In this section, you change the default umask value for all users, limit the damage from password guessing by locking accounts after a set number of failed logins, and remove the ability of console users to shut down the system. You can limit failed login attempts per system, per user, or through a rights profile. For a discussion of password constraints, see Passwords and Password Policy in Oracle Solaris 11.3 Security and Hardening Guidelines.
The umask value determines which permission bits are withheld from the files and directories that a user creates: a new file starts from mode 666 and a new directory from mode 777, and every bit that is set in the umask is cleared. If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.
Before You Begin
You must become an administrator who is authorized to edit the skeleton files. The root role is assigned these authorizations. For more information, see Using Your Assigned Administrative Rights.
Display the skeleton files that set up the environment of new user accounts.

# ls -1a /etc/skel
.bashrc
.profile
local.cshrc
local.login
local.profile
Add a umask line to the skeleton files, choosing one of the following values. The octal mode in parentheses is what a newly created directory receives; a newly created file receives the same mode without the execute bits (640, 640, and 600 respectively).

umask 026 – Provides moderate file protection (751) – read and search for group, search only for others
umask 027 – Provides strict file protection (750) – read and search for group, no access for others
umask 077 – Provides complete file protection (700) – no access for group or others
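To see what each candidate value actually leaves on new files and directories, and to verify that every skeleton file carries a umask at least as strict as the one you chose, here is an added POSIX shell example that is not part of the Oracle Solaris guide. The umask_modes, umask_at_least and audit_skel_umask functions are the example's own; it audits a throwaway directory that it builds itself rather than touching /etc/skel.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris guide. Demonstrates how a umask
# maps to the modes of newly created files (base 666) and directories (base 777),
# and audits a skeleton directory for a umask line at least as strict as required.

# Print "FILEMODE DIRMODE" (octal) that result from applying umask $1.
umask_modes() {
    mask=$((0$1))                         # leading 0 makes the value octal
    printf '%03o %03o\n' $((0666 & ~mask)) $((0777 & ~mask))
}

# Succeed if umask $1 is at least as strict as umask $2,
# i.e. it clears every permission bit that $2 clears.
umask_at_least() {
    have=$((0$1)); want=$((0$2))
    [ $((have & want)) -eq "$want" ]
}

# Audit every regular file in directory $1 for its last active "umask NNN" line
# (the last one wins, as it would when the login script runs) and print
# "<file> ok", "<file> missing" or "<file> loose:<value>" against required umask $2.
audit_skel_umask() {
    dir=$1; required=$2
    for f in "$dir"/.* "$dir"/*; do
        [ -f "$f" ] || continue
        val=$(sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/p' "$f" | tail -n 1)
        name=$(basename "$f")
        if [ -z "$val" ]; then
            printf '%s missing\n' "$name"
        elif umask_at_least "$val" "$required"; then
            printf '%s ok\n' "$name"
        else
            printf '%s loose:%s\n' "$name" "$val"
        fi
    done
}

# Demo: the default plus the three candidate values from the procedure.
for m in 022 026 027 077; do
    printf 'umask %s -> file %s, dir %s\n' "$m" $(umask_modes "$m")
done

# Demo: a constructed skeleton directory (not /etc/skel) with one loose,
# one compliant and one missing umask line, audited against 027.
skel=$(mktemp -d)
printf 'umask 022\n'              > "$skel/.profile"
printf '# umask 077\numask 027\n' > "$skel/local.profile"
printf 'PATH=/usr/bin\n'          > "$skel/local.login"
audit_skel_umask "$skel" 027
rm -rf "$skel"
```

On a Solaris system, audit_skel_umask /etc/skel 027 reports which skeleton files still hand new users a looser mask than the one you chose; a commented-out umask line counts as missing, because the shell never executes it.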
See Also
For more information, see the following:
Default umask Value in Securing Files and Verifying File Integrity in Oracle Solaris 11.3
Selected man pages include useradd(1M) and umask(1).
Use this procedure to lock regular user accounts after a certain number of failed login attempts. You can set account locking per user, per system, or for selected users through a rights profile.
Before You Begin
Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep it available for administrators.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
Enable account locking after failed logins. Choose the scope of the attribute value.

Per system – This protection applies to any user who attempts to use the system.

# pfedit /etc/security/policy.conf
...
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
...

Per user – This protection applies only to the user for whom you run this command. If you have many users, this is not a scalable solution.

# usermod -K lock_after_retries=yes username

Per rights profile – This protection applies to any user or system where you assign this rights profile.

# profiles -p shared-profile -S ldap
shared-profile: set lock_after_retries=yes
...

For more information about creating rights profiles, see Creating Rights Profiles and Authorizations.

If you have many users that share a rights profile, setting this value in a rights profile can be a scalable solution.

# usermod -P shared-profile username

You can also assign the profile per system in the policy.conf file.

# pfedit /etc/security/policy.conf
...
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=shared-profile,Basic Solaris User
...
Set the number of failed login attempts that is allowed before the account is locked.

The count is the RETRIES value in /etc/default/login and it applies to every login on the system; the lock_after_retries attribute described in the previous step is a yes/no switch (see user_attr(4)) and does not itself carry a count. To lock a user or a rights profile's users after three failures, lower RETRIES and make sure lock_after_retries=yes is in effect for them.

# pfedit /etc/default/login
...
#RETRIES=5
RETRIES=3
...

Per user, enable the switch with # usermod -K lock_after_retries=yes username; per rights profile, review Creating Rights Profiles and Authorizations and create a rights profile that includes lock_after_retries=yes.
When a user has been locked out, unlock the account.

# passwd -u username
A user who is locked out cannot log in without administrative intervention. You can unlock user accounts in both the files and ldap naming services.
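Because the lockout setting can come from three places (the user's own user_attr entry, one of the user's rights profiles, or policy.conf) and the count from a fourth (/etc/default/login), it is easy to believe an account is protected when it is not. The following added POSIX shell example, which is not part of the Oracle Solaris guide, reports the effective policy for a user from constructed copies of those files. It assumes the precedence "direct user_attr entry, then the user's profiles in order (directly assigned ones before PROFS_GRANTED), then policy.conf", and the defaults LOCK_AFTER_RETRIES=NO and RETRIES=5 that the procedure shows commented out; the temporary directory, file contents, user names and function names are the example's own, and it never reads the real /etc/security or /etc/default.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris guide. Reports the effective
# failed-login lockout policy for a user from copies of the files the procedure
# edits. Assumed precedence: the user's own user_attr entry, then the user's
# rights profiles in order (directly assigned ones before PROFS_GRANTED), then
# policy.conf, then the shipped defaults LOCK_AFTER_RETRIES=NO and RETRIES=5.

# Last active (uncommented) value of KEY in a key=value file, or "" if none.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Value of KEY in the ;-separated attribute field (field 5) of the line whose
# first field is NAME. Works for both user_attr(4) and prof_attr(4) layouts.
attr_of() {  # attr_of FILE NAME KEY
    awk -F: -v n="$2" -v k="$3" '
        $1 == n {
            m = split($5, kv, ";")
            for (i = 1; i <= m; i++)
                if (split(kv[i], p, "=") == 2 && p[1] == k) print p[2]
        }' "$1" | tail -n 1
}

# Rights profiles that apply to USER: directly assigned ones first, then
# PROFS_GRANTED from policy.conf; one name per line.
user_profiles() {  # user_profiles DIR USER
    { attr_of "$1/user_attr" "$2" profiles; conf_value "$1/policy.conf" PROFS_GRANTED; } \
        | tr ',' '\n' | sed '/^$/d'
}

# Print "USER lock=yes|no retries=N source=<where the lock setting came from>".
lockout_policy() {  # lockout_policy DIR USER
    lock=$(attr_of "$1/user_attr" "$2" lock_after_retries); src=user_attr
    if [ -z "$lock" ]; then
        while IFS= read -r prof; do
            v=$(attr_of "$1/prof_attr" "$prof" lock_after_retries)
            if [ -n "$v" ]; then lock=$v; src="prof_attr($prof)"; break; fi
        done <<EOF
$(user_profiles "$1" "$2")
EOF
    fi
    if [ -z "$lock" ]; then lock=$(conf_value "$1/policy.conf" LOCK_AFTER_RETRIES); src=policy.conf; fi
    if [ -z "$lock" ]; then lock=NO; src=default; fi
    retries=$(conf_value "$1/login" RETRIES)
    [ -n "$retries" ] || retries=5
    printf '%s lock=%s retries=%s source=%s\n' "$2" "$(printf '%s' "$lock" | tr 'A-Z' 'a-z')" "$retries" "$src"
}

# Constructed sample files (not the real /etc/security or /etc/default contents).
make_samples() {  # make_samples DIR
    cat > "$1/policy.conf" <<'EOF'
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
PROFS_GRANTED=Basic Solaris User
EOF
    cat > "$1/login" <<'EOF'
#RETRIES=5
RETRIES=3
EOF
    cat > "$1/user_attr" <<'EOF'
alice::::profiles=shared-profile
bob::::lock_after_retries=no
carol::::
EOF
    cat > "$1/prof_attr" <<'EOF'
shared-profile:::Shared lockout profile:lock_after_retries=yes
Basic Solaris User:::Automatically assigned rights:
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
for u in alice bob carol dave; do lockout_policy "$demo" "$u"; done
rm -rf "$demo"
```

In the sample, alice is protected through the shared profile, carol and the unknown user dave through policy.conf, while bob has an explicit per-user no that overrides the system setting; that last case is the one an auditor wants surfaced, since the system-wide YES in policy.conf makes it look covered.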
See Also
For a discussion of user and role security attributes, see Reference for Oracle Solaris Rights.
Selected man pages include passwd(1), policy.conf(4), profiles(1), user_attr(4), and usermod(1M).
Use this procedure to prevent users on the console of a system from suspending the system or powering it down. This software solution is not effective if the system hardware can be unplugged by the console user.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
Display the authorizations and rights profiles in the default Console User rights profile.

$ profiles -p "Console User" info
        name=Console User
        desc=Manage System as the Console User
        auths=solaris.system.shutdown,solaris.device.cdrw,
                solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd
        profiles=Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,
                Network Autoconf User

The solaris.system.shutdown authorization and the Suspend To RAM and Suspend To Disk rights profiles are what let the console user power down or suspend the system; the replacement profile must omit them.
Create a replacement rights profile that omits the shutdown authorization and the suspend profiles. For instructions, see How to Create a Rights Profile.

The following is a sample replacement profile:

$ profiles -p "Site Console User" info
        name=Site Console User
        desc=Read devices and control brightness on the console
        auths=solaris.device.cdrw,
        profiles=Brightness,CPU Power Management,Network Autoconf User
Comment out the default console profile in the policy.conf file, so that the Console User profile is no longer granted to whoever is logged in on the console.

# pfedit /etc/security/policy.conf
...
#CONSOLE_USER=Console User
...

Alternatively, set CONSOLE_USER to the name of your replacement profile so that it is granted only to the console user.
Assign the replacement rights profile to users.

# usermod -P "Site Console User" username

You can also assign the profile per system in the policy.conf file.

# pfedit /etc/security/policy.conf
...
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=Site Console User,Basic Solaris User
...
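After you create the replacement profile, confirm that it really drops the power-control rights. The following added POSIX shell example, which is not part of the Oracle Solaris guide, reads the output format of profiles -p NAME info, joins its wrapped lines, and flags the solaris.system.shutdown authorization and the Suspend To RAM and Suspend To Disk profiles. The two listings are constructed here from the text above so the check runs offline; on a Solaris system you would pipe the live command into power_rights. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris guide. Checks a rights profile,
# as printed by `profiles -p NAME info`, for the rights that let a console user
# power the system down or suspend it: the solaris.system.shutdown
# authorization and the Suspend To RAM / Suspend To Disk profiles.

# Join wrapped continuation lines: a line that starts with "key=" begins a new
# attribute, anything else is the tail of the previous one (indentation removed).
unwrap() {
    awk '/^[ \t]*[A-Za-z_]+=/ && NR > 1 { print line; line = "" }
         { sub(/^[ \t]+/, ""); line = line $0 }
         END { if (line != "") print line }'
}

# Entries of the comma-separated attribute FIELD (e.g. auths, profiles) from
# unwrapped profile output on stdin, one per line, empty entries dropped.
info_field() {  # info_field FIELD
    sed -n "s/^[[:space:]]*$1=//p" | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# Read `profiles ... info` output on stdin. Print one finding per line and
# return 1 if the profile grants shutdown or suspend rights; print nothing and
# return 0 if it is clean.
power_rights() {
    text=$(unwrap)
    findings=$(
        printf '%s\n' "$text" | info_field auths    | grep -Ex 'solaris\.system\.shutdown' | sed 's/^/auth /'
        printf '%s\n' "$text" | info_field profiles | grep -Ex 'Suspend To (RAM|Disk)'     | sed 's/^/profile /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed listings, laid out the way `profiles -p NAME info` wraps them.
CONSOLE_USER_INFO='        name=Console User
        desc=Manage System as the Console User
        auths=solaris.system.shutdown,solaris.device.cdrw,
                solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd
        profiles=Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,
                Network Autoconf User'

SITE_CONSOLE_USER_INFO='        name=Site Console User
        desc=Read devices and control brightness on the console
        auths=solaris.device.cdrw,
        profiles=Brightness,CPU Power Management,Network Autoconf User'

# Demo: the default profile is flagged, the replacement is clean.
check() {  # check LABEL TEXT
    if printf '%s\n' "$2" | power_rights; then
        echo "$1: no power-control rights"
    else
        echo "$1: grants power control (findings above)"
    fi
}
check "Console User" "$CONSOLE_USER_INFO"
check "Site Console User" "$SITE_CONSOLE_USER_INFO"
```

The check only reads what the profile grants directly; a profile can also pull in rights through the profiles it lists, so run it against each nested profile as well (Brightness, CPU Power Management and Network Autoconf User in the sample) before trusting the result.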
See Also
For more information, see policy.conf File and the policy.conf(4) and usermod(1M) man pages.