Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018

New Feature – Enabling the account-policy Service

In Oracle Solaris 11.4, you can set the default rights for a system in SMF.

In legacy systems, you edited files in the /etc directory. When you use SMF, properties of the account-policy indicate the current policies. The security policies are grouped into four stencils:

  • config/etc_security_policyconf
  • config/etc_default_login
  • config/etc_default_passwd
  • config/etc_default_su

When you enable a stencil, you are then able to modify the security attributes that are in that stencil.

  1. To enable the service and verify that it is in effect, run the following commands:

    $ pfexec svcadm enable account-policy
    $ svcs account-policy
    STATE          STIME    FMRI
    online         0:10:00  svc:/system/account-policy:default
  2. Then, you enable the security attribute to be changed and then change its value to your site policy.

    $ pfbash svccfg -s account-policy  \
     setprop config/etc_security-stencil/disabled = boolean: false 
     $ svccfg -s account-policy:default  \
     setprop security-stencil-group/property = [type:] value
    $ svcadm refresh account-policy

Note -  When the account-policy: default SMF service is online, changes to the legacy files, such as /etc/default/login, no longer affect the rights that the system enforces. Similarly, the contents of the files might not reflect current policy.

For a list of security attributes that you can modify system-wide, see Security Attributes in Files and Their Corresponding SMF Properties.