
Trusted Extensions Configuration and Administration


Updated: December 2017
 
 

How to Modify policy.conf Defaults

Changing the policy.conf defaults in Trusted Extensions is identical to changing any security-relevant system file in Oracle Solaris. Use this procedure to change the defaults for all users of a system. The file is consulted when a login session is created, so a change applies to sessions started after the edit; sessions that are already open keep the values they were given at login.

Before You Begin

You must be in the root role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Review the default settings in the /etc/security/policy.conf file.

    For Trusted Extensions keywords, see Table 16, Trusted Extensions Security Defaults in policy.conf File.

  2. Modify the settings.
    # pfedit /etc/security/policy.conf

Example 12  Changing the System's Idle Settings

In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the root role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:

IDLECMD=LOGOUT

The administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the root role adds the IDLETIME keyword=value pair to the policy.conf file as follows:

IDLETIME=10

The system now logs out the user after the system is idle for 10 minutes.

Note that if the login user assumes a role, the user's IDLECMD and IDLETIME values are in effect for that role.

Example 13  Modifying Every User's Basic Privilege Set

In this example, the security administrator of a large Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/security/policy.conf file, which ships commented out, is uncommented and modified as follows:

PRIV_DEFAULT=basic,!proc_info

Example 14  Assigning Printing-Related Authorizations to All Users of a System

In this example, site security permits a public kiosk computer to print without labels. On the public kiosk, the root role modifies the value for AUTHS_GRANTED in the /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.

AUTHS_GRANTED=solaris.print.unlabeled

Then, the administrator decides to save paper by removing banner and trailer pages. The administrator further modifies the policy.conf entry.

AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner

After the public kiosk is rebooted, all print jobs are unlabeled, and have no banner or trailer pages.
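The following helper applies the keyword=value changes from Examples 12 through 14 to a scratch copy of policy.conf and then reads back the effective values. It is an added example, not part of the Oracle documentation or of Oracle Solaris: the sample file contents are constructed to resemble a stock policy.conf, the function names set_policy and get_policy are hypothetical, and on a live system the edit itself should still be made with pfedit as the procedure above shows. What the helper adds beyond the examples is the two checks a practitioner wants: a keyword that exists only as a commented default (such as #PRIV_DEFAULT=basic) reads back as unset until it is uncommented, and re-applying a setting never leaves a duplicate active line behind.

```shell
#!/bin/sh
# Constructed sample resembling /etc/security/policy.conf (not the real file).
SAMPLE='# policy.conf sample (constructed for this example)
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
LOCK_AFTER_RETRIES=NO
CRYPT_DEFAULT=5
'

# get_policy FILE KEY
# Print the effective value of KEY: the last uncommented KEY=value line.
# Commented-out defaults such as "#PRIV_LIMIT=all" are ignored, exactly as
# the system ignores them, so an unset keyword prints nothing.
get_policy() {
    awk -F= -v key="$2" '
        $0 !~ /^[ \t]*#/ && $1 == key { val = substr($0, index($0, "=") + 1) }
        END { if (val != "") print val }' "$1"
}

# set_policy FILE KEY VALUE
# Rewrite FILE so that KEY=VALUE is the single active setting for KEY.
# An existing active line is replaced, a commented default ("#KEY=...") is
# uncommented in place, any further copies are dropped, and if KEY does not
# occur at all the pair is appended. The file is overwritten through cat
# rather than mv so its owner and mode are preserved.
set_policy() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            stripped = line
            sub(/^[ \t]*#?[ \t]*/, "", stripped)   # drop leading "#" to spot defaults
            split(stripped, parts, "=")
            if (parts[1] == key) {
                if (!done) { print key "=" value; done = 1 }
                next                                # also drops duplicate lines
            }
            print line
        }
        END { if (!done) print key "=" value }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a scratch copy: the changes from Examples 12-14 applied together.
demo() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE" > "$f"
    set_policy "$f" IDLECMD LOGOUT
    set_policy "$f" IDLETIME 10
    set_policy "$f" PRIV_DEFAULT 'basic,!proc_info'
    set_policy "$f" AUTHS_GRANTED 'solaris.print.unlabeled,solaris.print.nobanner'
    for k in IDLECMD IDLETIME PRIV_DEFAULT AUTHS_GRANTED PRIV_LIMIT; do
        printf '%-14s %s\n' "$k" "$(get_policy "$f" "$k")"
    done
    rm -f "$f"
}
demo
```

PRIV_LIMIT prints empty in the demo because it is still commented out in the sample; that is the trap Example 13 avoids by uncommenting PRIV_DEFAULT rather than adding a second line below the comment. After the change is made on the system and a user logs in again, ppriv $$ in that user's shell should list a basic set without proc_info, and auths should list the print authorizations granted in Example 14.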