JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

Configuring Devices (Task Map)

Configuring Device Policy (Task Map)

Configuring Device Policy

How to View Device Policy

How to Change the Device Policy on an Existing Device

How to Audit Changes in Device Policy

How to Retrieve IP MIB-II Information From a /dev/* Device

Managing Device Allocation (Task Map)

Managing Device Allocation

How to Make a Device Allocatable

How to Authorize Users to Allocate a Device

How to View Allocation Information About a Device

Forcibly Allocating a Device

Forcibly Deallocating a Device

How to Change Which Devices Can Be Allocated

How to Audit Device Allocation

Allocating Devices (Task Map)

Allocating Devices

How to Allocate a Device

How to Mount an Allocated Device

How to Deallocate a Device

Device Protection (Reference)

Device Policy Commands

Device Allocation

Components of Device Allocation

Device Allocation Commands

Allocate Error State

device_maps File

device_allocate File

Device-Clean Scripts

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Oracle Solaris Secure Shell (Tasks)

20.  Oracle Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

Configuring Device Policy

Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.

How to View Device Policy

Example 4-1 Viewing the Device Policy for a Specific Device

In this example, the device policy for three devices is displayed.

% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/hme
/dev/allkmem
        read_priv_set=all
        write_priv_set=all
/dev/ipsecesp
        read_priv_set=sys_net_config
        write_priv_set=sys_net_config
/dev/hme
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess

How to Change the Device Policy on an Existing Device

  1. Assume a role that includes the Device Security rights profile, or become superuser.

    The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9-3.

  2. Add policy to a device.
    # update_drv -a -p policy device-driver
    -a

    Specifies a policy for device-driver.

    -p policy

    Is the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device.

    device-driver

    Is the device driver.

    For more information, see the update_drv(1M) man page.

Example 4-2 Adding Policy to an Existing Device

In the following example, device policy is added to the ipnat device.

# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=none
        write_priv_set=none
# update_drv -a \
-p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess

Example 4-3 Removing Policy From a Device

In the following example, the read set of privileges is removed from the device policy for the ipnat device.

# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess
# update_drv -a -p write_priv_set=net_rawaccess ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=none
        write_priv_set=net_rawaccess

How to Audit Changes in Device Policy

By default, the as audit class includes the AUE_MODDEVPLCY audit event.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Preselect the audit class that includes AUE_MODDEVPLCY audit event.

    Add the as class to the flags line of the audit_control file. The file would appear similar to the following:

    # audit_control file
    dir:/var/audit
    flags:lo,as
    minfree:20
    naflags:lo

    For detailed instructions, see How to Modify the audit_control File.

How to Retrieve IP MIB-II Information From a /dev/* Device

Applications that retrieve Oracle Solaris IP MIB-II information should open /dev/arp, not /dev/ip.

  1. Determine the device policy on /dev/ip and /dev/arp.
    % getdevpolicy /dev/ip /dev/arp
    /dev/ip
            read_priv_set=net_rawaccess
            write_priv_set=net_rawaccess
    /dev/arp
            read_priv_set=none
            write_priv_set=none

    Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.

  2. Open /dev/arp and push the tcp and udp modules.

    No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.