Securing Users and Processes in Oracle® Solaris 11.4

Updated: November 2020
 
 

New Feature – Enabling the account-policy Service

In Oracle Solaris 11.4, you can set the default rights for a system in SMF.

On legacy systems, you edited files in the /etc directory. When you use SMF, the properties of the account-policy service indicate the current policies. The security policies are grouped into four stencils:

  • config/etc_security_policyconf
  • config/etc_default_login
  • config/etc_default_passwd
  • config/etc_default_su

When you enable a stencil, you are then able to modify the security attributes that are in that stencil.

  1. To enable the service and verify that it is in effect, run the following commands:

    $ pfexec svcadm enable account-policy
    $ svcs account-policy
    STATE          STIME    FMRI
    online         0:10:00  svc:/system/account-policy:default

  2. Then, enable the stencil for the security attribute that you want to change, and set the attribute to the value that your site policy requires.

    $ pfbash svccfg -s account-policy \
        setprop config/etc_security-stencil/disabled = boolean: false
    $ svccfg -s account-policy:default \
        setprop security-stencil-group/property = [type:] value
    $ svcadm refresh account-policy

Note - When the account-policy:default SMF service is online, changes to the legacy files, such as /etc/default/login, no longer affect the rights that the system enforces. Similarly, the contents of the files might not reflect current policy.
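Before you edit either the legacy files or the SMF properties, it helps to confirm which source the system is enforcing. The following script is an added example, not part of the Oracle documentation: it reports the service state and the disabled flag of each of the four stencils. The function name audit_account_policy is hypothetical, and the script assumes each flag can be read with svcprop at the config/<stencil>/disabled path used in step 2.

```shell
#!/bin/sh
# Added example: report whether account-policy is in effect and which of the
# four stencils listed on this page are enabled for modification.
FMRI=svc:/system/account-policy:default
STENCILS="etc_security_policyconf etc_default_login etc_default_passwd etc_default_su"

# Prints one line per finding.
# Returns 0 if the service is online and every stencil is enabled,
#         1 if the service is not online,
#         2 if at least one stencil is disabled or unreadable.
audit_account_policy() {
    state=$(svcs -H -o state "$FMRI" 2>/dev/null) || state=absent
    [ -n "$state" ] || state=absent
    if [ "$state" != online ]; then
        echo "service: $state (account-policy is not in effect)"
        return 1
    fi
    echo "service: online (edits to legacy files such as /etc/default/login are not enforced)"
    rc=0
    for s in $STENCILS; do
        # Assumption: property path follows the page's
        # config/<stencil>/disabled pattern.
        val=$(svcprop -p "config/$s/disabled" "$FMRI" 2>/dev/null) || val=unknown
        case $val in
            false) echo "stencil config/$s: enabled" ;;
            true)  echo "stencil config/$s: disabled"; rc=2 ;;
            *)     echo "stencil config/$s: unreadable"; rc=2 ;;
        esac
    done
    return $rc
}

# Run the audit only where the SMF tools are installed.
if command -v svcs >/dev/null 2>&1; then audit_account_policy; fi
```

A return status of 2 means that at least one stencil still needs the step 2 enable command before its attributes can be changed.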

For a list of security attributes that you can modify system-wide, see Security Attributes in Files and Their Corresponding SMF Properties.