JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11 Security Guidelines     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Overview of Oracle Solaris Security

2.  Configuring Oracle Solaris Security

Installing the Oracle Solaris OS

Securing the System

How to Verify Your Packages

How to Disable Unneeded Services

How to Remove Power Management Capability From Users

How to Place a Security Message in Banner Files

How to Place a Security Message on the Desktop Login Screen

Securing Users

How to Set Stronger Password Constraints

How to Set Account Locking for Regular Users

How to Set More Restrictive umask Value for Regular Users

How to Audit Significant Events in Addition to Login/Logout

How to Monitor lo Events in Real Time

How to Remove Unneeded Basic Privileges From Users

Securing the Kernel

Configuring the Network

How to Display a Security Message to ssh Users

How to Use TCP Wrappers

Protecting File Systems and Files

How to Limit the Size of the tmpfs File System

Protecting and Modifying Files

Securing Applications and Services

Creating Zones to Contain Critical Applications

Managing Resources in Zones

Configuring IPsec and IKE

Configuring IP Filter

Configuring Kerberos

Adding SMF to a Legacy Service

Creating a BART Snapshot of the System

Adding Multilevel (Labeled) Security

Configuring Trusted Extensions

Configuring Labeled IPsec

3.  Monitoring and Maintaining Oracle Solaris Security

A.  Bibliography for Oracle Solaris Security

Securing Users

At this point, only the initial user who can assume the root role has access to the system. The following tasks are best performed in order before regular users can log in.

Task
Description
For Instructions
Require strong passwords and frequent password changes.
Strengthens the default password constraints on each system.
Configure restrictive file permissions for regular users.
Sets a more restrictive value than 022 for file permissions for regular users.
Set account locking for regular users.
On systems that are not used for administration, sets account locking system-wide and reduces the number of logins that activate the lock.
Preselect additional audit classes.
Provides better monitoring and recording of potential threats to the system.
Send text summaries of audit events to the syslog utility.
Provides real-time coverage of significant audit events, such as logins and attempted logins.
Create roles.
Distributes discrete administrative tasks to several trusted users so that no one user can damage the system.
Reduce the number of visible GNOME desktop applications.
Prevents users from using desktop applications that can affect security.
Limit a user's privileges.
Removes basic privileges that users do not need.

How to Set Stronger Password Constraints

Use this procedure if the defaults do not satisfy your site security requirements. The steps follow the list of entries in the /etc/default/passwd file.

Before You Begin

Before changing the defaults, ensure that the changes allow all users to authenticate to their applications and to other systems on the network.

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

See Also

How to Set Account Locking for Regular Users

Use this procedure to lock regular user accounts after a certain number of failed login attempts.


Note - Do not set account locking for users who can assume roles because you can lock out the role.


Before You Begin

Do not set this protection system-wide on a system that you use for administrative activities.

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the LOCK_AFTER_RETRIES security attribute to YES.
    • Set system-wide.
      # pfedit /etc/security/policy.conf
      ...
      #LOCK_AFTER_RETRIES=NO
      LOCK_AFTER_RETRIES=YES
      ...
    • Set per user.
      # usermod -K lock_after_retries=yes username
  2. Set the RETRIES security attribute to 3.
    # pfedit /etc/default/login
    ...
    #RETRIES=5
    RETRIES=3
    ...

See Also

How to Set More Restrictive umask Value for Regular Users

If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

See Also

For more information, see the following:

How to Audit Significant Events in Addition to Login/Logout

Use this procedure to audit administrative commands, attempts to invade the system, and other significant events as specified by your site security policy.


Note - The examples in this procedure might not be sufficient to satisfy your security policy.


Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Audit all uses of privileged commands by users and roles.

    For all users and roles, add the AUE_PFEXEC audit event to their preselection mask.

    # usermod -K audit_flags=lo,ps:no username
    # rolemod -K audit_flags=lo,ps:no rolename
  2. Record the arguments to audited commands.
    # auditconfig -setpolicy +argv
  3. Record the environment in which audited commands are executed.
    # auditconfig -setpolicy +arge

See Also

How to Monitor lo Events in Real Time

Use this procedure to activate the audit_syslog plugin for events that you want to monitor as they happen.

Before You Begin

You must assume the root role to modify the syslog.conf file. Other steps require you to be assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Send the lo class to the audit_syslog plugin, and make the plugin active.
    # auditconfig -setplugin audit_syslog active p_flags=lo
  2. Determine which system-log service instance is online.
    # svcs system-log
    STATE          STIME    FMRI
    disabled       13:11:55 svc:/system/system-log:rsyslog
    online         13:13:27 svc:/system/system-log:default

    Tip - If the rsyslog service instance is online, modify the rsyslog.conf file.


  3. Add an audit.notice entry to the syslog.conf file.

    The default entry includes the location of the log file.

    # cat /etc/syslog.conf
    …
    audit.notice       /var/adm/auditlog
  4. Create the log file.
    # touch /var/adm/auditlog
  5. Refresh the configuration information for the system-log service.
    # svcadm refresh system-log:default

    Note - Refresh the system-log:rsyslog service instance if the rsyslog service is online.


  6. Refresh the audit service.

    The audit service reads the changes to the audit plugin upon refresh.

    # audit -s

See Also

How to Remove Unneeded Basic Privileges From Users

Under particular circumstances, one or more of three basic privileges can be removed from a regular user's basic set.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Prevent a user from linking to a file that the user does not own.
    # usermod -K 'defaultpriv=basic,!file_link_any' user
  2. Prevent a user from examining processes that the user does not own.
    # usermod -K 'defaultpriv=basic,!proc_info' user
  3. Prevent a user from starting a second session, such as starting an ssh session, from the user's current session.
    # usermod -K 'defaultpriv=basic,!proc_session' user
  4. Remove all three privileges from a user's basic set.
    # usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user

See Also

For more information, see Chapter 8, Using Roles and Privileges (Overview), in Oracle Solaris 11.1 Administration: Security Services and the privileges(5) man page.