In this section, you change the default umask value for all users, prevent malicious login attempts by limiting failed logins, and remove the ability of console users to shut down the system. You can limit failed login attempts per system, per user, or through a rights profile. For a discussion of password constraints, see Passwords and Password Policy in Oracle Solaris 11.4 Security and Hardening Guidelines.
This section assumes that you have completed New Feature – Enabling the account-policy Service.
$ svcprop -p login/environment account-policy:default
login/environment/path astring
login/environment/root_path astring
login/environment/set_shell boolean
login/environment/timezone astring
login/environment/ulimit integer
login/environment/umask integer
For an example, see How to Set a More Restrictive umask Value for All Logins. See also the account-policy(8S) man page.
In this procedure, you change the default umask value for all users. The umask utility sets the file permission bits of user-created files. If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.
Before You Begin
You have completed New Feature – Enabling the account-policy Service. You must become an administrator who is assigned the User Security rights profile. The root role is assigned this profile. For more information, see Using Your Assigned Administrative Rights.
umask 026 – Provides moderate file protection (751) – r for group, x for others
umask 027 – Provides strict file protection (750) – r for group, no access for others
umask 077 – Provides complete file protection (700) – No access for group or others
$ svcprop account-policy | grep umask
login/environment/umask integer
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_default_login/disabled = boolean: false
svc:/.../account-policy> setprop login/environment/umask = 026
svc:/.../account-policy> exit
$ svcadm refresh account-policy
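To check what each mask listed in this procedure does to newly created files and directories, the following added example (not part of the Oracle procedure) creates a probe file and a probe directory under each mask and reports the resulting permission bits. The function names perms_under_umask and umask_report are hypothetical helpers introduced for this illustration.

```shell
#!/bin/sh
# Added illustration, not Oracle's code: report the permission bits that a
# newly created file or directory receives under a given umask.

# perms_under_umask MASK KIND  -> prints the nine permission characters
#   MASK: octal umask such as 026    KIND: "file" or "dir"
perms_under_umask() {
    (   # subshell: the umask change never leaks into the calling shell
        mask=$1
        kind=$2
        case $kind in
            file|dir) ;;
            *) echo "kind must be file or dir" >&2; exit 2 ;;
        esac
        tmp=$(mktemp -d) || exit 1
        umask "$mask" || { rm -rf "$tmp"; exit 1; }
        if [ "$kind" = file ]; then
            : > "$tmp/probe"        # shells request mode 666 for new files
        else
            mkdir "$tmp/probe"      # mkdir requests mode 777
        fi
        # Characters 2-10 of "ls -ld" output are the owner/group/other bits.
        perms=$(ls -ld "$tmp/probe" | cut -c2-10)
        rm -rf "$tmp"
        printf '%s\n' "$perms"
    )
}

# Compare the default mask (022) with the three masks listed in the procedure.
umask_report() {
    for m in 022 026 027 077; do
        printf 'umask %s  file=%s  dir=%s\n' "$m" \
            "$(perms_under_umask "$m" file)" \
            "$(perms_under_umask "$m" dir)"
    done
}

umask_report
```

The parenthesized modes in the list (751, 750, 700) are what new directories receive; regular files are created without execute bits, so the same masks yield 640, 640, and 600. Run the report in a fresh login session after refreshing the service to confirm that the new default is in effect.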
For more information, see the following: