Trusted Extensions Configuration and Administration

Updated: November 2020
 
 

How to Change Security Defaults in System Files

Files in the /etc/security and /etc/default directories contain security values. For more information, see Chapter 3, "Controlling Access to Systems," in "Securing Systems and Attached Devices in Oracle Solaris 11.4."


Note -  If you are using the account-policy SMF stencil and the group property for a security attribute is enabled, then security policy is determined by the SMF property. The value in an /etc file is not used. For examples of viewing and changing account-policy properties, see the procedures in "Modifying Rights System-Wide As SMF Properties" in "Securing Users and Processes in Oracle Solaris 11.4." See also the account-policy(8S) man page.

Caution  -  Relax system security defaults only if site security policy allows you to.


Before You Begin

You are in the global zone and are assigned the solaris.admin.edit/filename authorization. By default, the root role has this authorization.

  • Edit the system file.

    The following table lists the security files and which security values you might change in the files. The first two files are unique to Trusted Extensions.

    File: /etc/default/login
    Task: Reduce the allowed number of password tries.
    For More Information: See the passwd(1) man page.

    Note -  If account-policy is enabled and config/etc_default_login is enabled, this file is not used. See the preceding note and the account-policy(8S) man page.

    File: /etc/default/kbd
    Task: Disable keyboard shutdown.

    Note -  On hosts that are used by administrators for debugging, the default setting for KEYBOARD_ABORT allows access to the kadb kernel debugger.

    For More Information: kadb(8) man page

    File: /etc/security/policy.conf
    Task:
      • Require a more powerful algorithm for user passwords.
      • Remove a basic privilege from all users of this host.
      • Restrict users of this host to Basic Solaris User authorizations.
    For More Information: See the policy.conf(5) man page.

    Note -  If account-policy is enabled and config/etc_default_login and config/etc_security_policyconf are enabled, this file is not used. See the preceding note and the account-policy(8S) man page.

    File: /etc/default/passwd
    Task:
      • Require users to change passwords frequently.
      • Require users to create maximally different passwords.
      • Require a longer user password.
      • Require a password that cannot be found in your dictionary.
    For More Information: See the passwd(1) man page.

    Note -  If account-policy is enabled and config/etc_default_passwd is enabled, this file is not used. See the preceding note and the account-policy(8S) man page.
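
The following read-only check is an added example, not part of the Oracle documentation: it reports which of the security keywords behind the tasks in the table are actively set in each file, treating commented-out lines as unset. Except for KEYBOARD_ABORT, the keyword names (RETRIES, CRYPT_DEFAULT, PRIV_DEFAULT, MAXWEEKS, MINDIFF, PASSLENGTH, DICTIONLIST) are assumed from the standard contents of these files, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report which security keywords are actively set in the
# files from the table. Keyword names other than KEYBOARD_ABORT are an
# assumption (standard Solaris keywords, not listed on this page).
# It reads files only; it cannot tell whether account-policy SMF
# properties override them.

# Print the active value of keyword $2 in file $1. Commented-out lines
# (#KEY=value) do not count; the last active assignment wins.
active_value() {
    awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); found = 1 }
        END { if (!found) exit 1; print v }' "$1" 2>/dev/null
}

# Audit the files under root directory $1 (use "" for the live system).
audit_defaults() {
    while read -r file key; do
        if val=$(active_value "$1$file" "$key"); then
            echo "SET   $file $key=$val"
        else
            echo "UNSET $file $key"
        fi
    done <<EOF
/etc/default/login RETRIES
/etc/default/kbd KEYBOARD_ABORT
/etc/security/policy.conf CRYPT_DEFAULT
/etc/security/policy.conf PRIV_DEFAULT
/etc/default/passwd MAXWEEKS
/etc/default/passwd MINDIFF
/etc/default/passwd PASSLENGTH
/etc/default/passwd DICTIONLIST
EOF
}

# Constructed sample tree so the example runs on any POSIX system.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/default" "$d/etc/security" || return 1
    printf '#RETRIES=5\nRETRIES=3\n' > "$d/etc/default/login"
    printf '#KEYBOARD_ABORT=enable\n' > "$d/etc/default/kbd"
    printf 'CRYPT_DEFAULT=6\n#PRIV_DEFAULT=basic\n' > "$d/etc/security/policy.conf"
    printf 'MAXWEEKS=8\nPASSLENGTH=12\n#MINDIFF=3\n' > "$d/etc/default/passwd"
    echo "$d"
}

sample=$(make_sample) && audit_defaults "$sample"
rm -rf "$sample"
```

An UNSET line means the file leaves that keyword at its built-in default, which is the value to compare against site security policy before editing.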