JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

Controlling Access to a Computer System

Maintaining Physical Security

Maintaining Login Control

Managing Password Information

Password Encryption

Special System Accounts

Remote Logins

Controlling Access to Devices

Device Policy (Overview)

Device Allocation (Overview)

Controlling Access to Machine Resources

Limiting and Monitoring Superuser

Configuring Role-Based Access Control to Replace Superuser

Preventing Unintentional Misuse of System Resources

Setting the PATH Variable

Assigning a Restricted Shell to Users

Restricting Access to Data in Files

Restricting setuid Executable Files

Using the Secure by Default Configuration

Using Resource Management Features

Using Oracle Solaris Zones

Monitoring Use of Machine Resources

Monitoring File Integrity

Controlling Access to Files

Protecting Files With Encryption

Using Access Control Lists

Sharing Files Across Machines

Restricting root Access to Shared Files

Controlling Network Access

Network Security Mechanisms

Authentication and Authorization for Remote Access

Firewall Systems

Encryption and Firewall Systems

Reporting Security Problems

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Controlling Access to a Computer System

In the workplace, all computers that are connected to a server can be thought of as one large multifaceted system. You are responsible for the security of this larger system. You need to defend the network from outsiders who are trying to gain access. You also need to ensure the integrity of the data on the computers within the network.

At the file level, Oracle Solaris provides standard security features that you can use to protect files, directories, and devices. At the system and network levels, the security issues are mostly the same. The first line of security defense is to control access to your system.

You can control and monitor system access by doing the following:

Maintaining Physical Security

To control access to your system, you must maintain the physical security of your computing environment. For instance, a system that is logged in and left unattended is vulnerable to unauthorized access. An intruder can gain access to the operating system and to the network. The computer's surroundings and the computer hardware must be physically protected from unauthorized access.

You can protect a SPARC system from unauthorized access to the hardware settings. Use the eeprom command to require a password to access the PROM. For more information, see How to Require a Password for Hardware Access. To protect x86 hardware, consult the vendor documentation.

Maintaining Login Control

You also must prevent unauthorized logins to a system or the network, which you can do through password assignment and login control. All accounts on a system must have a password. A password is a simple authentication mechanism. An account without a password makes your entire network accessible to an intruder who guesses a user name. A strong password algorithm protects against brute force attacks.

When a user logs in to a system, the login command checks the appropriate naming service or directory service database according to the information in the name switch service, svc:/system/name-service/switch. The following databases can affect login:

For a description of the naming service, see the nscd(1M) man page. For information about naming services and directory services, see the Oracle Solaris Administration: Naming and Directory Services.

The login command verifies the user name and password that were supplied by the user. If the user name is not in the password database, the login command denies access to the system. If the password is not correct for the user name that was specified, the login command denies access to the system. When the user supplies a valid user name and its corresponding password, the system grants the user access to the system.

PAM modules can streamline login to applications after a successful system login. For more information, see Chapter 15, Using PAM.

Sophisticated authentication and authorization mechanisms are available on Oracle Solaris systems. For a discussion of authentication and authorization mechanisms at the network level, see Authentication and Authorization for Remote Access.

Managing Password Information

When users log in to a system, they must supply both a user name and a password. Although logins are publicly known, passwords must be kept secret. Passwords should be known only to each user. Users must choose their passwords carefully and change them often.

Passwords are initially created when you set up a user account. To maintain security on user accounts, you can set up password aging to force users to routinely change their passwords. You can also disable a user account by locking the password. For detailed information about administering passwords, see Chapter 2, Managing User Accounts and Groups (Overview), in Oracle Solaris Administration: Common Tasks and the passwd(1) man page.

Local Passwords

If your network uses local files to authenticate users, the password information is kept in the system's /etc/passwd and /etc/shadow files. The user name and other information are kept in the /etc/passwd file. The encrypted password itself is kept in a separate shadow file, /etc/shadow. This security measure prevents a user from gaining access to the encrypted passwords. While the /etc/passwd file is available to anyone who can log in to a system, only superuser can read the /etc/shadow file. You can use the passwd command to change a user's password on a local system.

NIS Passwords

If your network uses NIS to authenticate users, password information is kept in the NIS password map. NIS does not support password aging. You can use the command passwd -r nis to change a user's password that is stored in an NIS password map.

LDAP Passwords

The Oracle Solaris LDAP naming service stores password information and shadow information in the ou=people container of the LDAP directory tree. On the Oracle Solaris LDAP naming service client, you can use the passwd -r ldap command to change a user's password. The LDAP naming service stores the password in the LDAP repository.

Password policy is enforced on the Oracle Directory Server Enterprise Edition. Specifically, the client's pam_ldap module follows the password policy controls that are enforced on the Oracle Directory Server Enterprise Edition. For more information, see LDAP Naming Services Security Model in Oracle Solaris Administration: Naming and Directory Services.

Password Encryption

Strong password encryption provides an early barrier against attack. Oracle Solaris software provides six password encryption algorithms. The Blowfish, MD5, and SHA algorithms provide more robust password encryption than the UNIX algorithm.

Password Algorithm Identifiers

You specify the algorithms configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table. For the identifier-algorithm mapping, see the /etc/security/crypt.conf file.

Table 2-1 Password Encryption Algorithms

Identifier
Description
Algorithm Man Page
1
The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.
2a
The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.
md5
The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.
5
The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords.
6
The SHA512 algorithm.
__unix__
The traditional UNIX encryption algorithm.
Algorithms Configuration in the policy.conf File

The following shows the default algorithms configuration in the policy.conf file:

#
…
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed
to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Oracle Solaris default is a SHA256 based algorithm.  To revert to
# the policy present in Solaris releases set CRYPT_DEFAULT=__unix__,
# which is not listed in crypt.conf(4) since it is internal to libc.
#
CRYPT_DEFAULT=5
…

When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value.

When existing users change their passwords, how their old password was encrypted affects which algorithm is used to encrypt the new password. For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6, and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password.

Identifier = Password Algorithm
Explanation
Initial Password
Changed Password
1 = crypt_bsdmd5
Uses same algorithm
The 1 identifier is also the value of CRYPT_DEFAULT. The user's password continues to be encrypted with the crypt_bsdmd5 algorithm.
2a = crypt_bsdbf
Uses same algorithm
The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsbdf algorithm.
md5 = crypt_md5
Uses same algorithm
The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm.
5 = crypt_sha256
Uses same algorithm
The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha256 algorithm.
6 = crypt_sha512
Uses same algorithm
The 6 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha512 algorithm.
__unix__ = crypt_unix
Uses crypt_bsdmd5 algorithm
The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm.

For more information about configuring the algorithm choices, see the policy.conf(4) man page. To specify password encryption algorithms, see Changing the Default Algorithm for Password Encryption (Tasks).

Special System Accounts

The root account is one of several special system accounts. Of these accounts, only the root account is assigned a password and can log in. The nuucp account can log in for file transfers. The other system accounts either protect files or run administrative processes without using the full powers of root.


Caution

Caution - Never change the password setting of a system account. System accounts from Oracle Solaris are delivered in a safe and secure state.


The following table lists some system accounts and their uses. The system accounts perform special functions. Each account has a UID that is less than 100.

Table 2-2 System Accounts and Their Uses

System Account
UID
Use
root
0
Has almost no restrictions. Can override other protections and permissions. The root account has access to the entire system. The password for the root login should be very carefully protected. The root account, owns most of the Oracle Solaris commands.
daemon
1
Controls background processing.
bin
2
Owns some Oracle Solaris commands.
sys
3
Owns many system files.
adm
4
Owns some administrative files.
lp
71
Owns the object data files and spooled data files for the printer.
uucp
5
Owns the object data files and spooled data files for UUCP, the UNIX-to-UNIX copy program.
nuucp
9
Is used by remote systems to log in to the system and start file transfers.

Remote Logins

Remote logins offer a tempting avenue for intruders. Oracle Solaris provides several commands to monitor, limit, and disable remote logins. For procedures, see Securing Logins and Passwords (Task Map).

By default, remote logins cannot gain control or read certain system devices, such as the system mouse, keyboard, frame buffer, or audio device. For more information, see the logindevperm(4) man page.