JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

Configuring Device Policy (Tasks)

Configuring Device Policy (Task Map)

How to View Device Policy

How to Audit Changes in Device Policy

How to Retrieve IP MIB-II Information From a /dev/* Device

Managing Device Allocation (Tasks)

Managing Device Allocation (Task Map)

How to Enable Device Allocation

How to Authorize Users to Allocate a Device

How to View Allocation Information About a Device

How to Forcibly Allocate a Device

How to Forcibly Deallocate a Device

How to Change Which Devices Can Be Allocated

How to Audit Device Allocation

Allocating Devices (Tasks)

How to Allocate a Device

How to Mount an Allocated Device

How to Deallocate a Device

Device Protection (Reference)

Device Policy Commands

Device Allocation

Components of Device Allocation

Device Allocation Service

Device Allocation Rights Profiles

Device Allocation Commands

Allocate Error State

device_maps File

device_allocate File

Device-Clean Scripts

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Device Protection (Reference)

Devices in Oracle Solaris are protected by kernel device policy. Peripheral devices can be protected by device allocation. Device allocation is optionally enabled, and is enforced at the user level.

Device Policy Commands

Device management commands administer the device policy on local files. Device policy can include privilege requirements. Users who are assigned the Device Management and Device Security rights profiles can manage devices.

The following table lists the device management commands.

Table 5-1 Device Management Commands

Man Page for Command
Purpose
Administers devices and device drivers on a running system. Also loads device policy.

The devfsadm command enables the cleanup of dangling /dev links to disk, tape, port, audio, and pseudo devices. Devices for a named driver can also be reconfigured.

Displays the policy associated with one or more devices. This command can be run by any user.
Adds a new device driver to a running system. Contains options to add device policy to the new device. Typically, this command is called in a script when a device driver is being installed.
Updates the attributes of an existing device driver. Contains options to update the device policy for the device. Typically, this command is called in a script when a device driver is being installed.
Removes a device or device driver.

Device Allocation

Device allocation can protect your site from loss of data, computer viruses, and other security breaches. Unlike device policy, device allocation is optional. Device allocation uses authorizations to limit access to allocatable devices.

Components of Device Allocation

The components of the device allocation mechanism are as follows:

These commands and scripts use the following local files to implement device allocation:


Note - The /etc/security/dev directory might not be supported in future releases of Oracle Solaris.


Device Allocation Service

The svc:/system/device/allocate service controls device allocation. This service is off by default.

Device Allocation Rights Profiles

The Device Management and Device Security rights profiles are required to manage devices and device allocation.

These rights profiles include the following authorizations:

Device Allocation Commands

With uppercase options, the allocate, deallocate, and list_devices commands are administrative commands. Otherwise, these commands are user commands. The following table lists the device allocation commands.

Table 5-2 Device Allocation Commands

Man Page for Command
Purpose
Searches for an allocatable device by device type, by device name, and by full path name.
Lists the status of allocatable devices.

Lists all the device-special files that are associated with any device that is listed in the device_maps file.

With the -U option, lists the devices that are allocatable or allocated to the specified user ID. This option allows you to check which devices are allocatable or allocated to another user. You must have the solaris.device.revoke authorization.

Reserves an allocatable device for use by one user.

By default, a user must have the solaris.device.allocate authorization to allocate a device. You can modify the device_allocate file to not require user authorization. Then, any user on the system can request the device to be allocated for use.

Removes the allocation reservation from a device.
Authorizations for the Allocation Commands

By default, users must have the solaris.device.allocate authorization to reserve an allocatable device. To create a rights profile to include the solaris.device.allocate authorization, see How to Authorize Users to Allocate a Device.

Administrators must have the solaris.device.revoke authorization to change the allocation state of any device. For example, the -U option to the allocate and list_devices commands, and the -F option to the deallocate command require the solaris.device.revoke authorization.

For more information, see Selected Commands That Require Authorizations.

Allocate Error State

A device is put in an allocate error state when the deallocate command fails to deallocate, or when the allocate command fails to allocate. When an allocatable device is in an allocate error state, then the device must be forcibly deallocated. Only a user or role with the Device Management rights profile or the Device Security rights profile can handle an allocate error state.

The deallocate command with the -F option forces deallocation. Or, you can use allocate -U to assign the device to a user. Once the device is allocated, you can investigate any error messages that appear. After any problems with the device are corrected, you can forcibly deallocate it.

device_maps File

Device maps are created when you set up device allocation. The /etc/security/device_maps file includes the device names, device types, and device-special files that are associated with each allocatable device.

The device_maps file defines the device-special file mappings for each device, which in many cases is not intuitive. This file allows programs to discover which device-special files map to which devices. You can use the dminfo command, for example, to retrieve the device name, the device type, and the device-special files to specify when you set up an allocatable device. The dminfo command uses the device_maps file to report this information.

Each device is represented by a one-line entry of the form:

device-name:device-type:device-list

Example 5-11 Sample device_maps Entry

The following is an example of an entry in a device_maps file for a diskette drive, fd0:

fd0:\
fd:\
/dev/diskette /dev/rdiskette /dev/fd0a /dev/rfd0a \
/dev/fd0b /dev/rfd0b /dev/fd0c /dev/fd0 /dev/rfd0c /dev/rfd0:\

Lines in the device_maps file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A pound sign (#) comments all subsequent text until the next newline that is not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field. The fields are defined as follows:

device-name

Specifies the name of the device. For a list of current device names, see How to View Allocation Information About a Device.

device-type

Specifies the generic device type. The generic name is the name for the class of devices, such as st, fd, rmdisk, or audio. The device-type field logically groups related devices.

device-list

Lists the device-special files that are associated with the physical device. The device-list must contain all of the special files that allow access to a particular device. If the list is incomplete, a malevolent user can still obtain or modify private information. Valid entries for the device-list field reflect the device files that are located in the /dev directory.

device_allocate File

You can modify the /etc/security/device_allocate file to change devices from allocatable to nonallocatable, or to add new devices. A sample device_allocate file follows.

st0;st;;;;/etc/security/lib/st_clean
fd0;fd;;;;/etc/security/lib/fd_clean
sr0;sr;;;;/etc/security/lib/sr_clean
audio;audio;;;*;/etc/security/lib/audio_clean

An entry in the device_allocate file does not mean that the device is allocatable, unless the entry specifically states that the device is allocatable. In the sample device_allocate file, note the asterisk (*) in the fifth field of the audio device entry. An asterisk in the fifth field indicates to the system that the device is not allocatable. Therefore, the device cannot be used. Other values or no value in this field indicates that the device can be used.

In the device_allocate file, each device is represented by a one-line entry of the form:

device-name;device-type;reserved;reserved;auths;device-exec

Lines in the device_allocate file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A pound sign (#) comments all subsequent text until the next newline that is not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field. The fields are defined as follows:

device-name

Specifies the name of the device. For a list of current device names, see How to View Allocation Information About a Device.

device-type

Specifies the generic device type. The generic name is the name for the class of devices, such as st, fd, and sr. The device-type field logically groups related devices. When you make a device allocatable, retrieve the device name from the device-type field in the device_maps file.

reserved

Oracle reserves the two fields that are marked reserved for future use.

auths

Specifies whether the device is allocatable. An asterisk (*) in this field indicates that the device is not allocatable. An authorization string, or an empty field, indicates that the device is allocatable. For example, the string solaris.device.allocate in the auths field indicates that the solaris.device.allocate authorization is required to allocate the device. An at sign (@) in this file indicates that the device is allocatable by any user.

device-exec

Supplies the path name of a script to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process. The device-exec script is run any time that the device is acted on by the deallocate command.

For example, the following entry for the sr0 device indicates that the CD-ROM drive is allocatable by a user with the solaris.device.allocate authorization:

sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean

You can decide to accept the default devices and their defined characteristics. After you install a new device, you can modify the entries. Any device that needs to be allocated before use must be defined in the device_allocate and device_maps files for that device's system. Currently, cartridge tape drives, diskette drives, CD-ROM drives, removable media devices, and audio chips are considered allocatable. These device types have device-clean scripts.


Note - Xylogics and Archive tape drives also use the st_clean script that is supplied for SCSI devices. You need to create your own device-clean scripts for other devices, such as terminals, graphics tablets, and other allocatable devices. The script must fulfill object-reuse requirements for that type of device.


Device-Clean Scripts

Device allocation satisfies part of what security auditors call the object reuse requirement. The device-clean scripts address the security requirement that all usable data be purged from a physical device before reuse. The data is cleared before the device is allocatable by another user. By default, cartridge tape drives, diskette drives, CD-ROM drives, and audio devices require device-clean scripts. Oracle Solaris provides the scripts. This section describes what device-clean scripts do.

Device-Clean Script for Tapes

The st_clean device-clean script supports three tape devices:

The st_clean script uses the rewoffl option to the mt command to clean up the device. For more information, see the mt(1) man page. If the script runs during system boot, the script queries the device to determine if the device is online. If the device is online, the script determines if the device has media in it. The ¼-inch tape devices that have media in them are placed in the allocate error state. The allocate error state forces the administrator to manually clean up the device.

During normal system operation, when the deallocate command is executed in interactive mode, the user is prompted to remove the media. Deallocation is delayed until the media is removed from the device.

Device-Clean Scripts for Diskettes and CD-ROM Drives

The following device-clean scripts are provided for diskettes and CD-ROM drives:

The scripts use the eject command to remove the media from the drive. If the eject command fails, the device is placed in the allocate error state. For more information, see the eject(1) man page.

Device-Clean Script for Audio

Audio devices are cleaned up with an audio_clean script. The script performs an AUDIO_GETINFO ioctl system call to read the device. The script then performs an AUDIO_SETINFO ioctl system call to reset the device configuration to the default.

Writing New Device-Clean Scripts

If you add more allocatable devices to the system, you might need to create your own device-clean scripts. The deallocate command passes a parameter to the device-clean scripts. The parameter, which is shown here, is a string that contains the device name. For more information, see the device_allocate(4) man page.

clean-script -[I|i|f|S] device-name

Device-clean scripts must return “0” for success and greater than “0” for failure. The options -I, -f, and -S determine the running mode of the script:

-I

Is needed during system boot only. All output must go to the system console. Failure or inability to forcibly eject the media must put the device in the allocate error state.

-i

Similar to the -I option, except that output is suppressed.

-f

Is for forced cleanup. The option is interactive and assumes that the user is available to respond to prompts. A script with this option must attempt to complete the cleanup if one part of the cleanup fails.

-S

Is for standard cleanup. The option is interactive and assumes that the user is available to respond to prompts.