Trusted Extensions Configuration and Administration


Updated: July 2014

How to Modify policy.conf Defaults

Changing the policy.conf defaults in Trusted Extensions is identical to changing any security-relevant system file in Oracle Solaris. Use this procedure to change the defaults for all users of a system.

Before You Begin

You must be in the root role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Review the default settings in the /etc/security/policy.conf file.

    For Trusted Extensions keywords, see Table 10–1.

  2. Modify the settings.
    # pfedit /etc/security/policy.conf

Example 11-1  Changing the System's Idle Settings

In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the root role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:

IDLECMD=LOGOUT

The administrator also wants systems to be idle for a shorter time than the default 30 minutes before logout. Therefore, the root role adds the IDLETIME keyword=value pair to the policy.conf file as follows:

IDLETIME=10

The system now logs out the user after the system is idle for 10 minutes.

Note that if the login user assumes a role, the user's IDLECMD and IDLETIME values are in effect for that role.

Example 11-2  Modifying Every User's Basic Privilege Set

In this example, the security administrator of a large Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/security/policy.conf file is uncommented and modified as follows:

PRIV_DEFAULT=basic,!proc_info

Example 11-3  Assigning Printing-Related Authorizations to All Users of a System

In this example, site security permits a public kiosk computer to print without labels. On the public kiosk, the root role modifies the value for AUTHS_GRANTED in the /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.

AUTHS_GRANTED=solaris.print.unlabeled

Then, the administrator decides to save paper by removing banner and trailer pages. The administrator further modifies the policy.conf entry.

AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner

After the public kiosk is rebooted, all print jobs are unlabeled, and have no banner or trailer pages.
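The following shell script is an added example and is not part of the Oracle documentation. It applies the settings from Examples 11-1 through 11-3 to a constructed copy of policy.conf, so it runs on any system with sh and awk, and it reads each effective value back so the edit can be verified before the next login. The function names (set_policy_keyword, get_policy_keyword, validate_policy_file, apply_examples) and the sample file contents are assumptions made for the example; on a real Trusted Extensions system the root role in the global zone would edit /etc/security/policy.conf with pfedit instead.

```shell
#!/bin/sh
# Added example, not Oracle code: edit and verify policy.conf keyword=value
# pairs on a constructed copy of the file.

# make_sample_policy FILE: write a constructed sample of policy.conf.
# The commented-out lines mirror the shipped defaults discussed above
# (IDLECMD=LOCK, IDLETIME=30); the rest is illustrative only.
make_sample_policy() {
    cat > "$1" <<'EOF'
# policy.conf - constructed sample for this example, not the shipped file
#
# IDLECMD=LOCK
# IDLETIME=30
#PRIV_DEFAULT=basic
#AUTHS_GRANTED=solaris.device.cdrw
CRYPT_DEFAULT=5
EOF
}

# get_policy_keyword FILE KEY: print the effective (uncommented) value of
# KEY, or nothing if KEY is not set. The last uncommented assignment wins.
get_policy_keyword() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = substr($0, index($0, "=") + 1) }
        END { if (val != "") print val }
    ' "$1"
}

# set_policy_keyword FILE KEY VALUE: replace the first assignment of KEY,
# whether commented out or active, with KEY=VALUE; drop any later duplicate
# assignments; append KEY=VALUE if the file has none. The edit goes to a
# temporary file first so a failure leaves the original untouched.
set_policy_keyword() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[[:space:]]*#?[[:space:]]*" key "=" }
        $0 ~ re && !done { print key "=" value; done = 1; next }
        $0 ~ re { next }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# validate_policy_file FILE: every non-blank, non-comment line must be
# KEYWORD=value with an upper-case keyword, and IDLETIME, if set, must be a
# whole number of minutes. Reports the first problems and returns non-zero.
validate_policy_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        !/^[A-Z_]+=/ { printf "line %d: not KEYWORD=value: %s\n", NR, $0; bad = 1 }
        /^IDLETIME=/ && $0 !~ /^IDLETIME=[0-9]+$/ {
            printf "line %d: IDLETIME must be an integer: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# apply_examples FILE: the four settings from Examples 11-1 to 11-3.
apply_examples() {
    set_policy_keyword "$1" IDLECMD LOGOUT
    set_policy_keyword "$1" IDLETIME 10
    set_policy_keyword "$1" PRIV_DEFAULT 'basic,!proc_info'
    set_policy_keyword "$1" AUTHS_GRANTED 'solaris.print.unlabeled,solaris.print.nobanner'
}

# Stand-alone demonstration on a constructed file in the temp directory.
demo_file=${TMPDIR:-/tmp}/policy.conf.example.$$
make_sample_policy "$demo_file"
apply_examples "$demo_file"
validate_policy_file "$demo_file" || echo "policy file is malformed" >&2
for k in IDLECMD IDLETIME PRIV_DEFAULT AUTHS_GRANTED CRYPT_DEFAULT; do
    echo "$k=$(get_policy_keyword "$demo_file" "$k")"
done
rm -f "$demo_file"
```

The read-back step matters because policy.conf is consulted for every login on the system: a typo in PRIV_DEFAULT or AUTHS_GRANTED affects all users at once, and a duplicate, still-commented line is easy to mistake for the active one. On a real system, prefer pfedit for the edit itself, since that is the audited, privilege-aware path the procedure above prescribes, and use a check like get_policy_keyword only to confirm the result.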