JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

Configuring Devices (Task Map)

Configuring Device Policy (Tasks)

Configuring Device Policy (Task Map)

How to View Device Policy

How to Change the Device Policy on an Existing Device

How to Audit Changes in Device Policy

How to Retrieve IP MIB-II Information From a /dev/* Device

Managing Device Allocation (Tasks)

Managing Device Allocation (Task Map)

How to Enable Device Allocation

How to Authorize Users to Allocate a Device

How to View Allocation Information About a Device

Forcibly Allocating a Device

Forcibly Deallocating a Device

How to Change Which Devices Can Be Allocated

How to Audit Device Allocation

Allocating Devices (Tasks)

How to Allocate a Device

How to Mount an Allocated Device

How to Deallocate a Device

Device Protection (Reference)

Device Policy Commands

Device Allocation

Components of Device Allocation

Device Allocation Service

Device Allocation Rights Profiles

Device Allocation Commands

Allocate Error State

device_maps File

device_allocate File

Device-Clean Scripts

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)



Configuring Device Policy (Tasks)

Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.

Configuring Device Policy (Task Map)

The following task map points to device configuration procedures that are related to device policy.

For Instructions
View the device policy for the devices on your system.
Lists the devices and their device policy.
Require privilege for device use.
Uses privileges to protect a device.
Remove privilege requirements from a device.
Removes or lessens the privileges that are required to access a device.
Audit changes in device policy.
Records changes in device policy in the audit trail.
Access /dev/arp.
Gets Oracle Solaris IP MIB-II information.

How to View Device Policy

Example 5-1 Viewing the Device Policy for a Specific Device

In this example, the device policy for three devices is displayed.

% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/bge

How to Change the Device Policy on an Existing Device

Before You Begin

You must be assigned the Device Security rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Add policy to a device.
    # update_drv -a -p policy device-driver

    Specifies a policy for device-driver.

    -p policy

    Is the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device.


    Is the device driver.

    For more information, see the update_drv(1M) man page.

Example 5-2 Adding Policy to an Existing Device

In the following example, device policy is added to the ipnat device.

# getdevpolicy /dev/ipnat
# update_drv -a \
-p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat
# getdevpolicy /dev/ipnat

Example 5-3 Removing Policy From a Device

In the following example, the read set of privileges is removed from the device policy for the ipnat device.

# getdevpolicy /dev/ipnat
# update_drv -a -p write_priv_set=net_rawaccess ipnat
# getdevpolicy /dev/ipnat

How to Audit Changes in Device Policy

By default, the as audit class includes the AUE_MODDEVPLCY audit event.

Before You Begin

You must be assigned the Audit Configuration rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Preselect the audit class that includes AUE_MODDEVPLCY audit event.
    # auditconfig -getflags
    # auditconfig -setflags current-flags,as

    For detailed instructions, see How to Preselect Audit Classes.

How to Retrieve IP MIB-II Information From a /dev/* Device

Applications that retrieve Oracle Solaris IP MIB-II information should open /dev/arp, not /dev/ip.

  1. Determine the device policy on /dev/ip and /dev/arp.
    % getdevpolicy /dev/ip /dev/arp

    Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.

  2. Open /dev/arp and push the tcp and udp modules.

    No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.