| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
Configuring Device Policy (Tasks)
Configuring Device Policy (Task Map)
Managing Device Allocation (Tasks)
Managing Device Allocation (Task Map)
How to Enable Device Allocation
How to Authorize Users to Allocate a Device
How to View Allocation Information About a Device
How to Forcibly Allocate a Device
How to Forcibly Deallocate a Device
How to Change Which Devices Can Be Allocated
How to Audit Device Allocation
How to Mount an Allocated Device
Components of Device Allocation
Device Allocation Rights Profiles
6. Verifying File Integrity by Using BART (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Using Pluggable Authentication Modules
17. Using Simple Authentication and Security Layer
18. Network Services Authentication (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.
The following task map points to device configuration procedures that are related to device policy.
|
% getdevpolicy | more DEFAULT read_priv_set=none write_priv_set=none ip:* read_priv_set=net_rawaccess write_priv_set=net_rawaccess …
Example 5-1 Viewing the Device Policy for a Specific Device
In this example, the device policy for three devices is displayed.
% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/bge /dev/allkmem read_priv_set=all write_priv_set=all /dev/ipsecesp read_priv_set=sys_net_config write_priv_set=sys_net_config /dev/bge read_priv_set=net_rawaccess write_priv_set=net_rawaccess
By default, the as audit class includes the AUE_MODDEVPLCY audit event.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights.
# auditconfig -getflags current-flags # auditconfig -setflags current-flags,as
For detailed instructions, see How to Preselect Audit Classes.
Applications that retrieve Oracle Solaris IP MIB-II information should open /dev/arp, not /dev/ip.
% getdevpolicy /dev/ip /dev/arp /dev/ip read_priv_set=net_rawaccess write_priv_set=net_rawaccess /dev/arp read_priv_set=none write_priv_set=none
Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.
No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.
|