Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

How to Modify policy.conf Defaults

Changing the policy.conf defaults in Trusted Extensions is identical to changing any security-relevant system file in Oracle Solaris. Use this procedure to change the defaults for all users of a system.

If you are using the account-policy SMF stencil and config/etc_security_policyconf is enabled, then system-wide security policy is determined by the rbac/* SMF properties, not by the variables in the policy.conf file. For examples of viewing and changing account-policy properties, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

Before You Begin

You must be in the root role in the global zone.

  1. Review the default settings in the /etc/security/policy.conf file.

    For Trusted Extensions keywords, see Figure 13, Table 13, Trusted Extensions Security Defaults in policy.conf File.

  2. Modify the settings.
    # pfedit /etc/security/policy.conf
Example 12  Changing the System's Idle Settings

In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the root role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:

IDLECMD=LOGOUT

The administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the root role adds the IDLETIME keyword=value pair to the policy.conf file as follows:

IDLETIME=10

The system now logs out the user after the system is idle for 10 minutes.

Note that if the login user assumes a role, the user's IDLECMD and IDLETIME values are in effect for that role.

Example 13  Modifying Every User's Basic Privilege Set

In this example, the security administrator of a central server does not want its users to view the processes of other users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges.

The PRIV_DEFAULT setting in the /etc/policy.conf file is uncommented and modified as follows:

PRIV_DEFAULT=basic,!proc_info
Example 14  Assigning Printing-Related Authorizations to All Users of a System

In this example, site security permits a public kiosk computer to print without labels. On the public kiosk, the root role modifies the value for AUTHS_GRANTED in the /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.

AUTHS_GRANTED=solaris.print.unlabeled

Then, the administrator decides to save paper by removing banner and trailer pages. The administrator further modifies the policy.conf entry.

AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner

After the public kiosk is rebooted, all print jobs are unlabeled, and have no banner or trailer pages.