| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris 11 Security Guidelines Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris 11 Security Guidelines Oracle Solaris 11.1 Information Library |
1. Overview of Oracle Solaris Security
2. Configuring Oracle Solaris Security
Installing the Oracle Solaris OS
How to Disable Unneeded Services
How to Remove Power Management Capability From Users
How to Place a Security Message in Banner Files
How to Place a Security Message on the Desktop Login Screen
How to Set Stronger Password Constraints
How to Set Account Locking for Regular Users
How to Set More Restrictive umask Value for Regular Users
How to Audit Significant Events in Addition to Login/Logout
How to Display a Security Message to ssh Users
Protecting File Systems and Files
How to Limit the Size of the tmpfs File System
Protecting and Modifying Files
Securing Applications and Services
Creating Zones to Contain Critical Applications
Adding SMF to a Legacy Service
Creating a BART Snapshot of the System
Adding Multilevel (Labeled) Security
Configuring Trusted Extensions
At this point, only the initial user who can assume the root role has access to the system. The following tasks are best performed in order before regular users can log in.
|
Use this procedure if the defaults do not satisfy your site security requirements. The steps follow the list of entries in the /etc/default/passwd file.
Before You Begin
Before changing the defaults, ensure that the changes allow all users to authenticate to their applications and to other systems on the network.
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
## /etc/default/passwd ## MAXWEEKS= MINWEEKS= MAXWEEKS=4 MINWEEKS=3
#PASSLENGTH=6 PASSLENGTH=8
#HISTORY=0 HISTORY=10
#MINDIFF=3 MINDIFF=4
#MINUPPER=0 MINUPPER=1
#MINDIGIT=0 MINDIGIT=1
See Also
For the list of variables that constrain password creation, see the /etc/default/passwd file. The defaults are indicated in the file.
For the password constraints in effect after installation, see System Access Is Limited and Monitored.
passwd(1) man page
Use this procedure to lock regular user accounts after a certain number of failed login attempts.
Note - Do not set account locking for users who can assume roles because you can lock out the role.
Before You Begin
Do not set this protection system-wide on a system that you use for administrative activities.
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
# pfedit /etc/security/policy.conf ... #LOCK_AFTER_RETRIES=NO LOCK_AFTER_RETRIES=YES ...
# usermod -K lock_after_retries=yes username
# pfedit /etc/default/login ... #RETRIES=5 RETRIES=3 ...
See Also
For a discussion of user and role security attributes, see Chapter 10, Security Attributes in Oracle Solaris (Reference), in Oracle Solaris 11.1 Administration: Security Services.
Selected man pages include policy.conf(4) and user_attr(4).
If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Oracle Solaris provides directories for administrators to customize user shell defaults. These skeleton directories include files such as .profile, .bashrc and .kshrc.
Choose one of the following values:
umask 026 – Provides moderate file protection
(741) – r for group, x for others
umask 027 – Provides strict file protection
(740) – r for group, no access for others
umask 077 – Provides complete file protection
(700) – No access for group or others
See Also
For more information, see the following:
Default umask Value in Oracle Solaris 11.1 Administration: Security Services
Selected man pages include usermod(1M) and umask(1).
Use this procedure to audit administrative commands, attempts to invade the system, and other significant events as specified by your site security policy.
Note - The examples in this procedure might not be sufficient to satisfy your security policy.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
For all users and roles, add the AUE_PFEXEC audit event to their preselection mask.
# usermod -K audit_flags=lo,ps:no username
# rolemod -K audit_flags=lo,ps:no rolename
# auditconfig -setpolicy +argv
# auditconfig -setpolicy +arge
See Also
For information about audit policy, see Audit Policy in Oracle Solaris 11.1 Administration: Security Services.
For examples of setting audit flags, see Configuring the Audit Service (Tasks) in Oracle Solaris 11.1 Administration: Security Services and Troubleshooting the Audit Service (Tasks) in Oracle Solaris 11.1 Administration: Security Services.
To configure auditing, see the auditconfig(1M) man page.
Use this procedure to activate the audit_syslog plugin for events that you want to monitor as they happen.
Before You Begin
You must assume the root role to modify the syslog.conf file. Other steps require you to be assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
# auditconfig -setplugin audit_syslog active p_flags=lo
# svcs system-log STATE STIME FMRI disabled 13:11:55 svc:/system/system-log:rsyslog online 13:13:27 svc:/system/system-log:default
Tip - If the rsyslog service instance is online, modify the rsyslog.conf file.
The default entry includes the location of the log file.
# cat /etc/syslog.conf … audit.notice /var/adm/auditlog
# touch /var/adm/auditlog
# svcadm refresh system-log:default
Note - Refresh the system-log:rsyslog service instance if the rsyslog service is online.
The audit service reads the changes to the audit plugin upon refresh.
# audit -s
See Also
To send the audit summaries to another system, see the example following How to Configure syslog Audit Logs in Oracle Solaris 11.1 Administration: Security Services.
The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.
To monitor the output, see Monitoring audit_syslog Audit Summaries.
Under particular circumstances, one or more of three basic privileges can be removed from a regular user's basic set.
file_link_any – Allows a process to create hard links to files owned by a UID different from the effective UID of the process.
proc_info – Allows a process to examine the status of processes other than those it can send signals to. Processes that cannot be examined cannot be seen in /proc and appear not to exist.
proc_session – Allows a process to send signals or trace processes outside its session.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
# usermod -K 'defaultpriv=basic,!file_link_any' user
# usermod -K 'defaultpriv=basic,!proc_info' user
# usermod -K 'defaultpriv=basic,!proc_session' user
# usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
See Also
For more information, see Chapter 8, Using Roles and Privileges (Overview), in Oracle Solaris 11.1 Administration: Security Services and the privileges(5) man page.
|