This section highlights information for existing customers about important new features in user rights, also called role-based access control (RBAC) and new features in process rights, also called privileges.
Oracle Solaris puts labels on data and user processes. This feature provides data loss protection for directories and information that site security requires to have special protections. While labeling is always on, it does not change the behavior of the system until the administrator configures a labeling hierarchy, applies labels to particular files and directories, and enables trusted users to run labeled processes.
The minimum password length is 8 characters instead of 6. For more information, see the passwd(1) man page.
/etc/security/policy.conf /etc/default/login /etc/default/passwd /etc/default/su
The attributes and their values are loaded and managed as SMF services when the svc:/system/account-policy:default service is online and the security attributes from a legacy /etc file are enabled, for example, all security attributes from the /etc/default/su file.
For more information, see the account-policy(8S) man page, Modifying System-Wide Privileges, Authorizations, and Rights Profiles, and Security Attributes in Files and Their Corresponding SMF Properties.
You can administer an immutable zone over a remote RAD interface. For more information, see Administering Immutable Zones.
The user_attr database includes additional security attributes.
By enabling the login_policy/annotation=value security attribute in the account-policy SMF stencil or by setting the value in a user account, the administrator can require (yes) or request (optional) that users annotate the purpose of their login. The annotation is added to the audit record for the login event. If the account-policy service is not enabled, the value can be set system-wide in the policy.conf file.
For more information, see New Feature – Annotating Reason for Access in the Audit Record in Managing Auditing in Oracle Solaris 11.4 and the pam_unix_cred(7) and account-policy(8S) man pages.
By enabling the login_policy/auto_unlock_time=time security attribute in the account-policy SMF stencil or by setting the value in a user account, the administrator can specify the time after which a successful authentication automatically unlocks a locked account. Administrators can specify the time as a number of minutes, hours, days, or weeks. If the account-policy service is not enabled, the value can be set system-wide in the policy.conf file.
If a time for this attribute is not specified, the administrator must explicitly unlock the account, as shown in How to Set Account Locking for Regular Users.
Oracle Solaris provides the pam_otp_auth PAM module for processing one-time passwords (OTP). OTPs provide a second authentication step before login. The package that installs the module also installs two PAM stacks in the /etc/security/pam_policy directory. For more information, see Task Map: Using OTP in Oracle Solaris in Managing Authentication in Oracle Solaris 11.4.
Oracle Solaris provides the pam_pkcs11 PAM module for managing smart card authentication. Smart cards enable users to log in only if they 1) possess a smart card that is recognized by the login server and 2) can supply the correct PIN. For more information, see Chapter 3, Using Smart Cards for Multifactor Authentication in Oracle Solaris in Managing Authentication in Oracle Solaris 11.4.