Skip Navigation Links | |
Exit Print View | |
Oracle Solaris 11 Security Guidelines Oracle Solaris 11 Information Library |
1. Overview of Oracle Solaris 11 Security
2. Configuring Oracle Solaris 11 Security
Installing the Oracle Solaris OS
Remove Power Management Capability From Users
Place Security Message in Banner Files
Place Security Message on the Desktop Login Screen
Set Stronger Password Constraints
Set Account Locking for Regular Users
Set More Restrictive umask Value for Regular Users
Audit Significant Events in Addition to Login/Logout
Display Security Message to ssh and ftp Users
Disable the Network Routing Daemon
Disable Broadcast Packet Forwarding
Disable Responses to Echo Requests
Set Maximum Number of Incomplete TCP Connections
Set Maximum Number of Pending TCP Connections
Specify a Strong Random Number for Initial TCP Connection
Reset Network Parameters to Secure Values
Protecting File Systems and Files
Protecting and Modifying Files
Securing Applications and Services
Creating Zones to Contain Critical Applications
Adding SMF to a Legacy Service
Creating a BART Snapshot of the System
Adding Multilevel (Labeled) Security
Configuring Trusted Extensions
At this point, only the initial user who can assume the root role has access to the system. The following tasks are best performed in order before regular users can log in.
|
Use this procedure if the defaults do not satisfy your site security requirements. The steps follow the list of entries in the /etc/default/passwd file.
Before You Begin
Before changing the defaults, ensure that the changes allow all users to authenticate to their applications and to other systems on the network.
You must be in the root role.
## /etc/default/passwd ## MAXWEEKS= MINWEEKS= MAXWEEKS=4 MINWEEKS=3
#PASSLENGTH=6 PASSLENGTH=8
#HISTORY=0 HISTORY=10
#MINDIFF=3 MINDIFF=4
#MINUPPER=0 MINUPPER=1
#MINDIGIT=0 MINDIGIT=1
See Also
For the list of variables that constrain password creation, see the /etc/default/passwd file. The defaults are indicated in the file.
For the password constraints in effect after installation, see System Access Is Limited and Monitored.
passwd(1) man page
Use this procedure to lock regular user accounts after a certain number of failed login attempts.
Note - Do not set account locking for users who can assume roles because you can lock out the role.
Before You Begin
You must be in the root role. Do not set this protection system-wide on a system that you use for administrative activities.
# vi /etc/security/policy.conf ... #LOCK_AFTER_RETRIES=NO LOCK_AFTER_RETRIES=YES ...
# usermod -K lock_after_retries=yes username
# vi /etc/default/login ... #RETRIES=5 RETRIES=3 ...
See Also
For a discussion of user and role security attributes, see Chapter 10, Security Attributes in Oracle Solaris (Reference), in Oracle Solaris Administration: Security Services.
Selected man pages include policy.conf(4) and user_attr(4).
If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.
Before You Begin
You must be in the root role.
Oracle Solaris provides directories for administrators to customize user shell defaults. These skeleton directories include files such as .profile, .bashrc and .kshrc.
Choose one of the following values:
umask 027 – Provides moderate file protection
(740) – w for group, rwx for others
umask 026 – Provides slightly stricter file protection
(741) – w for group, rw for others
umask 077 – Provides complete file protection
(700) – No access for group or others
See Also
For more information, see the following:
Setting Up User Accounts in Oracle Solaris Administration: Common Tasks
Default umask Value in Oracle Solaris Administration: Security Services
Selected man pages include usermod(1M) and umask(1).
Use this procedure to audit administrative commands, attempts to invade the system, and other significant events as specified by your site security policy.
Note - The examples in this procedure might not be sufficient to satisfy your security policy.
Before You Begin
You must be in the root role. You are implementing your site's security policy with regard to auditing.
For all users and roles, add the AUE_PFEXEC audit event to their preselection mask.
# usermod -K audit_flags=lo,ps:no username
# rolemod -K audit_flags=lo,ps:no rolename
# auditconfig -setpolicy +argv
# auditconfig -setpolicy +arge
See Also
For information about audit policy, see Audit Policy in Oracle Solaris Administration: Security Services.
For examples of setting audit flags, see Configuring the Audit Service (Tasks) in Oracle Solaris Administration: Security Services and Troubleshooting the Audit Service (Tasks) in Oracle Solaris Administration: Security Services.
To configure auditing, see the auditconfig(1M) man page.
Use this procedure to activate the audit_syslog plugin for events that you want to monitor as they happen.
Before You Begin
You must be in the root role to modify the syslog.conf file. Other steps require you to be assigned the Audit Configuration rights profile.
# auditconfig -setplugin audit_syslog active p_flags=lo
The default entry includes the location of the log file.
# cat /etc/syslog.conf … audit.notice /var/adm/auditlog
# touch /var/adm/auditlog
# svcadm refresh system/system-log
The audit service reads the changes to the audit plugin upon refresh.
# audit -s
See Also
To send the audit summaries to another system, see the example following How to Configure syslog Audit Logs in Oracle Solaris Administration: Security Services.
The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.
To monitor the output, see Monitoring audit_syslog Audit Summaries.
Under particular circumstances, one or more of three basic privileges can be removed from a regular user's basic set.
file_link_any – Allows a process to create hard links to files owned by a UID different from the effective UID of the process.
proc_info – Allows a process to examine the status of processes other than those it can send signals to. Processes that cannot be examined cannot be seen in /proc and appear not to exist.
proc_session – Allows a process to send signals or trace processes outside its session.
Before You Begin
You must be in the root role.
# usermod -K defaultpriv=basic,!file_link_any user
# usermod -K defaultpriv=basic,!proc_info user
# usermod -K defaultpriv=basic,!proc_session user
# usermod -K defaultpriv=basic,!file_link_any,!proc_info,!proc_session user
See Also
For more information, see Chapter 8, Using Roles and Privileges (Overview), in Oracle Solaris Administration: Security Services and the privileges(5) man page.