System Administration Guide: Security Services


A

	`-A` option, `auditreduce` command ( )

	absolute mode
		changing file permissions ( ) ( )
		changing special file permissions ( )
		description ( )
		setting special permissions ( )

	access
		control lists
			See ACL
		getting to server
			with Kerberos ( )
		granting to your account ( ) ( )
		login authentication with Solaris Secure Shell ( )
		obtaining for a specific service ( )
		restricting for
			devices ( ) ( )
			system hardware ( )
		restricting for KDC servers ( )
		`root` access
			displaying attempts on console ( )
			monitoring `su` command attempts ( ) ( )
			preventing login (RBAC) ( )
			restricting ( ) ( )
		Secure RPC authentication ( )
		security
			ACLs ( )
			controlling system usage ( )
			devices ( )
			file access restriction ( )
			firewall setup ( ) ( )
			login access restrictions ( ) ( )
			login authentication ( )
			login control ( )
			monitoring system usage ( ) ( )
			network control ( )
			NFS client-server ( )
			`PATH` variable setting ( )
			peripheral devices ( )
			physical security ( )
			remote systems ( )
			reporting problems ( )
			`root` login tracking ( )
			saving failed logins ( )
			`setuid` programs ( )
			system hardware ( )
			UFS ACLs ( )
		sharing files ( )
		system logins ( )

	access control list
		See ACL

	Access Control Lists (ACLs), See ACL

	ACL
		changing entries ( )
		checking entries ( ) ( )
		commands ( )
		copying ACL entries ( )
		default entries for directories ( ) ( )
		deleting entries ( ) ( )
		description ( ) ( )
		directory entries ( ) ( )
		displaying entries ( ) ( )
		format of entries ( )
		`kadm5.acl` file ( ) ( ) ( )
		modifying entries ( )
		restrictions on copying entries ( )
		setting entries ( )
		setting on a file ( )
		task map ( )
		user procedures ( )
		valid file entries ( )

	`acl` audit token, format ( )

	`add_drv` command, description ( )

	adding
		ACL entries ( )
		administration principals (Kerberos) ( ) ( )
		allocatable device ( )
		attributes to a rights profile ( )
		audit classes ( ) ( )
		audit directories ( )
		audit policy ( )
		auditing of roles ( )
		auditing of zones ( )
		cryptomgt role ( )
		custom roles (RBAC) ( )
		customized role ( )
		DH authentication to mounted file systems ( )
		dial-up passwords ( )
		hardware provider mechanisms and features ( )
		keys for DH authentication ( )
		library plugin ( )
		local user ( )
		new rights profile ( )
		Operator role ( )
		PAM modules ( )
		password encryption module ( )
		plugins to cryptographic framework ( )
		privileges directly to user or role ( )
		privileges to command ( )
		RBAC properties to legacy applications ( )
		rights profiles with Solaris Management Console ( )
		roles
			for particular profiles ( )
			from command line ( )
			to a user ( )
			with limited scope ( )
		security attributes to legacy applications ( )
		security-related role ( )
		security-related roles ( )
		security to devices ( ) ( )
		security to system hardware ( )
		service principal to keytab file (Kerberos) ( )
		software provider ( )
		System Administrator role ( )
		user-level software provider ( )

	`admin_server` section
		`krb5.conf` file ( ) ( )

	administering
		ACLs ( )
		auditing
			audit classes ( ) ( ) ( )
			audit events ( )
			audit files ( )
			audit records ( )
			audit trail overflow prevention ( )
			`auditreduce` command ( )
			cost control ( )
			description ( )
			efficiency ( )
			process preselection mask ( )
			reducing storage-space requirements ( )
			task map ( )
			in zones ( ) ( )
		auditing in zones ( )
		cryptographic framework ( )
		cryptographic framework and zones ( )
		cryptographic framework task map ( )
		device allocation ( )
		device policy ( )
		dial-up logins ( )
		file permissions ( ) ( )
		Kerberos
			keytabs ( )
			policies ( )
			principals ( )
		metaslot ( )
		NFS client-server file security ( )
		password algorithms ( )
		privileges ( )
		properties of a role ( )
		RBAC properties ( )
		remote logins with Solaris Secure Shell ( )
		rights profiles ( )
		role password ( )
		roles ( )
		roles to replace superuser ( )
		Secure RPC task map ( )
		Solaris Secure Shell
			clients ( )
			overview ( )
			servers ( )
			task map ( )
		without privileges ( )

	`administrative (old)` audit class ( )

	`administrative` audit class ( )

	AES kernel provider ( )

	`aes128-cbc` encryption algorithm, `ssh_config` file ( )

	`aes128-ctr` encryption algorithm, `ssh_config` file ( )

	agent daemon, Solaris Secure Shell ( )

	`ahlt` audit policy
		description ( )
		setting ( )

	algorithms
		definition in cryptographic framework ( )
		listing in the cryptographic framework ( )
		password
			configuration ( )
		password encryption ( )

	`all`, in user audit fields ( )

	All (RBAC), rights profile ( )

	`all` audit class
		caution for using ( )
		description ( )

	`allhard` string, `audit_warn` script ( )

	`allocate` command
		allocate error state ( )
		authorizations for ( )
		authorizations required ( )
		description ( )
		tape drive ( )
		user authorization ( )
		using ( )

	allocate error state ( )

	allocating devices
		by users ( )
		forcibly ( )
		task map ( )
		troubleshooting ( )

	`AllowGroups` keyword, `sshd_config` file ( )

	`AllowTcpForwarding` keyword
		changing ( )
		`sshd_config` file ( )

	`AllowUsers` keyword, `sshd_config` file ( )

	`allsoft` string, `audit_warn` script ( )

	`ALTSHELL` in Solaris Secure Shell ( )

	always-audit classes
		`audit_user` database ( )
		process preselection mask ( )

	analysis, `praudit` command ( )

	appending arrow (>>), preventing appending ( )

	`application` audit class ( )

	application server, configuring ( )

	`arbitrary` audit token
		format ( )
		item size field ( )
		print format field ( )

	`arcfour` encryption algorithm, `ssh_config` file ( )

	ARCFOUR kernel provider ( )

	Archive tape drive device-clean script ( )

	archiving, audit files ( )

	`arg` audit token, format ( )

	`arge` audit policy
		and `exec_env` token ( )
		description ( )

	`arge` audit policy, setting ( )

	`argv` audit policy
		and `exec_args` token ( )
		description ( )

	`argv` audit policy, setting ( )

	ASET
		aliases file
			description ( )
			examples ( )
			`UID_ALIASES` variable ( )
		`aset` command
			`-p` option ( )
			interactive version ( )
			starting ( )
		`aset.restore` command ( )
		`ASETDIR` variable ( )
		`asetenv` file ( ) ( )
		`ASETSECLEVEL` variable ( )
		`CKLISTPATH_level` variable ( )
		collecting reports ( )
		configuring ( ) ( )
		description ( ) ( )
		environment file ( )
		environment variables ( )
		error messages ( )
		execution log ( )
		master files ( ) ( ) ( )
		NFS services and ( )
		`PERIODIC_SCHEDULE` variable ( ) ( )
		restoring original system state ( )
		running ASET periodically ( )
		running interactively ( )
		running periodically ( )
		scheduling ASET execution ( ) ( )
		stopping from running periodically ( )
		task map ( )
		`TASKS` variable ( ) ( )
		troubleshooting ( )
		tune file examples ( )
		tune files ( ) ( )
		`uid_aliases` file ( )
		`UID_ALIASES` variable ( ) ( ) ( )
		working directory ( )
		`YPCHECK` variable ( ) ( )

	assigning
		privileges to commands in a rights profile ( )
		privileges to commands in a script ( )
		privileges to user or role ( )
		role to a user ( ) ( )
		role to a user locally ( )

	assuming role
		how to ( ) ( )
		in a terminal window ( )
		in Solaris Management Console ( )
		Primary Administrator ( )
		`root` ( )
		System Administrator ( )

	asterisk (*)
		checking for in RBAC authorizations ( )
		`device_allocate` file ( ) ( )
		wildcard character
			in ASET ( ) ( )
			in RBAC authorizations ( ) ( )

	`at` command, authorizations required ( )

	at sign (@), `device_allocate` file ( )

	`atq` command, authorizations required ( )

	`attribute` audit token ( )

	attributes, keyword in BART ( )

	audio devices, security ( )

	`audit administration` audit class ( )

	audit characteristics
		audit ID ( )
		process preselection mask ( )
		processes ( )
		session ID ( )
		terminal ID ( )
		user process preselection mask ( )

	`audit_class` file
		adding a class ( )
		description ( )
		troubleshooting ( )

	audit class preselection, effect on public objects ( )

	audit classes
		adding ( )
		definitions ( )
		description ( ) ( )
		entries in `audit_control` file ( )
		exceptions in `audit_user` database ( )
		exceptions to system-wide settings ( )
		mapping events ( )
		modifying default ( )
		overview ( )
		prefixes ( )
		preselecting ( )
		preselection ( )
		process preselection mask ( )
		setting system-wide ( )
		syntax ( ) ( )
		system-wide ( )

	`audit` command
		description ( )
		preselection mask for existing processes (`-s` option) ( )
		rereading audit files (`-s` option) ( )
		resetting directory pointer (`-n` option) ( )
		updating audit service ( )
		verifying syntax of `audit_control` file (`-v` option) ( )

	audit configuration file, See `audit_control` file

	`audit_control` file
		audit daemon rereading after editing ( )
		changing kernel mask for nonattributable events ( )
		configuring ( )
		description ( )
		entries ( )
		entries and zones ( )
		examples ( )
		exceptions to `flags` in `audit_user` database ( )
		`flags` line
			process preselection mask ( )
		`minfree` warning ( )
		`plugin` line ( )
		prefixes in `flags` line ( )
		syntax problem ( )
		system-wide audit ( )
		verifying classes ( )
		verifying syntax ( )

	Audit Control rights profile ( )

	audit daemon, See `auditd` daemon

	audit directory
		creating ( )
		description ( )
		partitioning for ( )
		sample structure ( )

	`audit_event` file
		changing class membership ( )
		description ( )
		removing events safely ( )

	audit events
		`audit_event` file ( )
		changing class membership ( )
		description ( )
		mapping to classes ( )
		selecting from audit trail ( )
		selecting from audit trail in zones ( )
		summary ( )
		viewing from binary files ( )

	audit files
		`auditreduce` command ( )
		combining ( ) ( )
		configuring ( )
		copying messages to single file ( )
		limiting size of ( )
		managing ( )
		minimum free space for file systems ( )
		names ( ) ( )
		order for opening ( )
		partitioning disk for ( )
		printing ( )
		reducing ( ) ( )
		reducing storage-space requirements ( ) ( )
		switching to new file ( )
		time stamps ( ) ( )

	audit ID
		mechanism ( )
		overview ( )

	audit logs
		See also audit files
		comparing binary and textual ( )
		configuring textual audit logs ( )
		in text ( )
		modes ( )

	audit messages, copying to single file ( )

	`audit.notice` entry, `syslog.conf` file ( )

	audit plugins, summary ( )

	audit policy
		audit tokens from ( )
		defaults ( )
		description ( )
		effects of ( )
		`public` ( )
		setting ( )
		setting `ahlt` ( )
		setting `arge` ( )
		setting `argv` ( )
		setting in global zone ( ) ( )
		setting `perzone` ( )
		that does not affect tokens ( )
		tokens added by ( )
		updating dynamically ( )

	audit prerequisite, correctly configured `hosts` database ( )

	audit preselection mask
		modifying for existing users ( )
		modifying for individual users ( )

	audit records
		audit directories full ( ) ( )
		converting to readable format ( ) ( ) ( )
		description ( )
		displaying ( )
		displaying formats of
			procedure ( )
			summary ( )
		displaying formats of a program ( )
		displaying formats of an audit class ( )
		displaying in XML format ( )
		events that generate ( )
		format ( )
		formatting example ( )
		merging ( )
		overview ( )
		reducing audit files ( )
		sequence of tokens ( )
		`syslog.conf` file ( )
		`/var/adm/auditlog` file ( )

	Audit Review rights profile ( )

	audit session ID ( )

	`audit_startup` script
		configuring ( )
		description ( )

	audit threshold ( )

	audit tokens
		See also individual audit token names
		added by audit policy ( )
		audit record format ( )
		description ( ) ( )
		format ( )
		list of ( )
		new in current release ( )

	audit trail
		analysis costs ( )
		analysis with `praudit` command ( )
		cleaning up not terminated files ( )
		creating
			`auditd` daemon's role ( )
		description ( )
		effect of audit policy on ( )
		events included ( )
		merging all files ( )
		monitoring in real time ( )
		no public objects ( )
		overview ( )
		preventing overflow ( )
		selecting events from ( )
		viewing events from ( )
		viewing events from different zones ( )

	`audit_user` database
		exception to system-wide audit classes ( )
		prefixes for classes ( )
		process preselection mask ( )
		specifying user exceptions ( )
		user audit fields ( )

	`audit_user` file, verifying classes ( )

	`audit_warn` script
		`auditd` daemon execution of ( )
		conditions invoking ( )
		configuring ( )
		description ( )
		strings ( )

	`auditconfig` command
		audit classes as arguments ( ) ( )
		description ( )
		prefixes for classes ( )
		setting audit policy ( ) ( )

	`auditd` daemon
		audit trail creation ( ) ( )
		`audit_warn` script
			description ( ) ( )
			execution of ( )
		functions ( )
		order audit files are opened ( ) ( )
		plugins loaded by ( )
		rereading information for the kernel ( )
		rereading the `audit_control` file ( ) ( )

	auditing
		all commands by users ( )
		changes in current release ( )
		changes in device policy ( )
		configuring identically for all zones ( )
		configuring in global zone ( ) ( )
		configuring per-zone ( )
		device allocation ( )
		disabling ( )
		enabling ( )
		finding changes to specific files ( )
		`hosts` database prerequisite ( )
		logins ( )
		planning ( )
		planning in zones ( ) ( )
		preselection definition ( )
		privileges and ( )
		rights profiles for ( )
		roles ( )
		`sftp` file transfers ( )
		troubleshooting ( )
		troubleshooting `praudit` command ( )
		updating information ( )
		zones and ( ) ( )

	`auditlog` file, text audit records ( )

	`auditreduce` command ( )
		`-c` option ( )
		`-O` option ( )
		cleaning up audit files ( )
		description ( )
		examples ( )
		filtering options ( )
		merging audit records ( )
		options ( )
		selecting audit records ( )
		timestamp use ( )
		trailer tokens, and ( )
		using lowercase options ( )
		using uppercase options ( )
		without options ( )

	`auth_attr` database
		description ( )
		summary ( )

	`AUTH_DES` authentication, See `AUTH_DH` authentication

	`AUTH_DH` authentication, and NFS ( )

	authentication
		`AUTH_DH` client-server session ( )
		configuring cross-realm ( )
		description ( )
		DH authentication ( )
		disabling with `-X` option ( )
		Kerberos and ( )
		name services ( )
		network security ( )
		NFS-mounted files ( ) ( )
		overview of Kerberos ( )
		Secure RPC ( )
		Solaris Secure Shell
			methods ( )
			process ( )
		terminology ( )
		types ( )
		use with NFS ( )

	authentication methods
		GSS-API credentials in Solaris Secure Shell ( )
		host-based in Solaris Secure Shell ( ) ( )
		keyboard-interactive in Solaris Secure Shell ( )
		password in Solaris Secure Shell ( )
		public keys in Solaris Secure Shell ( )
		Solaris Secure Shell ( )

	authenticator
		in Kerberos ( ) ( )

	`authlog` file, saving failed login attempts ( )

	authorizations
		Kerberos and ( )
		types ( )

	authorizations (RBAC)
		checking for wildcards ( )
		checking in privileged application ( )
		commands that require authorizations ( )
		database ( ) ( )
		definition ( )
		delegating ( )
		description ( ) ( )
		for allocating device ( )
		for device allocation ( )
		granularity ( )
		naming convention ( )
		not requiring for device allocation ( )
		`solaris.device.allocate` ( ) ( )
		`solaris.device.revoke` ( )

	`authorized_keys` file, description ( )

	`AuthorizedKeysFile` keyword, `sshd_config` file ( )

	`auths` command, description ( )

	`AUTHS_GRANTED` keyword, `policy.conf` file ( )

	`auto_transition` option, SASL and ( )

	Automated Security Enhancement Tool, See ASET

	automatic login
		disabling ( )
		enabling ( )

	automatically enabling auditing ( )

	automating principal creation ( )

	`auxprop_login` option, SASL and ( )