key /home/adm/adm.pvt to authorize /home/usr1/usr.pub as a WLI user key:
  % wlicert -i usr1.key1 -k /home/adm/adm.pvt /home/usr1/usr.pub
C.3 FLAC policies
A FLAC policy prevents a regular file or directory from being modified, deleted, or renamed. It also prevents change of ownership and permission bits, modification time, and other persistent information associated with the file.
C.3.4 Disabling a FLAC policy
After the system reboot, which is the final task of WLI configuration, WLI is in the highest security state. To disable FLAC policy enforcement:
1. The administrator removes system-wide enforcement:
   % wlisyspolicy -s flac=disabled -k /home/adm/adm.pvt
   or
   % wlisyspolicy -s mode=maintenance -k /home/adm/adm.pvt
   The wlisyspolicy command returns a message indicating a reboot is necessary for the security downgrade to take effect if the downgrade attribute has value deferred.
Values in effect currently:
  write lock protection (IBAC): enabled
  protection mode: restricted
If either of the above settings is not in effect, IBAC policy enforcement can be enabled with:
  % wlisyspolicy -s mode=restricted,ibac=enabled -k /home/adm/adm.pvt
Access to all other executables is denied:
  % /usr/bin/more /tmp/secret
  /tmp/secret: Permission denied
  % /usr/bin/head /tmp/secret
  /tmp/secret: Permission denied
Any user with read permission on /tmp/secret can read it:
  % cat /tmp/secret
  hi there
Glossary
ASM                     Oracle Automatic Storage Management
authorized executable   A signed binary executable specified in an IBAC policy. The executable is permitted access to the protected file also specified in the IBAC.
CFS                     Veritas Cluster File System
DAC                     Discretionary Based Access Controls. A traditional file access control used on Unix-based operating systems.
DLKM                    Dynamically Loadable Kernel Module
FAP                     File Access Policy. WLI metadata that restricts access to a regular file or directory.