- System Administration Guide: Security Services

-a, auditrecord command,

-a option

auditrecord command,

How to Compute a Digest of a File

digest command,

encrypt command,

How to Encrypt and Decrypt a File

Kerberized commands,

How to Compute a MAC of a File

mac command,

absolute mode

changing file permissions

File Permission Modes

How to Change File Permissions in Absolute Mode

changing special file permissions,

How to Change Special File Permissions in Absolute Mode

description,

File Permission Modes

setting special permissions,

File Permission Modes

access

control lists

See ACL

getting to server

with Kerberos,

Gaining Access to a Service Using Kerberos

granting to your account

Granting Access to Your Account

How to Reduce Password Prompts in Solaris Secure Shell

obtaining for a specific service,

Obtaining Access to a Specific Service

restricting for

devices

Controlling Access to Devices

Configuring Device Policy

system hardware,

Controlling Access to System Hardware

restricting for KDC servers,

How to Restrict Access to KDC Servers

root access

displaying attempts on console,

How to Restrict and Monitor Superuser Logins

monitoring su command attempts

Limiting and Monitoring Superuser

How to Monitor Who Is Using the su Command

preventing login (RBAC),

How to Make root User Into a Role

restricting

Restricting root Access to Shared Files

How to Restrict and Monitor Superuser Logins

Secure RPC authentication,

Overview of Secure RPC

security

ACLs,

Using Access Control Lists

controlling system usage,

Controlling Access to Machine Resources

devices,

Configuring Device Policy

file access restriction,

Restricting Access to Data in Files

firewall setup

Firewall Systems

Maintaining Login Control

How to Reduce Password Prompts in Solaris Secure Shell

Maintaining Login Control

monitoring system usage

Monitoring Use of Machine Resources

Monitoring File Integrity

network control,

Controlling Network Access

NFS client-server,

Implementation of Diffie-Hellman Authentication

PATH variable setting,

Setting the PATH Variable

peripheral devices,

Controlling Access to Devices

physical security,

Maintaining Physical Security

remote systems,

Solaris Secure Shell (Overview)

reporting problems,

Reporting Security Problems

root login tracking,

Limiting and Monitoring Superuser

saving failed logins,

How to Monitor Failed Login Attempts

setuid programs,

Restricting setuid Executable Files

system hardware,

Controlling Access to System Hardware

UFS ACLs,

Sharing Files Across Machines

sharing files,

system logins,

Special System Logins

access control list

See ACL

Access Control Lists (ACLs), See ACL

ACL

description

Using Access Control Lists

format of entries,

How to Create a New Kerberos Principal

kadm5.acl file

How to Duplicate a Kerberos Principal

How to Modify the Kerberos Administration Privileges

restrictions on copying entries,

acl audit token, format,

acl Token

active audit policy, temporary audit policy,

How to Manually Configure a Master KDC

add_drv command, description,

Device Policy Commands

adding

administration principals (Kerberos)

How to Configure a KDC to Use an LDAP Data Server

allocatable device,

How to Enable Device Allocation

audcontrol role,

RBAC Database Relationships

audit classes

audit file systems,

audit policy,

auditing

of individual users

How to Lessen the Volume of Audit Records That Are Produced

of roles,

How to Audit Roles

of zones,

Planning Oracle Solaris Auditing (Tasks)

cryptomgt role,

How to Assign a Role

DH authentication to mounted file systems,

Administering Authentication With Secure RPC

dial-up passwords,

How to Create a Dial-Up Password

hardware provider mechanisms and features,

How to Disable Hardware Provider Mechanisms and Features

library plugin,

How to Make root User Into a Role

local user,

new rights profile,

PAM modules,

How to Add a PAM Module

plugins

auditing

cryptographic framework,

How to Manage Third-Party Plugins in KMF

KMF,

privileged users,

How to Create a Privileged User

privileges

directly to user or role,

How to Assign Privileges to a User or Role

to command,

How to Add Privileges to a Command

RBAC properties

to legacy applications,

roles,

How to Create a Role

security attributes

to legacy applications,

How to Change the Properties of a Role

to roles,

to users,

How to Change the RBAC Properties of a User

security-related role,

How to Assign a Role

security to devices

How to Change the Device Policy on an Existing Device

Managing Device Allocation

security to system hardware,

How to Require a Password for Hardware Access

service principal to keytab file (Kerberos),

How to Add a Kerberos Service Principal to a Keytab File

software provider,

temporary audit policy,

user-level software provider,

How to Manually Configure a Master KDC

admin_server section

krb5.conf file

How to Configure a KDC to Use an LDAP Data Server

administering

auditing

audit -s command

audit -t command,

audit classes,

audit events,

audit files,

Audit Records and Audit Tokens

audit records,

audit_remote plugin,

audit_syslog plugin,

audit trail overflow prevention,

auditconfig command

auditreduce command,

Configuring the Audit Service (Task Map)

configuring,

cost control,

Controlling Auditing Costs

description,

How is Auditing Configured?

disabling,

efficiency,

Auditing Efficiently

enabling,

policy,

praudit command,

queue controls,

Cost of Storage of Audit Data

reducing space requirements,

refreshing,

resetting to defaults,

rights profiles required,

Oracle Solaris Auditing (Task Map)

task map,

in zones

Auditing on a System With Zones

Configuring the Audit Service in Zones (Tasks)

zones,

auditing in zones,

How to Plan Auditing in Zones

cryptographic framework and zones,

Cryptographic Services and Zones

cryptographic framework commands,

Administrative Commands in the Oracle Solaris Cryptographic Framework

cryptographic framework task map,

Administering the Cryptographic Framework

device allocation,

Managing Device Allocation (Task Map)

device policy,

Configuring Device Policy (Task Map)

dial-up logins,

How to Create a Dial-Up Password

file permissions

Protecting Files (Task Map)

Protecting Files With UNIX Permissions (Task Map)

Kerberos

keytabs,

Administering Keytab Files

policies,

Administering Kerberos Policies

principals,

Administering Kerberos Principals

metaslot,

Administrative Commands in the Oracle Solaris Cryptographic Framework

NFS client-server file security,

Implementation of Diffie-Hellman Authentication

password algorithms,

Changing the Password Algorithm (Task Map)

privileges,

Managing Privileges (Task Map)

RBAC properties,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

remote logins with Solaris Secure Shell,

rights profiles,

How to Enable a User to Use Own Password to Assume a Role

of a user,

role password,

How to Change the Password of a Role

roles to replace superuser,

How to Plan Your RBAC Implementation

Secure RPC task map,

Administering Secure RPC (Task Map)

security properties

of a legacy application,

of a rights profile,

How to Change the Password of a Role

of a role

How to Enable a User to Use Own Password to Assume a Role

How to Change the Properties of a Role

of a user,

How to Change the RBAC Properties of a User

Solaris Secure Shell

clients,

Client Configuration in Solaris Secure Shell

overview,

A Typical Solaris Secure Shell Session

servers,

Server Configuration in Solaris Secure Shell

task map,

Configuring Solaris Secure Shell (Task Map)

user password to assume role,

How to Enable a User to Use Own Password to Assume a Role

user password to use rights profile,

How to Enable a User to Use Own Password to Assume a Role

without privileges,

Administrative Differences on a System With Privileges

administrative (old) audit class,

administrative audit class,

How to Restrict an Administrator to Explicitly Assigned Rights

administrators, restricting rights,

AES kernel provider,

How to List Available Providers

aes128-cbc encryption algorithm, ssh_config file,

aes128-ctr encryption algorithm, ssh_config file,

How to Reduce Password Prompts in Solaris Secure Shell

agent daemon, Solaris Secure Shell,

ahlt audit policy

description,

setting,

Audit Policies for Asynchronous and Synchronous Events

with cnt policy,

algorithms

definition in cryptographic framework,

Terminology in the Oracle Solaris Cryptographic Framework

listing in the cryptographic framework,

How to List Available Providers

password

configuration,

How to Specify an Algorithm for Password Encryption

password encryption,

Password Encryption

All (RBAC), rights profile,

All Rights Profile

all audit class

caution for using,

description,

allhard string, audit_warn script,

allocate command

allocate error state,

Allocate Error State

authorizations required

description,

tape drive,

How to Authorize Users to Allocate a Device

user authorization,

using,

allocate error state,

Allocate Error State

allocating devices

by users,

Forcibly Allocating a Device

forcibly,

task map,

Allocating Devices (Task Map)

troubleshooting,

AllowGroups keyword, sshd_config file,

How to Configure Port Forwarding in Solaris Secure Shell

AllowTcpForwarding keyword

changing,

sshd_config file,

AllowUsers keyword, sshd_config file,

allsoft string, audit_warn script,

Solaris Secure Shell and Login Environment Variables

ALTSHELL in Solaris Secure Shell,

always-audit classes, process preselection mask,

Assigning a Restricted Shell to Users

analysis, praudit command,

praudit Command

antivirus software, See virus scanning

appending arrow (>>), preventing appending,

application audit class,

Configuring Kerberos Network Application Servers

application server, configuring,

arcfour encryption algorithm, ssh_config file,

How to List Available Providers

ARCFOUR kernel provider,

Archive tape drive device-clean script,

device_allocate File

archiving, audit files,

arge audit policy

and exec_env token,

exec_env Token

description,

setting,

argument audit token, format,

argument Token

argv audit policy

and exec_args token,

exec_args Token

description,

setting,

How to Add Privileges to a Command

assigning

privileges to commands in a rights profile,

privileges to commands in a script,

How to Run a Shell Script With Privileged Commands

privileges to user or role,

How to Assign Privileges to a User or Role

rights profile

to a role,

How to Change the Properties of a Role

role to a user locally,

How to Assign a Role

assuming role

how to,

Configuring and Using RBAC

in a terminal window,

How to Assume a Role

root,

How to Assume a Role

System Administrator,

How to Assume a Role

asterisk (*)

checking for in RBAC authorizations,

Authorization Naming Conventions

device_allocate file

device_allocate File

wildcard character

in RBAC authorizations,

asynchronous audit events

Audit Policies for Asynchronous and Synchronous Events

at command, authorizations required,

at sign (@), device_allocate file,

device_allocate File

atq command, authorizations required,

RBAC Database Relationships

attribute audit token,

attribute Token

attributes, keyword in BART,

Rules File Attributes

audcontrol role,

audio devices, security,

Device-Clean Scripts

audit -s command

audit -t command,

audit_binfile plugin,

getting attributes

limiting audit file size,

removing queue size,

setting attributes,

setting free space warning,

audit characteristics

audit ID,

processes,

session ID,

terminal ID,

user process preselection mask,

audit_class file

adding a class,

description,

audit_class File

troubleshooting,

audit class preselection, effect on public objects,

audit classes

adding,

configuration,

Audit Classes

definitions,

description

displaying defaults,

exceptions to system-wide settings,

mapping events,

modifying default,

overview,

post-selection,

prefixes,

preselecting

for failure

for success

for success and failure,

preselection,

process preselection mask,

replacing,

syntax

user exceptions,

audit command

description,

audit Command

refreshing audit service,

-s option,

Audit Configuration rights profile,

auditing a role,

How to Audit Roles

configuring audit policy,

displaying auditing defaults,

preselecting audit classes,

RBAC Database Relationships

Audit Control rights profile

disabling audit service,

enabling audit service,

refreshing audit service,

audit directory

creating file systems for,

default root directory,

description,

sample structure,

How to Change an Audit Event's Class Membership

audit_event file

changing class membership,

description,

How to Prevent the Auditing of Specific Events

removing events safely,

audit event-to-class mappings, changing,

How to Change an Audit Event's Class Membership

audit events

asynchronous,

Audit Policies for Asynchronous and Synchronous Events

audit_event file,

How to Change an Audit Event's Class Membership

changing class membership,

description,

mapping to classes,

How to Prevent the Auditing of Specific Events

removing from audit_event file,

selecting from audit trail,

selecting from audit trail in zones,

summary,

Audit Policies for Asynchronous and Synchronous Events

synchronous,

viewing from binary files,

audit files

auditreduce command,

combining

How to Compress Audit Files on a Dedicated File System

compressing on disk,

copying messages to single file,

creating summary files

How to Limit the Size of Binary Audit Files

limiting size of,

managing,

Binary Audit File Timestamps

names

Binary Audit File Names

printing,

reading with praudit,

reducing

Cost of Storage of Audit Data

reducing space requirements,

reducing storage-space requirements,

Auditing Efficiently

setting aside disk space for,

Binary Audit File Timestamps

time stamps

ZFS file systems

How to Compress Audit Files on a Dedicated File System

audit flags, summary,

audit_flags keyword

specifying user exceptions to audit preselection,

using caret (^) prefix,

audit ID

mechanism,

overview,

What Is Auditing?

audit logs

See also audit files

comparing binary and textual,

Audit Logs

configuring,

Configuring Audit Logs

configuring text summary audit logs,

modes,

Audit Logs

audit.notice entry, syslog.conf file,

audit plugins

audit_binfile plugin

audit_remote plugin,

audit_syslog plugin,

description,

qsize attribute,

summary,

Audit Plugins

audit policy

audit tokens from,

defaults,

description,

displaying defaults,

effects of,

public,

setting,

setting ahlt,

setting arge,

setting argv,

Auditing on a System With Zones

setting in global zone

setting perzone,

that does not affect tokens,

tokens added by,

How to Update a User's Preselection Mask

audit preselection mask

modifying for existing users,

modifying for individual users,

audit queue, events included,

audit queue controls

displaying defaults,

getting,

audit records

audit directories full,

converting to readable format

praudit Command

copying to single file,

description,

displaying,

displaying definitions of

procedure,

displaying formats of

summary,

auditrecord Command

displaying formats of a program,

displaying formats of an audit class,

displaying in XML format,

events that generate,

How Does Auditing Work?

format,

Audit Record Structure

formatting example,

merging,

Audit Records and Audit Tokens

overview,

reducing audit files,

sequence of tokens,

Audit Record Structure

/var/adm/auditlog file,

audit_remote plugin,

getting attributes,

setting attributes,

Audit Review rights profile,

audit service

See also auditing

configuring policy,

configuring queue controls,

Oracle Solaris Audit Service

defaults,

disabling,

enabling

audit Command

policy,

refreshing the kernel,

resetting to defaults,

How to Determine That Oracle Solaris Auditing Is Running

troubleshooting,

audit session ID,

audit_syslog plugin,

setting attributes,

audit tokens

See also individual audit token names

added by audit policy,

audit record format,

Audit Record Structure

description

Audit Records and Audit Tokens

format,

Audit Token Formats

list of,

Audit Token Formats

audit trail

adding disk space,

Cost of Analysis of Audit Data

analysis costs,

analysis with praudit command,

praudit Command

cleaning up not terminated files,

How to Clean Up a not_terminated Audit File

creating

summary files

description,

effect of audit policy,

merging all files,

monitoring in real time,

Auditing Efficiently

no public objects,

overview,

How Does Auditing Work?

preventing overflow,

How to Lessen the Volume of Audit Records That Are Produced

reducing size of

How to Compress Audit Files on a Dedicated File System

selecting events from,

sending files to remote repository,

viewing events from,

viewing events from different zones,

audit utilization audit class,

audit_warn script

conditions invoking,

How to Configure the audit_warn Email Alias

configuring,

description,

strings,

auditconfig command

adding audit directories,

audit classes as arguments,

configuring policy,

configuring queue controls,

description,

auditconfig Command

displaying audit defaults,

-getplugin option

policy options,

prefixes for classes,

preselecting audit classes,

queue control options,

sending files to remote repository,

-setflags option,

-setnaflags option,

-setplugin option

setting active audit policy,

setting audit_binfile attributes,

setting audit policy,

setting audit policy temporarily,

setting audit_remote attributes,

setting system-wide audit parameters,

viewing default audit preselection,

auditd daemon

audit trail creation,

Audit Trail

audit_warn script

description

refreshing audit service

refreshing the kernel,

auditing

all commands by users,

Oracle Solaris Auditing Enhancements in the Oracle Solaris 11 Express Release

changes in current release,

changes in device policy,

How to Audit Changes in Device Policy

configuring

all zones,

Configuring the Audit Service (Tasks)

global zone,

How to Configure All Zones Identically for Auditing

identically for all zones,

per zone,

How to Configure Per-Zone Auditing

configuring in global zone,

How to Plan Auditing in Zones

defaults,

Oracle Solaris Audit Service

determining if running,

How to Determine That Oracle Solaris Auditing Is Running

device allocation,

How to Audit Device Allocation

disabling,

enabling,

How to Find Audit Records of Changes to Specific Files

finding changes to specific files,

getting queue controls,

hosts database prerequisite,

How to Audit Logins From Other Operating Systems

logins,

planning,

Planning Oracle Solaris Auditing (Tasks)

planning in zones

How to Plan Auditing in Zones

plugin modules,

post-selection definition,

prerequisite

hosts database correctly configure,

preselection definition,

privileges and,

Privileges and Auditing

removing user-specific audit flags,

resetting to defaults,

rights profiles for,

roles,

How to Audit Roles

setting queue controls,

How to Audit FTP and SFTP File Transfers

sftp file transfers,

troubleshooting,

Troubleshooting the Audit Service (Task Map)

troubleshooting praudit command,

updating information

users only,

Auditing on a System With Zones

zones and

auditlog file, text audit records,

auditrecord command

[] (square brackets) in output,

Audit Record Analysis

description,

auditrecord Command

displaying audit record definitions,

example,

listing all formats,

listing formats of class,

listing formats of program,

optional tokens ([]),

Audit Record Analysis

auditreduce command,

-A option,

-b option,

-C option,

-c option

How to Clean Up a not_terminated Audit File

cleaning up audit files,

-D option,

-d option,

description,

-e option,

examples,

filtering options,

finding events in a specified file,

-M option,

merging audit records,

-O option

options,

selecting audit records,

Binary Audit File Timestamps

timestamp use,

trailer tokens, and,

trailer Token

using lowercase options,

using uppercase options,

without options,

Databases That Support RBAC

auditstat command, description,

auditstat Command

auth_attr database

description,

auth_attr Database

summary,

AUTH_DES authentication, See AUTH_DH authentication

AUTH_DH authentication, and NFS,

NFS Services and Secure RPC

authentication

AUTH_DH client-server session,

Implementation of Diffie-Hellman Authentication

configuring cross-realm,

Configuring Cross-Realm Authentication

description,

Diffie-Hellman Authentication and Secure RPC

DH authentication,

disabling with -X option,

What Is the Kerberos Service?

Kerberos and,

naming services,

Overview of Secure RPC

network security,

How to Share NFS Files With Diffie-Hellman Authentication

NFS-mounted files

overview of Kerberos,

How the Kerberos Authentication System Works

Secure RPC,

Overview of Secure RPC

Solaris Secure Shell

methods,

Authentication and Key Exchange in Solaris Secure Shell

process,

terminology,

Authentication-Specific Terminology

types,

NFS Services and Secure RPC

use with NFS,

authentication methods

GSS-API credentials in Solaris Secure Shell,

host-based in Solaris Secure Shell

How to Set Up Host-Based Authentication for Solaris Secure Shell

keyboard-interactive in Solaris Secure Shell,

password in Solaris Secure Shell,

public keys in Solaris Secure Shell,

Solaris Secure Shell,

Authentication-Specific Terminology

authenticator

in Kerberos

Obtaining a Credential for a Server

authlog file, saving failed login attempts,

How to Monitor All Failed Login Attempts

authorizations

device allocation,

Device Allocation Rights Profiles

Kerberos and,

What Is the Kerberos Service?

troubleshooting,

How to Troubleshoot RBAC and Privilege Assignment

types,

authorizations (RBAC)

checking for wildcards,

Applications That Check Authorizations

checking in privileged application,

commands that require authorizations,

Databases That Support RBAC

database

auth_attr Database

definition,

RBAC Authorizations

delegating,

Delegation Authority in Authorizations

description

Oracle Solaris RBAC Elements and Basic Concepts

Authorization Naming and Delegation

for allocating device,

How to Authorize Users to Allocate a Device

for device allocation,

Example of Authorization Granularity

granularity,

naming convention,

Authorization Naming Conventions

not requiring for device allocation,

How to Change Which Devices Can Be Allocated

solaris.device.allocate

How to Authorize Users to Allocate a Device

solaris.device.revoke,

Solaris Secure Shell Files

authorized_keys file, description,

AuthorizedKeysFile keyword, sshd_config file,

Commands That Manage RBAC

auths command, description,

AUTHS_GRANTED keyword, policy.conf file,

policy.conf File

auto_transition option, SASL and,

SASL Options

automatic login

disabling,

enabling,