- System Administration Guide: Security Services

Overview of Kerberized Commands

-s option

audit command,

auditd Daemon

praudit command,

praudit Command

safe protection level,

SASL

environment variable,

SASL Environment Variable

options,

SASL Options

overview,

SASL (Overview)

plug-ins,

SASL Plug-ins

saslauthd_path option, SASL and,

SASL Options

saving, failed login attempts,

How to Monitor Failed Login Attempts

scope (RBAC), description,

Name Service Scope and RBAC

scp command

copying files with,

description,

scripts

audit_startup script,

audit_startup Script

audit_warn script,

How to Make a Device Allocatable

bsmconv effect,

system File

bsmconv for device allocation,

bsmconv script,

bsmconv Script

bsmconv to enable auditing,

How to Enable the Audit Service

checking for RBAC authorizations,

How to Add RBAC Properties to Legacy Applications

device-clean scripts

See also device-clean scripts

for cleaning devices,

Assigning Privileges to a Script

monitoring audit files example,

Auditing Efficiently

processing praudit output,

praudit Command

running with privileges,

securing,

How to Add RBAC Properties to Legacy Applications

use of privileges in,

How to Run a Shell Script With Privileged Commands

SCSI devices, st_clean script,

device_allocate File

SEAM Tool

and limited administration privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

and list privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

and X Window system,

Command-Line Equivalents of the SEAM Tool

command-line equivalents,

Command-Line Equivalents of the SEAM Tool

context-sensitive help,

How to Create a New Kerberos Principal

creating a new policy

How to Create a New Kerberos Policy

creating a new principal,

How to Create a New Kerberos Principal

default values,

How to Start the SEAM Tool

deleting a principal,

How to Delete a Kerberos Principal

deleting policies,

How to Delete a Kerberos Policy

displaying sublist of principals,

How to View the List of Kerberos Principals

duplicating a principal,

How to Duplicate a Kerberos Principal

files modified by,

The Only File Modified by the SEAM Tool

Filter Pattern field,

How to View the List of Kerberos Principals

gkadmin command,

Ways to Administer Kerberos Principals and Policies

.gkadmin file,

The Only File Modified by the SEAM Tool

help,

Help Contents,

Using the SEAM Tool With Limited Kerberos Administration Privileges

how affected by privileges,

kadmin command,

Ways to Administer Kerberos Principals and Policies

How to Start the SEAM Tool

modifying a policy,

How to Modify a Kerberos Policy

modifying a principal,

How to Modify a Kerberos Principal

online help,

SEAM Tool Panel Descriptions

or kadmin command,

SEAM Tool

overview,

SEAM Tool

panel descriptions,

privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

setting up principal defaults,

How to Set Up Defaults for Creating New Kerberos Principals

starting,

How to Start the SEAM Tool

table of panels,

SEAM Tool Panel Descriptions

viewing a principal's attributes,

How to View a Kerberos Principal's Attributes

viewing list of policies,

How to View the List of Kerberos Policies

viewing list of principals,

How to View the List of Kerberos Principals

viewing policy attributes,

How to View a Kerberos Policy's Attributes

secondary audit directory,

audit_control File

secret keys

creating

How to Generate a Symmetric Key by Using the dd Command

How to Generate a Symmetric Key by Using the pktool Command

generating

using the dd command,

How to Generate a Symmetric Key by Using the dd Command

using the pktool command,

How to Generate a Symmetric Key by Using the pktool Command

generating for Secure RPC,

Secure by Default installation option,

How to Set Up Default Connections to Hosts Outside a Firewall

secure connection

across a firewall,

logging in,

How to Log In to a Remote Host With Solaris Secure Shell

Secure NFS,

NFS Services and Secure RPC

Secure RPC

alternative,

Authentication and Authorization for Remote Access

and Kerberos,

Kerberos Authentication

description,

Overview of Secure RPC

implementation of,

keyserver,

Authentication and Authorization for Remote Access

overview,

securing

logins task map,

Securing Logins and Passwords (Task Map)

network at installation,

Securing Logins and Passwords (Task Map)

passwords task map,

scripts,

How to Add RBAC Properties to Legacy Applications

security

across insecure network,

How to Set Up Default Connections to Hosts Outside a Firewall

auditing and,

How Is Auditing Related to Security?

BART

Using the Basic Audit Reporting Tool (Tasks)

BART Security Considerations

computing digest of files,

How to Compute a Digest of a File

computing MAC of files,

How to Compute a MAC of a File

cryptographic framework,

Oracle Solaris Cryptographic Framework (Overview)

devices,

Controlling Access to Devices

DH authentication,

How to Encrypt and Decrypt a File

encrypting files,

installation options,

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Kerberos authentication,

key management framework,

Oracle Solaris Key Management Framework

netservices limited installation option,

NFS client-server,

Using the Solaris Security Toolkit

password encryption,

Password Encryption

pointer to JASS toolkit,

policy overview,

Oracle Solaris Security Policy

preventing remote login,

Using Oracle Solaris Resource Management Features

protecting against denial of service,

protecting against Trojan horse,

Setting the PATH Variable

protecting devices,

protecting hardware,

protecting PROM,

Secure by Default,

Using Solaris Secure Shell (Tasks)

Solaris Secure Shell,

system hardware,

Managing Machine Security (Overview)

systems,

security attributes

checking for,

Applications That Check UIDs and GIDs

considerations when directly assigning,

Security Considerations When Directly Assigning Security Attributes

description,

Oracle Solaris RBAC Elements and Basic Concepts

Printer management rights profile,

Oracle Solaris RBAC Elements and Basic Concepts

privileges on commands,

Applications That Check for Privileges

special ID on commands,

Applications That Check UIDs and GIDs

using to mount allocated device,

How to Authorize Users to Allocate a Device

security mechanism, specifying with -m option,

Overview of Kerberized Commands

security modes, setting up environment with multiple,

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

security policy, default (RBAC),

Databases That Support RBAC

security service, Kerberos and,

Kerberos Security Services

selecting

audit classes,

How to Modify the audit_control File

audit records,

How to Select Audit Events From the Audit Trail

events from audit trail,

How to Select Audit Events From the Audit Trail

semicolon (;)

device_allocate file,

device_allocate File

separator of security attributes,

exec_attr Database

sendmail command, authorizations required,

Commands That Require Authorizations

seq audit policy

and sequence token

Determining Audit Policy

sequence Token

description,

Determining Audit Policy

sequence audit token

and seq audit policy,

sequence Token

format,

sequence Token

servers

AUTH_DH client-server session,

Server Configuration in Solaris Secure Shell

configuring for Solaris Secure Shell,

definition in Kerberos,

Gaining Access to a Service Using Kerberos

gaining access with Kerberos,

obtaining credential for,

Obtaining a Credential for a Server

realms and,

Kerberos Servers

service

definition in Kerberos,

How to Temporarily Disable Authentication for a Service on a Host

disabling on a host,

obtaining access for specific service,

Obtaining Access to a Specific Service

service keys

definition in Kerberos,

Administering Keytab Files

keytab files and,

service management facility

enabling keyserver,

How to Add a Software Provider

refreshing cryptographic framework,

restarting cryptographic framework,

How to Refresh or Restart All Cryptographic Services

restarting Solaris Secure Shell,

How to Configure Port Forwarding in Solaris Secure Shell

Service Management Facility (SMF), See SMF

service principal

adding to keytab file

Administering Keytab Files

How to Add a Kerberos Service Principal to a Keytab File

description,

Kerberos Principals

planning for names,

Client and Service Principal Names

removing from keytab file,

How to Remove a Service Principal From a Keytab File

session ID, audit,

Proscess Audit Characteristics

session keys

definition in Kerberos,

How the Kerberos Authentication System Works

Kerberos authentication and,

setfacl command

-d option,

How to Delete ACL Entries From a File

description,

Commands for Administering UFS ACLs

examples,

How to Change ACL Entries on a File

-f option,

How to Copy an ACL

syntax,

How to Add ACL Entries to a File

setgid permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

setgid Permission

security risks,

setgid Permission

symbolic mode,

How to Generate a Passphrase by Using the pktool setpin Command

setpin subcommand, pktool command,

setting

arge policy,

How to Audit All Commands by Users

argv policy,

How to Audit All Commands by Users

audit policy,

How to Configure Audit Policy

principal defaults (Kerberos),

How to Set Up Defaults for Creating New Kerberos Principals

setuid permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

setuid Permission

finding files with permissions set,

How to Find Files With Special File Permissions

security risks

Restricting setuid Executable Files

setuid Permission

symbolic mode,

How to Audit FTP and SFTP File Transfers

sftp command

auditing file transfers,

copying files with,

description,

How to List Available Providers

sh command, privileged version,

Profile Shell in RBAC

SHA1 kernel provider,

sharing files

and network security,

Sharing Files Across Machines

with DH authentication,

How to Share NFS Files With Diffie-Hellman Authentication

shell, privileged versions,

Profile Shell in RBAC

shell commands

/etc/d_passwd file entries,

Dial-Up Logins

passing parent shell process number,

How to Determine the Privileges on a Process

shell process, listing its privileges,

How to Determine the Privileges on a Process

shell scripts, writing privileged,

How to Run a Shell Script With Privileged Commands

short praudit output format,

praudit Command

shosts.equiv file, description,

.shosts file, description,

signal received during auditing shutdown,

Plugins to the Oracle Solaris Cryptographic Framework

signing providers, cryptographic framework,

single-sign-on system,

Kerberos User Commands

Kerberos and,

What Is the Kerberos Service?

size of audit files

reducing

How to Merge Audit Files From the Audit Trail

auditreduce Command

reducing storage-space requirements,

Auditing Efficiently

slave_datatrans file

description,

Kerberos Files

KDC propagation and,

Backing Up and Propagating the Kerberos Database

slave_datatrans_slave file, description,

Kerberos Files

slave KDCs

configuring,

Kerberos-Specific Terminology

definition,

master KDC and,

Kerberos Servers

or master,

Configuring KDC Servers

planning for,

The Number of Slave KDCs

swapping with master KDC,

Swapping a Master KDC and a Slave KDC

slot, definition in cryptographic framework,

Terminology in the Oracle Solaris Cryptographic Framework

smartcard documentation, pointer to,

Authentication Services

smattrpop command, description,

smexec command, description,

Administrative Commands in the Oracle Solaris Cryptographic Framework

SMF

See also service management facility

cryptographic framework service,

kcfd service,

Administrative Commands in the Oracle Solaris Cryptographic Framework

managing Secure by Default configuration,

How to Configure Port Forwarding in Solaris Secure Shell

ssh service,

smmultiuser command, description,

How to Create or Change a Rights Profile

smprofile command

changing rights profile,

description,

How to Change the Password of a Role

smrole command

changing properties of role

How to Change the Properties of a Role

description,

How to Create a Role From the Command Line

using,

smuser command

changing user's RBAC properties,

How to Change the RBAC Properties of a User

description,

socket audit token,

socket Token

soft limit

audit_warn condition,

minfree line description,

audit_control File

soft string, audit_warn script,

Solaris Auditing (Task Map)

Solaris auditing task map,

solaris.device.revoke authorization,

Device Allocation Commands

Solaris Secure Shell

adding to system,

Solaris Secure Shell Packages and Initialization

administering,

A Typical Solaris Secure Shell Session

administrator task map

Solaris Secure Shell (Task Map)

Configuring Solaris Secure Shell (Task Map)

authentication

requirements for,

Solaris Secure Shell Authentication

authentication methods,

Solaris Secure Shell Authentication

authentication steps,

Authentication and Key Exchange in Solaris Secure Shell

basis from OpenSSH,

Solaris Secure Shell and the OpenSSH Project

changes in current release,

Solaris Secure Shell and the OpenSSH Project

changing passphrase,

How to Change the Passphrase for a Solaris Secure Shell Private Key

command execution,

Command Execution and Data Forwarding in Solaris Secure Shell

configuring clients,

Client Configuration in Solaris Secure Shell

configuring port forwarding,

How to Configure Port Forwarding in Solaris Secure Shell

configuring server,

Server Configuration in Solaris Secure Shell

connecting across a firewall,

How to Set Up Default Connections to Hosts Outside a Firewall

connecting outside firewall

from command line,

How to Set Up Default Connections to Hosts Outside a Firewall

from configuration file,

How to Set Up Default Connections to Hosts Outside a Firewall

copying files,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

creating keys,

data forwarding,

Command Execution and Data Forwarding in Solaris Secure Shell

description,

Solaris Secure Shell (Overview)

files,

forwarding mail,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

generating keys,

keywords,

local port forwarding

How to Reduce Password Prompts in Solaris Secure Shell

logging in fewer prompts,

logging in to remote host,

How to Log In to a Remote Host With Solaris Secure Shell

Solaris Secure Shell and Login Environment Variables

naming identity files,

Solaris Secure Shell Packages and Initialization

packages,

protocol versions,

Solaris Secure Shell (Overview)

public key authentication,

Solaris Secure Shell Authentication

remote port forwarding,

scp command,

How to Configure Port Forwarding in Solaris Secure Shell

TCP and,

typical session,

A Typical Solaris Secure Shell Session

user procedures,

Using Solaris Secure Shell (Task Map)

using port forwarding,

How to Reduce Password Prompts in Solaris Secure Shell

using without password,

solaris security policy,

exec_attr Database

special permissions

setgid permissions,

setgid Permission

setuid permissions,

setuid Permission

sticky bit,

Sticky Bit

square brackets ([]), bsmrecord output,

Audit Record Analysis

sr_clean script, description,

ssh-add command

description,

How to Reduce Password Prompts in Solaris Secure Shell

example

storing private keys,

How to Reduce Password Prompts in Solaris Secure Shell

ssh-agent command

configuring for CDE,

How to Set Up the ssh-agent Command to Run Automatically in CDE

description,

How to Reduce Password Prompts in Solaris Secure Shell

from command line,

in scripts,

How to Set Up the ssh-agent Command to Run Automatically in CDE

ssh command

description,

overriding keyword settings,

port forwarding options,

How to Log In to a Remote Host With Solaris Secure Shell

using,

using a proxy command,

How to Set Up Default Connections to Hosts Outside a Firewall

.ssh/config file

description,

override,

Client Configuration in Solaris Secure Shell

ssh_config file

configuring Solaris Secure Shell,

host-specific parameters,

Host-Specific Parameters in Solaris Secure Shell

keywords,

See specific keyword

override,

.ssh/environment file, description,

ssh_host_dsa_key file, description,

ssh_host_dsa_key.pub file, description,

ssh_host_key file

description,

override,

ssh_host_key.pub file, description,

ssh_host_rsa_key file, description,

ssh_host_rsa_key.pub file, description,

.ssh/id_dsa file,

.ssh/id_rsa file,

.ssh/identity file,

ssh-keygen command

description,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

using,

ssh-keyscan command, description,

ssh-keysign command, description,

.ssh/known_hosts file

description,

override,

ssh_known_hosts file,

.ssh/rc file, description,

sshd command, description,

sshd_config file

description,

keywords,

Solaris Secure Shell and Login Environment Variables

See specific keyword

overrides of /etc/default/login entries,

sshd.pid file, description,

sshrc file, description,

st_clean script

description,

for tape drives,

device_allocate File

standard cleanup, st_clean script,

Automated Security Enhancement Tool (ASET)

starting

ASET from shell,

ASET interactively,

How to Run ASET Interactively

audit daemon,

How to Update the Audit Service

auditing,

How to Enable the Audit Service

device allocation,

How to Make a Device Allocatable

KDC daemon

How to Configure a Slave KDC to Use Full Propagation

running ASET periodically,

How to Run ASET Periodically

Secure RPC keyserver,

stash file

creating

How to Configure a Slave KDC to Use Full Propagation

definition,

Kerberos-Specific Terminology

sticky bit permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

Sticky Bit

symbolic mode,

How to Temporarily Disable Dial-Up Logins

stopping, dial-up logins temporarily,

storage costs, and auditing,

Cost of Storage of Audit Data

storage overflow prevention, audit trail,

How to Prevent Audit Trail Overflow

storing

audit files

How to Plan Storage for Audit Records

How to Create Partitions for Audit Files

passphrase,

How to Encrypt and Decrypt a File

StrictHostKeyChecking keyword, ssh_config file,

StrictModes keyword, sshd_config file,

su command

displaying access attempts on console,

How to Assume a Role in a Terminal Window

in role assumption

How to Assume a Role in the Solaris Management Console

monitoring use,

su file, monitoring su command,

subject audit token, format,

subject Token

Subsystem keyword, sshd_config file,

success

audit class prefix,

Audit Class Syntax

turning off audit classes for,

Audit Class Syntax

sufficient control flag, PAM,

How PAM Stacking Works

sulog file,

monitoring contents of,

How to Disable Hardware Provider Mechanisms and Features

Sun Crypto Accelerator 1000 board, listing mechanisms,

Sun Crypto Accelerator 6000 board

hardware plugin to cryptographic framework,

Oracle Solaris Cryptographic Framework

listing mechanisms,

How to List Hardware Providers

SUPATH in Solaris Secure Shell,

Solaris Secure Shell and Login Environment Variables

superuser

compared to privilege model,

Privileges (Overview)

compared to RBAC model,

RBAC: An Alternative to the Superuser Model

differences from privilege model,

Administrative Differences on a System With Privileges

eliminating in RBAC,

RBAC Roles

monitoring access attempts,

How to Make root User Into a Role

troubleshooting becoming root as a role,

troubleshooting remote access,

Scope of the Oracle Solaris Cryptographic Framework

suser security policy,

exec_attr Database

svcadm command

administering cryptographic framework

Administrative Commands in the Oracle Solaris Cryptographic Framework

enabling cryptographic framework,

How to Refresh or Restart All Cryptographic Services

enabling keyserver daemon,

How to Add a Software Provider

refreshing cryptographic framework,

restarting

Solaris Secure Shell,

How to Configure Port Forwarding in Solaris Secure Shell

syslog daemon,

How to Create and Assign a Role by Using the GUI

restarting name service,

restarting NFS server,

How to Create Partitions for Audit Files

restarting syslog daemon,

How to Configure syslog Audit Logs

svcs command

listing cryptographic services,

How to Refresh or Restart All Cryptographic Services

listing keyserver service,

Swapping a Master KDC and a Slave KDC

swapping master and slave KDCs,

symbolic links, file permissions,

UNIX File Permissions

symbolic mode

changing file permissions

How to Change File Permissions in Symbolic Mode

description,

How to Manually Configure a Master KDC

synchronizing clocks

master KDC

How to Configure a KDC to Use an LDAP Data Server

overview,

Synchronizing Clocks Between KDCs and Kerberos Clients

slave KDC

How to Configure a Slave KDC to Use Full Propagation

SYS privileges,

Privilege Descriptions

sysconf.rpt file

System Configuration Files Check

Format of ASET Report Files

syslog.conf file

and auditing,

syslog.conf File

audit.notice level,

How to Configure syslog Audit Logs

audit records,

How Does Auditing Work?

executable stack messages,

Preventing Executable Files From Compromising Security

kern.notice level,

Preventing Executable Files From Compromising Security

priv.debug entry,

Files With Privilege Information

saving failed login attempts,

Solaris Secure Shell and Login Environment Variables

SYSLOG_FAILED_LOGINS

in Solaris Secure Shell,

system variable,

syslog format, audit records,

syslog.conf File

SyslogFacility keyword, sshd_config file,

How to Assume a Role in a Terminal Window

System Administrator (RBAC)

assuming role,

creating role,

How to Create and Assign a Role by Using the GUI

protecting hardware,

How to Require a Password for Hardware Access

recommended role,

RBAC: An Alternative to the Superuser Model

rights profile,

System Administrator Rights Profile

system calls

arg audit token,

arg Token

close,

exec_args audit token,

exec_args Token

exec_env audit token,

exec_env Token

ioctl(),

ioctl to clean audio device,

return audit token,

return Token

system file, bsmconv effect on,

system File

system hardware, controlling access to,

Managing Machine Security (Overview)

system properties, privileges relating to,

Privilege Descriptions

system security

access,

dial-up logins and passwords,

Dial-Up Logins

dial-up passwords

disabling temporarily,

How to Temporarily Disable Dial-Up Logins

displaying

user's login status

How to Display a User's Login Status

users with no passwords,

How to Display Users Without Passwords

firewall systems,

Firewall Systems

hardware protection

Maintaining Physical Security

Maintaining Login Control

machine access,

Maintaining Physical Security

overview

Managing Machine Security (Overview)

Controlling Access to a Computer System

password encryption,

Password Encryption

passwords,

Managing Password Information

privileges,

Privileges (Overview)

protecting from risky programs,

Protecting Against Programs With Security Risk (Task Map)

restricted shell

Assigning a Restricted Shell to Users

restricting remote root access,

Configuring Role-Based Access Control to Replace Superuser

role-based access control (RBAC)

RBAC: An Alternative to the Superuser Model

root access restrictions

Restricting root Access to Shared Files

How to Monitor Failed Login Attempts

saving failed login attempts,

special logins,

Special System Logins

su command monitoring

Limiting and Monitoring Superuser

Protecting Against Programs With Security Risk (Task Map)

task map,

UFS ACLS,

Using Access Control Lists to Protect UFS Files

system state audit class,

System V IPC

ipc audit class,

How to Specify an Algorithm for Password Encryption

ipc audit token,

ipc Token

ipc_perm audit token,

ipc_perm Token

privileges,

Privilege Descriptions

system variables

See also variables

CRYPT_DEFAULT,

KEYBOARD_ABORT,

How to Disable a System's Abort Sequence

noexec_user_stack,

How to Disable Programs From Using Executable Stacks

noexec_user_stack_log,

How to Disable Programs From Using Executable Stacks

rstchown,

How to Change the Owner of a File

SYSLOG_FAILED_LOGINS,

system-wide administration audit class,