4. Controlling Access to Devices (Tasks)
Managing Device Allocation (Task Map)
Device allocation restricts or prevents access to peripheral devices. Restrictions are enforced at user allocation time. By default, users must have authorization to access allocatable devices.
If you have already run the bsmconv command to enable auditing, then device allocation is already enabled on your system. For more information, see the bsmconv(1M) man page.
The Primary Administrator role includes the Audit Control rights profile. You can also assign the Audit Control rights profile to a role that you create. To create the role and assign the role to a user, see Example 9-3.
# bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: move aside /etc/rc3.d/S81volmgt.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation files.
The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.
Note - The Volume Management daemon (/etc/rc3.d/S81volmgt) is disabled by this command.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Typically, you would create a rights profile that includes the solaris.device.allocate authorization. Follow the instructions in How to Create or Change a Rights Profile. Give the rights profile appropriate properties, such as the following:
Rights profile name: Device Allocation
Granted authorizations: solaris.device.allocate
Commands with security attributes: mount with the sys_mount privilege, and umount with the sys_mount privilege
Follow the instructions in How to Create and Assign a Role by Using the GUI. Use the following role properties as a guide:
Role name: devicealloc
Role full name: Device Allocator
Role description: Allocates and mounts allocated devices
Rights profile: Device Allocation
This rights profile must be at the top of the list of profiles that are included in the role.
For examples of allocating removable media, see How to Allocate a Device.
Because the Volume Management daemon (vold) is not running, removable media are not automatically mounted. For examples of mounting a device that has been allocated, see How to Mount an Allocated Device.
Device allocation must be enabled for this procedure to succeed. To enable device allocation, see How to Make a Device Allocatable.
The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9-3.
# list_devices device-name
where device-name is one of the following:
audio[n] – Is a microphone and speaker.
fd[n] – Is a diskette drive.
sr[n] – Is a CD-ROM drive.
st[n] – Is a tape drive.
If the list_devices command returns an error message similar to the following, then either device allocation is not enabled, or you do not have sufficient permissions to retrieve the information.
list_devices: No device maps file entry for specified device.
For the command to succeed, enable device allocation and assume a role with the solaris.device.revoke authorization.
Forcible allocation is used when someone has forgotten to deallocate a device. Forcible allocation can also be used when a user has an immediate need for a device.
The user or role must have the solaris.device.revoke authorization.
$ auths
solaris.device.allocate solaris.device.revoke
In this example, the tape drive is forcibly allocated to the user jdoe.
$ allocate -U jdoe
Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. Forcible deallocation is used when a user has forgotten to deallocate a device.
The user or role must have the solaris.device.revoke authorization.
$ auths
solaris.device.allocate solaris.device.revoke
In this example, the printer is forcibly deallocated. The printer is now available for allocation by another user.
$ deallocate -f /dev/lp/printer-1
The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9-3.
Change the fifth field in the device entry in the device_allocate file.
audio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
where solaris.device.allocate indicates that a user must have the solaris.device.allocate authorization to use the device.
Example 4-4 Permitting Any User to Allocate a Device
In the following example, any user on the system can allocate any device. The fifth field in every device entry in the device_allocate file has been changed to an at sign (@).
$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;@;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;@;/etc/security/lib/sr_clean
…
Example 4-5 Preventing Some Peripheral Devices From Being Used
In the following example, the audio device cannot be used. The fifth field in the audio device entry in the device_allocate file has been changed to an asterisk (*).
$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
…
Example 4-6 Preventing All Peripheral Devices From Being Used
In the following example, no peripheral device can be used. The fifth field in every device entry in the device_allocate file has been changed to an asterisk (*).
$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;*;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;*;/etc/security/lib/sr_clean
…
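The three examples above all turn on the fifth field of each device_allocate entry. The following added check (not part of the Oracle Solaris documentation or tooling) reads a device_allocate file and reports, per device, whether the entry is open to any user (@), disabled (*), or gated on an authorization, which is the question an auditor asks of a system after such edits. It runs against a constructed sample file rather than the real /etc/security/device_allocate; pass the real path to audit a live system.

```shell
#!/bin/sh
# Constructed sample of /etc/security/device_allocate (not a real system file).
# Field layout: device;type;reserved;reserved;auths;cleaning-program
SAMPLE_DEVICE_ALLOCATE=$(mktemp)
cat > "$SAMPLE_DEVICE_ALLOCATE" <<'EOF'
# comment line, ignored by the parser
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
st0;st;reserved;reserved;solaris.device.allocate,solaris.device.revoke;/etc/security/lib/st_clean
EOF

# Print "<device> <policy>" for every entry: open (@), disabled (*),
# MALFORMED (empty fifth field), or auth:<authorization list>.
device_allocate_policy() {
    file=$1
    while IFS=';' read -r dev type r1 r2 auths clean; do
        case $dev in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case $auths in
            '@') policy=open ;;
            '*') policy=disabled ;;
            '')  policy=MALFORMED ;;
            *)   policy="auth:$auths" ;;
        esac
        printf '%s %s\n' "$dev" "$policy"
    done < "$file"
}

# Policy of a single device, or "unknown" if the file has no entry for it.
device_policy() {
    p=$(device_allocate_policy "$1" | awk -v d="$2" '$1 == d { print $2 }')
    printf '%s\n' "${p:-unknown}"
}

# Devices that any user on the system can allocate.
open_devices() {
    device_allocate_policy "$1" | awk '$2 == "open" { print $1 }'
}

device_allocate_policy "$SAMPLE_DEVICE_ALLOCATE"
```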
By default, the device allocation commands are in the other audit class (ot).
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Add the ot class to the flags line of the audit_control file. The file would appear similar to the following:
# audit_control file
dir:/var/audit
flags:lo,ot
minfree:20
naflags:lo
For detailed instructions, see How to Modify the audit_control File.
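The edit above adds ot to the flags line by hand. The following added helper (not part of the Oracle Solaris documentation or tooling) makes the same change idempotently: it appends a class to the flags line only if the class is not already listed, leaves naflags and the other lines untouched, and creates a flags line if the file has none. It works on a constructed sample audit_control rather than the real /etc/security/audit_control.

```shell
#!/bin/sh
# Constructed sample audit_control (not a real system file).
SAMPLE_AUDIT_CONTROL=$(mktemp)
cat > "$SAMPLE_AUDIT_CONTROL" <<'EOF'
# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo
EOF

# Comma-separated value of the flags: line (empty if there is none).
audit_flags() {
    sed -n 's/^flags://p' "$1"
}

# Add CLASS to the flags: line of FILE unless it is already present.
add_audit_flag() {
    file=$1 class=$2
    current=$(audit_flags "$file")
    case ",$current," in
        *",$class,"*) return 0 ;;          # already audited: nothing to do
    esac
    if grep -q '^flags:' "$file"; then
        tmp=$(mktemp)
        # ${current:+$current,} keeps an empty flags: line from gaining a leading comma
        sed "s/^flags:.*/flags:${current:+$current,}$class/" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'flags:%s\n' "$class" >> "$file"
    fi
}

add_audit_flag "$SAMPLE_AUDIT_CONTROL" ot
cat "$SAMPLE_AUDIT_CONTROL"
```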