
Oracle® Solaris 11.3 Security and Hardening Guidelines


Updated: March 2018

Protecting Users and Assigning Additional Rights

Users are assigned a basic set of privileges, rights profiles, and authorizations from the /etc/security/policy.conf file, similar to the initial user as described in System Access Is Limited and Monitored. These rights are configurable. You can deny basic rights and increase the rights for a user.

Oracle Solaris protects users with flexible complexity requirements for passwords, authentication that is configurable for different site requirements, and user rights management, which uses rights profiles, authorizations, and privileges to limit and distribute administrative rights to trusted users. Additionally, roles, which are special shared accounts, grant a user administrative rights only while the user has assumed the role. The ARMOR package provides predefined roles. For more information, see Using ARMOR Roles in Securing Users and Processes in Oracle Solaris 11.3.

Passwords and Password Policy

Your password change policy should follow industry standards. System administration logins, such as root, must be carefully controlled. Administration should be through roles, users with rights profiles, or sudo. These administrative methods use least privilege and write administrative events to the audit trail.

Note - The passwords for users who can assume roles must not be subject to any password aging constraints.

Pluggable Authentication Modules

The Pluggable Authentication Module (PAM) framework enables administrators to coordinate and configure user authentication requirements for accounts, credentials, sessions, and passwords without modifying the services that require authentication.

The PAM framework enables organizations to customize the user authentication experience as well as account, session, and password management functionality. System entry services such as login and ssh use the PAM framework to secure all entry points for the freshly installed system. PAM enables the replacement or modification of authentication modules in the field to secure the system against any newly found weaknesses without requiring changes to any system services that use the PAM framework.

User Rights Management

User rights in Oracle Solaris are governed by the security principle of least privilege. Organizations can selectively grant administrative rights to users or roles according to the unique needs and requirements of the organization. They can also deny rights to users when required. Rights are implemented as privileges on processes and authorizations on users or SMF methods. Rights profiles provide a convenient way to collect privileges and authorizations into a bundle of related rights.
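As an added illustration of the mechanics described in this section and in the opening paragraph (example code, not Oracle's or a tool the guide ships), the following Python models how PRIV_DEFAULT and PRIV_LIMIT in policy.conf combine with a user's defaultpriv/limitpriv keys, so that a denied basic privilege or an added privilege outside the limit set can be seen before it reaches a login. The membership of the basic privilege set is an assumption to verify with ppriv -l basic, and the policy.conf sample is constructed.

```python
# Added example, not Oracle's code: models how a Solaris user's default privilege set is
# built from policy.conf and per-user overrides. BASIC is assumed; check with `ppriv -l basic`.
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})

def expand_privs(spec):
    """Expand 'basic,!file_link_any,proc_priocntl' into a set. Tokens apply left to
    right: 'basic' adds the basic set, 'name' adds, '!name' removes a privilege."""
    privs = set()
    for tok in (t.strip() for t in spec.split(",") if t.strip()):
        if tok == "basic":
            privs |= BASIC
        elif tok.startswith("!"):
            privs.discard(tok[1:])
        else:
            privs.add(tok)
    return frozenset(privs)

def parse_policy_conf(text):
    """Read KEY=value lines from policy.conf-style text, skipping comments and blanks."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg

def effective_privs(policy, user_attrs=None):
    """Combine PRIV_DEFAULT/PRIV_LIMIT with a user's defaultpriv/limitpriv keys (a
    per-user key replaces the site value). Returns (default, limit, excess): limit is
    None for 'all', excess is every default privilege the limit set does not cover."""
    user_attrs = user_attrs or {}
    default = expand_privs(user_attrs.get("defaultpriv", policy.get("PRIV_DEFAULT", "basic")))
    limit_spec = user_attrs.get("limitpriv", policy.get("PRIV_LIMIT", "all"))
    limit = None if "all" in limit_spec.split(",") else expand_privs(limit_spec)
    excess = frozenset() if limit is None else default - limit
    return default, limit, excess

# Constructed sample of /etc/security/policy.conf; not copied from any real system.
POLICY_CONF = """\
PROFS_GRANTED=Basic Solaris User
PRIV_DEFAULT=basic,!file_link_any
PRIV_LIMIT=basic,proc_priocntl
"""

if __name__ == "__main__":  # a user granted sys_time beyond the site limit: it is flagged
    print(sorted(effective_privs(parse_policy_conf(POLICY_CONF), {"defaultpriv": "basic,sys_time"})[2]))
```

The excess set is the gap a reviewer should question: a privilege in a user's default set that the limit set will never permit.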