- System Administration Guide: Security Services

How to Enable the Audit Service

-s command

audit -t command

How to Refresh the Audit Service

-s option, praudit command,

praudit Command

safe protection level,

Overview of Kerberized Commands

SASL

environment variable,

SASL Environment Variable

options,

SASL Options

overview,

SASL (Overview)

plug-ins,

SASL Plug-ins

saslauthd_path option, SASL and,

SASL Options

saving, failed login attempts,

How to Monitor Failed Login Attempts

scope (RBAC), description,

Name Service Scope and RBAC

scp command

copying files with,

description,

How to Configure the audit_warn Email Alias

scripts

audit_warn script

audit_warn Script

checking for RBAC authorizations,

How to Add RBAC Properties to Legacy Applications

device-clean scripts

See also device-clean scripts

for cleaning devices,

How to View the Contents of Binary Audit Files

monitoring audit files example,

Auditing Efficiently

processing praudit output,

running with privileges,

Assigning Privileges to a Script

securing,

How to Add RBAC Properties to Legacy Applications

use of privileges in,

How to Run a Shell Script With Privileged Commands

SCSI devices, st_clean script,

device_allocate File

SEAM Tool

and limited administration privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

and list privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

and X Window system,

Command-Line Equivalents of the SEAM Tool

command-line equivalents,

Command-Line Equivalents of the SEAM Tool

context-sensitive help,

How to Create a New Kerberos Principal

creating a new policy

How to Create a New Kerberos Policy

creating a new principal,

How to Create a New Kerberos Principal

default values,

How to Start the SEAM Tool

deleting a principal,

How to Delete a Kerberos Principal

deleting policies,

How to Delete a Kerberos Policy

displaying sublist of principals,

How to View the List of Kerberos Principals

duplicating a principal,

How to Duplicate a Kerberos Principal

files modified by,

The Only File Modified by the SEAM Tool

Filter Pattern field,

How to View the List of Kerberos Principals

gkadmin command,

Ways to Administer Kerberos Principals and Policies

.gkadmin file,

The Only File Modified by the SEAM Tool

help,

Help Contents,

Using the SEAM Tool With Limited Kerberos Administration Privileges

how affected by privileges,

kadmin command,

Ways to Administer Kerberos Principals and Policies

How to Start the SEAM Tool

modifying a policy,

How to Modify a Kerberos Policy

modifying a principal,

How to Modify a Kerberos Principal

online help,

SEAM Tool Panel Descriptions

or kadmin command,

SEAM Tool

overview,

SEAM Tool

panel descriptions,

privileges,

Using the SEAM Tool With Limited Kerberos Administration Privileges

setting up principal defaults,

How to Set Up Defaults for Creating New Kerberos Principals

starting,

How to Start the SEAM Tool

table of panels,

SEAM Tool Panel Descriptions

viewing a principal's attributes,

How to View a Kerberos Principal's Attributes

viewing list of policies,

How to View the List of Kerberos Policies

viewing list of principals,

How to View the List of Kerberos Principals

viewing policy attributes,

How to View a Kerberos Policy's Attributes

secret keys

creating

How to Generate a Symmetric Key by Using the dd Command

How to Generate a Symmetric Key by Using the pktool Command

generating

using the dd command,

How to Generate a Symmetric Key by Using the dd Command

using the pktool command,

How to Generate a Symmetric Key by Using the pktool Command

generating for Secure RPC,

Secure by Default installation option,

How to Set Up Default Connections to Hosts Outside a Firewall

secure connection

across a firewall,

logging in,

How to Log In to a Remote Host With Solaris Secure Shell

Secure NFS,

NFS Services and Secure RPC

Secure RPC

alternative,

Authentication and Authorization for Remote Access

and Kerberos,

Kerberos Authentication

description,

Overview of Secure RPC

implementation of,

keyserver,

Authentication and Authorization for Remote Access

overview,

securing

logins task map,

Securing Logins and Passwords (Task Map)

network at installation,

Securing Logins and Passwords (Task Map)

passwords task map,

scripts,

How to Add RBAC Properties to Legacy Applications

security

across insecure network,

How to Set Up Default Connections to Hosts Outside a Firewall

auditing,

Oracle Solaris Auditing (Overview)

auditing and,

How Is Auditing Related to Security?

BART

Using the Basic Audit Reporting Tool (Tasks)

BART Security Considerations

computing digest of files,

How to Compute a Digest of a File

computing MAC of files,

How to Compute a MAC of a File

cryptographic framework,

Oracle Solaris Cryptographic Framework (Overview)

device allocation,

Controlling Access to Devices (Tasks)

devices,

Controlling Access to Devices

DH authentication,

How to Encrypt and Decrypt a File

encrypting files,

installation options,

Oracle Solaris Key Management Framework

key management framework,

netservices limited installation option,

NFS client-server,

Oracle Solaris Security Policy

password encryption,

Password Encryption

policy overview,

preventing remote login,

Using Oracle Solaris Resource Management Features

protecting against denial of service,

protecting against Trojan horse,

Setting the PATH Variable

protecting devices,

protecting hardware,

protecting PROM,

Secure by Default,

Using Solaris Secure Shell (Tasks)

Solaris Secure Shell,

system hardware,

Managing Machine Security (Overview)

systems,

security attributes

checking for,

Applications That Check UIDs and GIDs

considerations when directly assigning,

Security Considerations When Directly Assigning Security Attributes

description,

Oracle Solaris RBAC Elements and Basic Concepts

order of search,

Order of Search for Assigned Security Attributes

Printer management rights profile,

Oracle Solaris RBAC Elements and Basic Concepts

privileges on commands,

Applications That Check for Privileges

special ID on commands,

Applications That Check UIDs and GIDs

using to mount allocated device,

How to Authorize Users to Allocate a Device

security mechanism, specifying with -m option,

Overview of Kerberized Commands

security modes, setting up environment with multiple,

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

security policy, default (RBAC),

Databases That Support RBAC

security service, Kerberos and,

Kerberos Security Services

selecting

audit classes,

How to Preselect Audit Classes

audit records,

How to Select Audit Events From the Audit Trail

events from audit trail,

How to Select Audit Events From the Audit Trail

semicolon (;), device_allocate file,

device_allocate File

sendmail command, authorizations required,

Commands That Require Authorizations

seq audit policy

and sequence token

Determining Audit Policy

sequence Token

description,

Determining Audit Policy

sequence audit token

and seq audit policy,

sequence Token

format,

sequence Token

ServerAliveCountMax keyword, ssh_config file,

ServerAliveInterval keyword, ssh_config file,

ServerKeyBits keyword, sshd_config file,

servers

AUTH_DH client-server session,

Server Configuration in Solaris Secure Shell

configuring for Solaris Secure Shell,

definition in Kerberos,

Gaining Access to a Service Using Kerberos

gaining access with Kerberos,

obtaining credential for,

Obtaining a Credential for a Server

realms and,

Kerberos Servers

service

definition in Kerberos,

How to Temporarily Disable Authentication for a Service on a Host

disabling on a host,

obtaining access for specific service,

Obtaining Access to a Specific Service

service keys

definition in Kerberos,

Administering Keytab Files

keytab files and,

service management facility

enabling keyserver,

How to Add a Software Provider

refreshing cryptographic framework,

restarting cryptographic framework,

How to Refresh or Restart All Cryptographic Services

restarting Solaris Secure Shell,

How to Configure Port Forwarding in Solaris Secure Shell

Service Management Facility (SMF), See SMF

service principal

adding to keytab file

Administering Keytab Files

How to Add a Kerberos Service Principal to a Keytab File

description,

Kerberos Principals

planning for names,

Client and Service Principal Names

removing from keytab file,

How to Remove a Service Principal From a Keytab File

session ID, audit,

Process Audit Characteristics

session keys

definition in Kerberos,

How the Kerberos Authentication System Works

Kerberos authentication and,

-setflags option, auditconfig command,

How to Preselect Audit Classes

setgid permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

setgid Permission

security risks,

setgid Permission

symbolic mode,

How to Preselect Audit Classes

-setnaflags option, auditconfig command,

setpin subcommand, pktool command,

How to Generate a Passphrase by Using the pktool setpin Command

-setplugin option

auditconfig command

How to Send Audit Files to a Remote Repository

How to Configure syslog Audit Logs

-setpolicy option, auditconfig command,

How to Change Audit Policy

setting

arge policy,

How to Audit All Commands by Users

argv policy,

How to Audit All Commands by Users

audit policy,

How to Change Audit Policy

audit queue controls,

How to Change Audit Queue Controls

principal defaults (Kerberos),

How to Set Up Defaults for Creating New Kerberos Principals

setuid permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

setuid Permission

finding files with permissions set,

How to Find Files With Special File Permissions

security risks

Restricting setuid Executable Files

setuid Permission

symbolic mode,

sftp audit class,

How to Audit FTP and SFTP File Transfers

sftp command

auditing file transfers,

copying files with,

description,

How to List Available Providers

sh command, privileged version,

Profile Shell in RBAC

SHA1 kernel provider,

SHA2 kernel provider,

How to List Available Providers

sharing files

and network security,

Sharing Files Across Machines

with DH authentication,

How to Share NFS Files With Diffie-Hellman Authentication

shell, privileged versions,

Profile Shell in RBAC

shell commands

/etc/d_passwd file entries,

Dial-Up Logins

passing parent shell process number,

How to Determine the Privileges on a Process

shell process, listing its privileges,

How to Determine the Privileges on a Process

shell scripts, writing privileged,

How to Run a Shell Script With Privileged Commands

short praudit output format,

praudit Command

shosts.equiv file, description,

.shosts file, description,

How to Sign a Certificate Request by Using the pktool signcsr Command

signing

PKCS #10 CSR,

using the pktool command,

How to Sign a Certificate Request by Using the pktool signcsr Command

signing providers, cryptographic framework,

Plugins to the Oracle Solaris Cryptographic Framework

single-sign-on system,

Kerberos User Commands

Kerberos and,

What Is the Kerberos Service?

size of audit files

reducing

How to Merge Audit Files From the Audit Trail

auditreduce Command

reducing storage-space requirements,

Auditing Efficiently

slave_datatrans file

description,

Kerberos Files

KDC propagation and,

Backing Up and Propagating the Kerberos Database

slave_datatrans_slave file, description,

Kerberos Files

slave KDCs

automatically configuring,

How to Automatically Configure a Slave KDC

configuring,

Kerberos-Specific Terminology

definition,

interactively configuring,

How to Interactively Configure a Slave KDC

master KDC and,

Kerberos Servers

or master,

Configuring KDC Servers

planning for,

The Number of Slave KDCs

swapping with master KDC,

Swapping a Master KDC and a Slave KDC

slot, definition in cryptographic framework,

Terminology in the Oracle Solaris Cryptographic Framework

SMF

See also service management facility

auditd service,

Oracle Solaris Audit Service

cryptographic framework service,

Administrative Commands in the Oracle Solaris Cryptographic Framework

device allocation service,

Device Allocation Service

kcfd service,

Administrative Commands in the Oracle Solaris Cryptographic Framework

managing Secure by Default configuration,

How to Configure Port Forwarding in Solaris Secure Shell

ssh service,

socket audit token,

socket Token

soft limit, audit_warn condition,

audit_warn Script

soft string, audit_warn script,

audit_warn Script

solaris.device.revoke authorization,

Device Allocation Commands

Solaris Secure Shell

adding to system,

Solaris Secure Shell Packages and Initialization

administering,

A Typical Solaris Secure Shell Session

administrator task map

Solaris Secure Shell (Task Map)

Configuring Solaris Secure Shell (Task Map)

authentication

requirements for,

Solaris Secure Shell Authentication

authentication methods,

Solaris Secure Shell Authentication

authentication steps,

Authentication and Key Exchange in Solaris Secure Shell

basis from OpenSSH,

Solaris Secure Shell and the OpenSSH Project

changes in current release,

Solaris Secure Shell and the OpenSSH Project

changing passphrase,

How to Change the Passphrase for a Solaris Secure Shell Private Key

command execution,

Command Execution and Data Forwarding in Solaris Secure Shell

configuring clients,

Client Configuration in Solaris Secure Shell

configuring port forwarding,

How to Configure Port Forwarding in Solaris Secure Shell

configuring server,

Server Configuration in Solaris Secure Shell

connecting across a firewall,

How to Set Up Default Connections to Hosts Outside a Firewall

connecting outside firewall

from command line,

How to Set Up Default Connections to Hosts Outside a Firewall

from configuration file,

How to Set Up Default Connections to Hosts Outside a Firewall

copying files,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

creating keys,

data forwarding,

Command Execution and Data Forwarding in Solaris Secure Shell

description,

Solaris Secure Shell (Overview)

files,

forwarding mail,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

generating keys,

keywords,

local port forwarding

How to Reduce Password Prompts in Solaris Secure Shell

logging in fewer prompts,

logging in to remote host,

How to Log In to a Remote Host With Solaris Secure Shell

Solaris Secure Shell and Login Environment Variables

naming identity files,

Solaris Secure Shell Packages and Initialization

packages,

protocol versions,

Solaris Secure Shell (Overview)

public key authentication,

Solaris Secure Shell Authentication

remote port forwarding,

scp command,

How to Create User and Host Exceptions to SSH System Defaults

specifying exceptions to system defaults,

TCP and,

How to Configure Port Forwarding in Solaris Secure Shell

typical session,

A Typical Solaris Secure Shell Session

user procedures,

Using Solaris Secure Shell (Task Map)

using port forwarding,

How to Reduce Password Prompts in Solaris Secure Shell

using without password,

special permissions

setgid permissions,

setgid Permission

setuid permissions,

setuid Permission

sticky bit,

Sticky Bit

square brackets ([]), auditrecord output,

Audit Record Analysis

sr_clean script, description,

ssh-add command

description,

How to Reduce Password Prompts in Solaris Secure Shell

example

storing private keys,

How to Reduce Password Prompts in Solaris Secure Shell

ssh-agent command

description,

How to Reduce Password Prompts in Solaris Secure Shell

from command line,

ssh command

description,

overriding keyword settings,

port forwarding options,

How to Log In to a Remote Host With Solaris Secure Shell

using,

using a proxy command,

How to Set Up Default Connections to Hosts Outside a Firewall

.ssh/config file

description,

override,

Client Configuration in Solaris Secure Shell

ssh_config file

configuring Solaris Secure Shell,

host-specific parameters,

Host-Specific Parameters in Solaris Secure Shell

keywords,

See specific keyword

override,

.ssh/environment file, description,

ssh_host_dsa_key file, description,

ssh_host_dsa_key.pub file, description,

ssh_host_key file

description,

override,

ssh_host_key.pub file, description,

ssh_host_rsa_key file, description,

ssh_host_rsa_key.pub file, description,

.ssh/id_dsa file,

.ssh/id_rsa file,

.ssh/identity file,

ssh-keygen command

description,

How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell

using,

ssh-keyscan command, description,

ssh-keysign command, description,

.ssh/known_hosts file

description,

override,

ssh_known_hosts file,

.ssh/rc file, description,

sshd command, description,

sshd_config file

description,

keywords,

Solaris Secure Shell and Login Environment Variables

See specific keyword

overrides of /etc/default/login entries,

sshd.pid file, description,

sshrc file, description,

st_clean script

description,

for tape drives,

device_allocate File

standard cleanup, st_clean script,

How to Enable the Audit Service

starting

auditing,

device allocation,

How to Enable Device Allocation

KDC daemon

How to Configure a Slave KDC to Use Full Propagation

Secure RPC keyserver,

stash file

creating

How to Configure a Slave KDC to Use Full Propagation

definition,

Kerberos-Specific Terminology

sticky bit permissions

absolute mode

How to Change Special File Permissions in Absolute Mode

description,

Sticky Bit

symbolic mode,

How to Temporarily Disable Dial-Up Logins

Stop (RBAC), rights profile,

Stop Rights Profile

stopping, dial-up logins temporarily,

storage costs, and auditing,

Cost of Storage of Audit Data

storage overflow prevention, audit trail,

How to Prevent Audit Trail Overflow

storing

audit files

How to Plan Storage for Audit Records

How to Create ZFS File Systems for Audit Files

passphrase,

How to Encrypt and Decrypt a File

StrictHostKeyChecking keyword, ssh_config file,

StrictModes keyword, sshd_config file,

su command

displaying access attempts on console,

in role assumption,

How to Assume a Role

monitoring use,

su file, monitoring su command,

subject audit token, format,

subject Token

Subsystem keyword, sshd_config file,

success

audit class prefix,

Audit Class Syntax

turning off audit classes for,

Audit Class Syntax

sufficient control flag, PAM,

How PAM Stacking Works

sulog file,

monitoring contents of,

How to Disable Hardware Provider Mechanisms and Features

Sun Crypto Accelerator 1000 board, listing mechanisms,

Sun Crypto Accelerator 6000 board

hardware plugin to cryptographic framework,

Oracle Solaris Cryptographic Framework

listing mechanisms,

How to List Hardware Providers

SUPATH in Solaris Secure Shell,

Solaris Secure Shell and Login Environment Variables

superuser

compared to privilege model,

Privileges (Overview)

compared to RBAC model,

RBAC: An Alternative to the Superuser Model

differences from privilege model,

Administrative Differences on a System With Privileges

eliminating in RBAC,

RBAC Roles

monitoring access attempts,

How to Make root User Into a Role

troubleshooting becoming root as a role,

troubleshooting remote access,

Device Allocation Service

svc:/system/device/allocate, device allocation service,

svcadm command

administering cryptographic framework

Scope of the Oracle Solaris Cryptographic Framework

Administrative Commands in the Oracle Solaris Cryptographic Framework

enabling cryptographic framework,

How to Refresh or Restart All Cryptographic Services

enabling keyserver daemon,

How to Add a Software Provider

refreshing cryptographic framework,

restarting

Solaris Secure Shell,

How to Configure Port Forwarding in Solaris Secure Shell

syslog daemon

How to Configure syslog Audit Logs

svcs command

listing cryptographic services,

How to Refresh or Restart All Cryptographic Services

listing keyserver service,

Swapping a Master KDC and a Slave KDC

swapping master and slave KDCs,

symbolic links, file permissions,

UNIX File Permissions

symbolic mode

changing file permissions

How to Change File Permissions in Symbolic Mode

description,

How to Manually Configure a Master KDC

synchronizing clocks

master KDC

How to Configure a KDC to Use an LDAP Data Server

overview,

Synchronizing Clocks Between KDCs and Kerberos Clients

slave KDC

How to Configure a Slave KDC to Use Full Propagation

SYS privileges,

Privilege Descriptions

syslog.conf file

and auditing,

syslog.conf File

audit.notice level,

How to Configure syslog Audit Logs

executable stack messages,

Preventing Executable Files From Compromising Security

kern.notice level,

Preventing Executable Files From Compromising Security

priv.debug entry,

Files With Privilege Information

saving failed login attempts,

Solaris Secure Shell and Login Environment Variables

SYSLOG_FAILED_LOGINS

in Solaris Secure Shell,

system variable,

syslog format, audit records,

syslog.conf File

SyslogFacility keyword, sshd_config file,

How to Require a Password for Hardware Access

System Administrator (RBAC)

assuming role,

How to Assume a Role

protecting hardware,

recommended role,

RBAC: An Alternative to the Superuser Model

rights profile,

System Administrator Rights Profile

system calls

argument audit token,

argument Token

close,

exec_args audit token,

exec_args Token

exec_env audit token,

exec_env Token

ioctl(),

ioctl to clean audio device,

return audit token,

return Token

system hardware, controlling access to,

Managing Machine Security (Overview)

system properties, privileges relating to,

Privilege Descriptions

system security

access,

dial-up logins and passwords,

Dial-Up Logins

dial-up passwords

disabling temporarily,

How to Temporarily Disable Dial-Up Logins

displaying

user's login status

How to Display a User's Login Status

users with no passwords,

How to Display Users Without Passwords

firewall systems,

Firewall Systems

hardware protection

Maintaining Physical Security

Maintaining Login Control

machine access,

Maintaining Physical Security

overview

Managing Machine Security (Overview)

Controlling Access to a Computer System

password encryption,

Password Encryption

passwords,

Managing Password Information

privileges,

Privileges (Overview)

protecting from risky programs,

Protecting Against Programs With Security Risk (Task Map)

restricted shell

Assigning a Restricted Shell to Users

restricting remote root access,

Configuring Role-Based Access Control to Replace Superuser

role-based access control (RBAC)

RBAC: An Alternative to the Superuser Model

root access restrictions

Restricting root Access to Shared Files

How to Monitor Failed Login Attempts

saving failed login attempts,

special logins,

Special System Logins

su command monitoring

Limiting and Monitoring Superuser

Protecting Against Programs With Security Risk (Task Map)

task map,

UFS ACLS,

Using Access Control Lists to Protect UFS Files

system state change audit class,

System V IPC

ipc audit class,

How to Specify an Algorithm for Password Encryption

ipc audit token,

ipc Token

IPC_perm audit token,

IPC_perm Token

privileges,

Privilege Descriptions

system variables

See also variables

CRYPT_DEFAULT,

KEYBOARD_ABORT,

How to Disable a System's Abort Sequence

noexec_user_stack,

How to Disable Programs From Using Executable Stacks

noexec_user_stack_log,

How to Disable Programs From Using Executable Stacks

rstchown,

How to Change the Owner of a File

SYSLOG_FAILED_LOGINS,

system-wide administration audit class,