Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
Configuring Devices (Task Map)
Configuring Device Policy (Task Map)
Managing Device Allocation (Task Map)
How to Make a Device Allocatable
How to Authorize Users to Allocate a Device
How to View Allocation Information About a Device
Forcibly Deallocating a Device
How to Change Which Devices Can Be Allocated
How to Audit Device Allocation
How to Mount an Allocated Device
Components of Device Allocation
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Secure Shell (Tasks)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Auditing in Oracle Solaris
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.
% getdevpolicy | more DEFAULT read_priv_set=none write_priv_set=none ip:* read_priv_set=net_rawaccess write_priv_set=net_rawaccess …
Example 4-1 Viewing the Device Policy for a Specific Device
In this example, the device policy for three devices is displayed.
% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/hme /dev/allkmem read_priv_set=all write_priv_set=all /dev/ipsecesp read_priv_set=sys_net_config write_priv_set=sys_net_config /dev/hme read_priv_set=net_rawaccess write_priv_set=net_rawaccess
The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9-3.
# update_drv -a -p policy device-driver
Specifies a policy for device-driver.
Is the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device.
Is the device driver.
For more information, see the update_drv(1M) man page.
Example 4-2 Adding Policy to an Existing Device
In the following example, device policy is added to the ipnat device.
# getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=none write_priv_set=none # update_drv -a \ -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat # getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=net_rawaccess write_priv_set=net_rawaccess
Example 4-3 Removing Policy From a Device
In the following example, the read set of privileges is removed from the device policy for the ipnat device.
# getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=net_rawaccess write_priv_set=net_rawaccess # update_drv -a -p write_priv_set=net_rawaccess ipnat # getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=none write_priv_set=net_rawaccess
By default, the as audit class includes the AUE_MODDEVPLCY audit event.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.
Add the as class to the flags line of the audit_control file. The file would appear similar to the following:
# audit_control file dir:/var/audit flags:lo,as minfree:20 naflags:lo
For detailed instructions, see How to Modify the audit_control File.
Applications that retrieve Oracle Solaris IP MIB-II information should open /dev/arp, not /dev/ip.
% getdevpolicy /dev/ip /dev/arp /dev/ip read_priv_set=net_rawaccess write_priv_set=net_rawaccess /dev/arp read_priv_set=none write_priv_set=none
Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.
No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.