Securing the System

The following tasks are best performed in order. At this point, the Oracle Solaris OS is installed and only the initial user who can assume the root role has access to the system.

Task	Description	For Instructions
1. Verify the packages on the system.	Checks that the packages from the installation media are identical to the installed packages.	How to Verify Your Packages
2. Safeguard the hardware settings on the system.	Protects hardware by requiring a password to change hardware settings.	Controlling Access to System Hardware (Tasks) in Oracle Solaris 11.1 Administration: Security Services
3. Disable unneeded services.	Prevents processes that are not part of the system's required functions from running.	How to Disable Unneeded Services
5. Prevent the workstation owner from powering down the system.	Prevents the Console User from shutting down or suspending the system.	How to Remove Power Management Capability From Users
6. Create a login warning message that reflects your site's security policy.	Notifies users and would-be attackers that the system is monitored.	How to Place a Security Message in Banner Files How to Place a Security Message on the Desktop Login Screen

How to Verify Your Packages

Immediately after installation, validate the installation by verifying your packages.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

Run the pkg verify command.
To keep a record, send the command output to a file.
```
# pkg verify > /var/pkgverifylog
```
Review the log for any errors.
If you find errors, reinstall from the media or fix the errors.

How to Disable Unneeded Services

Use this procedure to disable services that are not required, given the purpose of your system.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

List the online services.

# svcs | grep network
online         Sep_07   svc:/network/loopback:default
...
online         Sep_07   svc:/network/ssh:default

Disable the services that are not required by this system.
For example, if the system is not an NFS server or a web server and the services are online, disable them.
```
# svcadm disable svc:/network/nfs/server:default
# svcadm disable svc:/network/http:apache22
```

How to Remove Power Management Capability From Users

Use this procedure to prevent users of this system from suspending the system or powering it down.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

Review the contents of the Console User rights profile.

% getent prof_attr | grep Console
Console User:RO::Manage System as the Console User:
profiles=Desktop Removable Media User,Suspend To RAM,Suspend To Disk,
Brightness,CPU Power Management,Network Autoconf User;
auths=solaris.system.shutdown;help=RtConsUser.html

Create a rights profile that includes any rights in the Console User profile that you want users to retain.
For instructions, see How to Create a Rights Profile in Oracle Solaris 11.1 Administration: Security Services.
Comment out the Console User rights profile in the /etc/security/policy.conf file.
```
#CONSOLE_USER=Console User
```
Assign users the rights profile that you created in Step 2.
```
# usermod -P +new-profile username
```

How to Place a Security Message in Banner Files

Use this procedure to create security messages in two banner files that reflect your site's security policy. The contents of these banner files display at local and remote login.

Note - The sample messages in this procedure do not satisfy U.S. government requirements and likely do not satisfy your security policy. Best practice is to consult with your company's legal counsel about the content of the security message.

Before You Begin

You must become an administrator who is assigned the Administrator Message Edit rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

Add a security message to the /etc/issue file.
```
$ pfedit /etc/issue
      ALERT   ALERT   ALERT   ALERT   ALERT

This machine is available to authorized users only.

If you are an authorized user, continue. 

Your actions are monitored, and can be recorded.
```
The login command displays the contents of /etc/issue before authentication, as do the the telnet and FTP services. To enable other applications to use this file, see How to Display a Security Message to ssh Users and How to Place a Security Message on the Desktop Login Screen.
For more information, see the issue(4) and pfedit(1M) man pages.
Add a security message to the /etc/motd file.
```
$ pfedit /etc/motd
This system serves authorized users only. Activity is monitored and reported.
```
In Oracle Solaris, the user's initial shell displays the contents of the /etc/motd file.

How to Place a Security Message on the Desktop Login Screen

Choose from several methods to create a security message for users to review at login.

For more information, click the System → Help menu from the desktop to bring up the GNOME Help Browser. You can also use the yelp command. Desktop login scripts are discussed in the GDM Login Scripts and Session Files section of the gdm(1M) man page.

Note - The sample message in this procedure does not satisfy U.S. government requirements and likely does not satisfy your security policy. Best practice is to consult with your company's legal counsel about the content of the security message.

Before You Begin

To create a file, you must assume the root role. To modify an existing file, you must become an administrator who is assigned the solaris.admin.edit/path-to-existing-file authorization.

Place a security message on the desktop login screen by using one of the following three options:
The options that create a dialog box can use the security message in the /etc/issue file from Step 1 of How to Place a Security Message in Banner Files.
- OPTION 1: Create a desktop file that displays the security message in a dialog box at login.
```
# pfedit /usr/share/gdm/autostart/LoginWindow/banner.desktop
[Desktop Entry]
Type=Application
Name=Banner Dialog
Exec=/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" \
--filename=/etc/issue
OnlyShowIn=GNOME;
X-GNOME-Autostart-Phase=Application
```
  After being authenticated in the login window, the user must close the dialog box to reach the workspace. For the options to the zenity command, see the zenity(1) man page.
- OPTION 2: Modify a GDM initialization script to display the security message in a dialog box.
  The /etc/gdm directory contains three initialization scripts that display the security message before, during, or immediately after desktop login. These scripts are also available in the Oracle Solaris 10 release.
  - Display the security message before the login screen appears.
```
$ pfedit /etc/gdm/Init/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message"  --filename=/etc/issue
```
    For information about editing system files as a non-root user, see the pfedit(1M) man page.
  - Display the security message in the user's initial workspace after authentication.
```
$ pfedit /etc/gdm/PreSession/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message"  --filename=/etc/issue
```
    Note - The dialog box can be covered by windows in the user's workspace.
- OPTION 3: Modify the login window to display the security message above the entry field.
  The login window expands to fit your message. This method does not point to the /etc/issue file. You must type the text into the GUI.
  
  Note - The login window, gdm-greeter-login-window.ui, is overwritten by the pkg fix and pkg update commands. To preserve your changes, copy the file to a configuration files directory, and merge its changes with the new file after upgrading the system. For more information, see the pkg(5) man page.
  1. Change directory to the login window user interface.
```
# cd /usr/share/gdm
```
  2. (Optional) Save a copy of the original login window UI.
```
# cp gdm-greeter-login-window.ui /etc/gdm/gdm-greeter-login-window.ui.orig
```
  3. Add a label to the login window by using the GNOME Toolkit interface designer.
    The glade-3 program opens the GTK+ interface designer. You type the security message into a label that displays above the user entry field.
```
# /usr/bin/glade-3 /usr/share/gdm/gdm-greeter-login-window.ui
```
    To review the guide for the interface designer, click Development in the GNOME Help Browser. The glade-3(1) man page is listed under Applications in the Manual Pages.
  4. (Optional) Save a copy of the modified login window UI.
```
# cp gdm-greeter-login-window.ui /etc/gdm/gdm-greeter-login-window.ui.site
```

Example 2-1 Creating a Short Warning Message at Desktop Login

In this example, the administrator types a short message as an argument to the zenity command in the desktop file. The administrator also uses the --warning option, which displays a warning icon with the message.

# pfedit /usr/share/gdm/autostart/LoginWindow/bannershort.desktop
[Desktop Entry]
Type=Application
Name=Banner Dialog
Exec=/usr/bin/zenity --warning --width=800  --height=150 --title="Security Message" \
--text="This system serves authorized users only. Activity is monitored and reported."
OnlyShowIn=GNOME;
X-GNOME-Autostart-Phase=Application

Skip Navigation Links
Exit Print View
	Oracle Solaris 11 Security Guidelines Oracle Solaris 11.1 Information Library