This chapter is from the book
This chapter is from the book
This chapter is from the book
Miscellaneous Configuration
The following configuration items apply to both local and remote security.
The /etc/issue File
The contents of the /etc/issue file are displayed on the console during login and for incoming Telnet connections. It is often used to display information about the system or network. This file should contain warnings about inappropriate and unauthorized use of the system. It should warn users that their sessions and accounts may be monitored for illegal or inappropriate use. Consult your legal counsel for more information.
Here is the legal warning found in the Solaris Security Toolkit:
# This system is for the use of authorized users only. # Individuals using this computer system without authority, or in # excess of their authority, are subject to having all of their # activities on this system monitored and recorded by system # personnel. # # In the course of monitoring individuals improperly using this # system, or in the course of system maintenance, the activities # of authorized users may also be monitored. # # Anyone using this system expressly consents to such monitoring # and is advised that if such monitoring reveals possible # evidence of criminal activity, system personnel may provide the # evidence of such monitoring to law enforcement officials.
The message of the day file (/etc/motd) can be used to display warnings.
Pluggable Authentication Module (PAM)
The Pluggable Authentication Module (PAM) architecture provides authentication, account management, session management, and password management mechanisms to applications in modular form. All the Solaris OE authentication applications use the PAM system to authenticate users and manage accounts. Each PAM module can be implemented as a shared library object. The configuration file for the PAM system is /etc/pam.conf.
The PAM system exists to provide system programmers the ability to replace the methods used to manage accounts and users. For example, it may be desirable to limit the time periods that a group of users is allowed to be logged into a system. To implement this feature, a PAM module can be written to restrict users in this way without having to replace the authentication programs.
To disable a specific log-in method, remove or comment out its entry in the PAM configuration file. The rlogin and rsh services use inadequate authentication for security and should be replaced with an SSH protocol system such as ssh or OpenSSH. Comment out the following lines in /etc/pam.conf:
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 rsh auth required [ccc]/usr/lib/security/pam_rhosts_auth.so.1
If you disable the PAM configuration for rlogin and rsh services, also remove them from the /etc/inet/inetd.conf file. See the next section for more information.
Be careful when editing the /etc/pam.conf file. Errors will prevent all PAM services from operating and users will not be able to log in. To correct the problem, the system must be booted into single-user mode. Also, do not change the original ownership or file permissions of the /etc/pam.conf, because this will prevent PAM from operating and prevent users from logging into the system.
The login Command
The login command is part of the authentication process to access a local Solaris OE account. It is used on the console and by the in.telnetddaemon to determine if a user may be granted access to the system. By default, the rootuser can only log into a Solaris OE system from the console device. The console device is defined by the following entry in the /etc/default/login file:
CONSOLE=/dev/console
When this line is commented out, the root account can log directly into the system over the network via telnet in addition to the console. This is not secure and should be avoided. Do not alter the default configuration.
There are two other potential settings for CONSOLEentry in /etc/default/login. The following entry in /etc/default/login permits only root log-in through the ttya serial device:
CONSOLE=/dev/ttya
If direct root log-ins are to be disallowed entirely, the following CONSOLE entry should be made in /etc/default/login:
The recommended configuration is the default—where root log-ins are only permitted on the console.