Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

How to Change Security Defaults in System Files

Files in the /etc/security and /etc/default directories contain security values. For more information, see Chapter 3, Controlling Access to Systems in Securing Systems and Attached Devices in Oracle Solaris 11.4.


Note -  If you are using the account-policy SMF stencil and the group property for a security attribute is enabled, then security policy is determined by the SMF property. The value in an /etc file is not used. For examples of viewing and changing account-policy properties, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

Caution

Caution  -  Relax system security defaults only if site security policy allows you to.


Before You Begin

You are in the global zone and are assigned the solaris.admin.edit/filename authorization. By default, the root role has this authorization.

  • Edit the system file.

    The following table lists the security files and which security values you might change in the files. The first two files are unique to Trusted Extensions.

    File
    Task
    For More Information
    /etc/default/login
    Reduce the allowed number of password tries.
    See the passwd(1) man page.

    Note -  If account-policy is enabled and config/etc_default_login is enabled, this file is not used. See the preceding note and the account-policy(8S) man page.

    /etc/default/kbd
    Disable keyboard shutdown.

    Note -  On hosts that are used by administrators for debugging, the default setting for KEYBOARD_ABORT allows access to the kadb kernel debugger.

    kadb(8) man page
    /etc/security/policy.conf
    Require a more powerful algorithm for user passwords.
    Remove a basic privilege from all users of this host.
    Restrict users of this host to Basic Solaris User authorizations.
    See the policy.conf(5) man page.

    Note -  If account-policy is enabled and config/etc_default_login and config/etc_security_policyconf are enabled, this file is not used. See the preceding note and the account-policy(8S) man page.

    /etc/default/passwd
    Require users to change passwords frequently.
    Require users to create maximally different passwords.
    Require a longer user password.
    Require a password that cannot be found in your dictionary.
    See the passwd(1) man page.

    Note -  If account-policy is enabled and config/etc_default_passwd is enabled, this file is not used. See the preceding note and the account-policy(8S) man page.