{"id":2972,"date":"2014-03-30T17:27:26","date_gmt":"2014-03-30T09:27:26","guid":{"rendered":"http:\/\/rmohan.com\/?p=2972"},"modified":"2014-03-30T17:27:26","modified_gmt":"2014-03-30T09:27:26","slug":"solaris-10-password-policy-enforcement","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2972","title":{"rendered":"Solaris 10 Password Policy Enforcement"},"content":{"rendered":"<p>I was recently handed a baseline password policy that was to be implemented for all users on the Solaris 10 systems that I support. After a small amount of research I was able to find the various pieces that needed to be altered.<\/p>\n<h3>Desired Policy<\/h3>\n<p>After discussion between the security officer and the other management level staff, the following policy was decided upon:<\/p>\n<h4>Normal User Password Requirements<\/h4>\n<ul>\n<li>at least 8 characters in length<\/li>\n<li>no more than 20 characters in length<\/li>\n<li>contain at least one letter<\/li>\n<li>contain at least one number<\/li>\n<li>forced to change at least every 180 days<\/li>\n<li>15 minute lockout after 5 unsuccessful attempts<\/li>\n<\/ul>\n<p>Most of the restrictions are fairly basic and easily accomplished. The only one I could find no mechanism for in Solaris 10 is the automatic unlock of an account after the specified 15 minutes: a locked account is flagged in \/etc\/shadow and stays locked until an administrator runs <strong>passwd -u<\/strong> on it. While it is possible to determine when an account was locked by looking at the timestamp in the syslog, there is no built-in method for unlocking it after a set amount of time has elapsed. It would be possible to write a script that checks the entries in the shadow file, greps the syslog and does some math on the timestamp, but honestly I am not worried about it.<\/p>\n<h3>Implementation<\/h3>\n<p>The implementation involves editing a small set of files under \/etc that control user login security. 
\u00a0As always when altering system files, make backups of the originals in case things go wrong. The files involved are:<\/p>\n<ol>\n<li>\/etc\/default\/login<\/li>\n<li>\/etc\/default\/passwd<\/li>\n<li>\/etc\/security\/policy.conf<\/li>\n<\/ol>\n<h4>Setting the account lockout (aka Three Strikes)<\/h4>\n<p>The default on a Solaris 10 system is <strong>RETRIES=3<\/strong> in \/etc\/default\/login, which ends the login session after three bad passwords. On its own that does not lock anything: the account is only locked after RETRIES consecutive failures when <strong>LOCK_AFTER_RETRIES=YES<\/strong> is set in \/etc\/security\/policy.conf (the shipped default is NO). We decided to relax the count a little and allow for five retries.<\/p>\n<ol>\n<li>Open <strong>\/etc\/default\/login<\/strong> in your favorite editor<\/li>\n<li>Search for the line reading <strong>RETRIES=3<\/strong><\/li>\n<li>Change the line to read <strong>RETRIES=5<\/strong><\/li>\n<li>Open <strong>\/etc\/security\/policy.conf<\/strong> and set <strong>LOCK_AFTER_RETRIES=YES<\/strong><\/li>\n<\/ol>\n<p>A locked account shows <strong>LK<\/strong> in the output of <strong>passwd -s user<\/strong> and is unlocked with <strong>passwd -u user<\/strong>.<\/p>\n<h4>Configuring the complexity rules<\/h4>\n<p>The password complexity ruleset for Solaris 10 is fairly understandable. The rules are defined in <strong>\/etc\/default\/passwd<\/strong> and the values to be tweaked are:<\/p>\n<ul>\n<li>MINDIFF<\/li>\n<li>MINALPHA<\/li>\n<li>MINNONALPHA<\/li>\n<li>MINUPPER<\/li>\n<li>MINLOWER<\/li>\n<li>MAXREPEATS<\/li>\n<li>MINSPECIAL<\/li>\n<li>MINDIGIT<\/li>\n<li>WHITESPACE<\/li>\n<\/ul>\n<p>The desired policy was to require at least one number and one letter. There was some discussion about special characters, but it was decided not to require any for normal user accounts. Given these requirements the following process is used to implement the complexity ruleset:<\/p>\n<ol>\n<li>Open the file <strong>\/etc\/default\/passwd<\/strong> in your favorite editor<\/li>\n<li>Set the password complexity tunables to look as follows<\/li>\n<\/ol>\n<pre lang=\"bash\">MINDIFF=3\r\nMINALPHA=1\r\n#MINNONALPHA=1\r\n#MINUPPER=1\r\n#MINLOWER=1\r\nMAXREPEATS=0\r\n#MINSPECIAL=0\r\nMINDIGIT=1\r\nWHITESPACE=YES<\/pre>\n<p>MINDIFF=3 requires a new password to differ from the old one in at least three positions. Note that MAXREPEATS=0 disables the consecutive-repeated-character check rather than forbidding repeats; set it to a positive number if you want repeats limited. WHITESPACE=YES permits spaces in passwords.<\/p>\n<h4>Setting the password expiration and length rules<\/h4>\n<p>Configuring account lockouts and password complexity is a great start, however it is not the complete picture. 
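<\/p>
<p>The script below is an added example, not code from the original post. It applies the lockout and complexity settings above in one pass, and also the MAXWEEKS and PASSLENGTH aging and length tunables that live in the same \/etc\/default\/passwd file, against copies of the three files under a staging root such as \/tmp\/stage, backing each file up to a .orig copy first. The set_tunable, get_tunable, days_to_weeks and apply_policy names and the staging-root argument are conventions of this example. It needs a POSIX shell (\/usr\/xpg4\/bin\/sh or ksh on Solaris 10, since \/bin\/sh there is the legacy Bourne shell) and assumes paths and values contain no whitespace.<\/p>

```shell
#!/bin/sh
# Added example (not from the original post): apply the password policy
# from the post to the three files under the root directory given as $1.
# Assumptions: a POSIX shell (/usr/xpg4/bin/sh or ksh on Solaris 10),
# paths and values without whitespace, and a staging root such as
# /tmp/stage to dry-run against copies before using / on a real host.

# set_tunable FILE KEY VALUE: back FILE up to FILE.orig once, then rewrite
# the first active or commented-out KEY= line (RETRIES=3, #MINUPPER=1, ...)
# as KEY=VALUE, drop later duplicates, or append the line if KEY is absent.
set_tunable() {
    file=$1 key=$2 value=$3
    [ -f $file.orig ] || cp $file $file.orig
    awk -v pat='^#*'$key'=' -v kv=$key=$value '
        $0 ~ pat { if (!done) { print kv; done = 1 }; next }
        { print }
        END { if (!done) print kv }
    ' $file > $file.tmp && mv $file.tmp $file
}

# get_tunable FILE KEY: print the active value of KEY (empty if commented out).
get_tunable() {
    sed -n 's/^'$2'=//p' $1
}

# days_to_weeks DAYS: MAXWEEKS is counted in weeks, so round up (180 -> 26).
days_to_weeks() {
    echo $(( ($1 + 6) / 7 ))
}

# apply_policy ROOT: the whole policy from the post.
apply_policy() {
    root=$1
    login=$root/etc/default/login
    passwd=$root/etc/default/passwd
    policy=$root/etc/security/policy.conf
    # lockout: RETRIES alone only ends the session; LOCK_AFTER_RETRIES locks
    set_tunable $login RETRIES 5
    set_tunable $policy LOCK_AFTER_RETRIES YES
    # complexity: at least one letter and one digit, differ in 3 positions
    set_tunable $passwd MINALPHA 1
    set_tunable $passwd MINDIGIT 1
    set_tunable $passwd MINDIFF 3
    set_tunable $passwd MAXREPEATS 0
    set_tunable $passwd WHITESPACE YES
    # aging and minimum length: 180 days rounds up to 26 weeks
    set_tunable $passwd MAXWEEKS $(days_to_weeks 180)
    set_tunable $passwd PASSLENGTH 8
}

# Usage: sh apply_policy.sh /tmp/stage   (then diff each file against .orig)
case $1 in
    ?*) apply_policy $1 ;;
esac
```

<p>Run it against a staging root first, diff each file against its .orig copy, and only then copy the results into \/etc. Running it twice is safe: the backup is taken once and an already-set line is simply rewritten with the same value.<\/p>
<p>Returning to the remaining rules: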
\u00a0While reasonable complexity rules let users set passwords they can readily remember, and a flexible lockout value gives some room for fumble fingers, if users are not required to change their passwords every so often the security of the system can suffer as well.<\/p>\n<p>You should also consider password length. A shorter password, regardless of complexity, is easier to crack from a brute-force standpoint simply because there are fewer combinations to try. The problem is that users tend not to like long passwords, and as you increase the required length you increase the likelihood that the passwords will be built from dictionary words (we can account for that as well).<\/p>\n<p>The agreed upon setting for normal users on our systems was 180 days. Unfortunately the <strong>MAXWEEKS<\/strong> tunable in \/etc\/default\/passwd is measured in weeks, not days, so the setting will have to be slightly longer: 180 days rounds up to 26 weeks (182 days). The password length was decided to be at least 8 characters and no longer than 20 characters; Solaris 10 has no setting to enforce a maximum password length, so only the minimum can be configured.<\/p>\n<ol>\n<li>Open <strong>\/etc\/default\/passwd<\/strong> in your favorite editor<\/li>\n<li>Set the value for <strong>MAXWEEKS<\/strong> to the number of days divided by 7, rounding up (26 for a 180 day policy)<\/li>\n<li>Set the value for <strong>PASSLENGTH<\/strong> to the minimum number of characters (8)<\/li>\n<\/ol>\n<h3>Important Notes and Considerations<\/h3>\n<h4>Password Length<\/h4>\n<p>The default password hashing algorithm under Solaris 10 is crypt_unix, the traditional DES-based crypt. It is not considered sufficiently secure, even by Oracle. You should use a stronger algorithm instead by setting <strong>CRYPT_DEFAULT<\/strong> in \/etc\/security\/policy.conf (1 for MD5, 2a for Blowfish, or 6 for SHA-512 where your update release provides it; \/etc\/security\/crypt.conf lists what is installed). Existing hashes are only converted to the new algorithm when each user next changes their password. crypt_unix does not support passwords longer than 8 characters. 
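<\/p>
<p>The audit script below is an added example, not code from the original post. It reads a copy of \/etc\/shadow and reports, per account, which hash algorithm the stored password uses (a 13-character crypt_unix hash has no $ prefix; $1$, $2a$, $md5$, $5$ and $6$ mark the MD5, Blowfish, Sun MD5, SHA-256 and SHA-512 modules), whether the account is locked (*LK* prefix) or has no password (NP), and whether the max-age field meets the policy, so you can find accounts still carrying an 8-character-limited hash or no aging after the change. The shadow_alg, audit_shadow, noncompliant_count and make_sample_shadow names are conventions of this example, the sample shadow lines are constructed and their hash fields are placeholders rather than real hashes, and it needs a POSIX shell (\/usr\/xpg4\/bin\/sh or ksh on Solaris 10).<\/p>

```shell
#!/bin/sh
# Added example, not code from the original post: audit a shadow file for
# hash algorithm, lock status and password aging. Assumes a POSIX shell
# (/usr/xpg4/bin/sh or ksh on Solaris 10) and a file path without whitespace.
# The sample shadow below is constructed; its hash fields are placeholders.
set -f   # hash fields contain * and $; never let the shell glob-expand them

# shadow_alg HASHFIELD: classify the second shadow field by its prefix.
shadow_alg() {
    case $1 in
        '*LK*'*)  echo locked ;;        # locked by passwd -l or by lockout
        NP|'*'*)  echo nologin ;;       # NP or any other * entry: no password
        '$1$'*)   echo crypt_bsdmd5 ;;
        '$2a$'*)  echo crypt_bsdbf ;;
        '$md5$'*) echo crypt_sunmd5 ;;
        '$5$'*)   echo crypt_sha256 ;;
        '$6$'*)   echo crypt_sha512 ;;
        '')       echo empty ;;
        *)        echo crypt_unix ;;    # 13-char traditional DES hash
    esac
}

# audit_shadow FILE MAXDAYS: one line per account with algorithm, max age
# and verdict. Locked and passwordless accounts are reported but not judged.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
audit_shadow() {
    file=$1 maxdays=$2
    while IFS=: read -r user pw lastchg min max warn inactive expire flag; do
        alg=$(shadow_alg $pw)
        case $alg in
            locked|nologin|empty) problems=n/a ;;
            *)
                problems=
                [ $alg = crypt_unix ] && problems=$problems,weak-hash
                case $max in
                    '') problems=$problems,no-aging ;;
                    *)  [ $max -le $maxdays ] || problems=$problems,aging-too-long ;;
                esac
                problems=${problems#,}
                ;;
        esac
        printf '%s %s max=%s %s\n' $user $alg ${max:-none} ${problems:-ok}
    done < $file
}

# noncompliant_count FILE MAXDAYS: number of judged accounts failing policy.
noncompliant_count() {
    audit_shadow $1 $2 | grep -c -v -e ' ok$' -e ' n/a$' || true
}

# make_sample_shadow FILE: constructed Solaris 10 style entries with
# placeholder hash fields (not real hashes), one per situation of interest.
make_sample_shadow() {
    cat > $1 <<'EOF'
root:AAbbCCddEEff.:16159::::::
alice:$md5$placeholder$:16159:1:180:14:::
bob:$6$placeholder$:16159:1:365:14:::
carol:$1$placeholder$:16100::::::
daemon:NP:6445::::::
dave:*LK*$5$placeholder$:16159:1:180:14:::
EOF
}

# Usage: sh audit_shadow.sh /etc/shadow 180   (no arguments runs the sample)
case $1 in
    ?*) audit_shadow $1 ${2:-180} ;;
    *)  sample=${TMPDIR:-/tmp}/shadow.sample
        make_sample_shadow $sample
        audit_shadow $sample 180 ;;
esac
```

<p>On the sample, root is flagged weak-hash,no-aging, bob aging-too-long and carol no-aging, while alice passes and the locked and passwordless accounts are reported as n\/a; run it against a copy of the real shadow file after the policy change to see who still needs a password change or a passwd -x.<\/p>
<p>To restate the crypt_unix caveat: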
\u00a0You can set a longer password, but all characters after the eighth are discarded when the hash is computed, so a 20 character password is no stronger than its first 8 characters until the account is rehashed with a different algorithm.<\/p>\n<h4>Retroactive Usage<\/h4>\n<p>Changes to the password expiration policy are not immediately retroactive: MAXWEEKS is applied to an account\u2019s shadow entry only when its password is next changed. For the expiration requirement to take effect on existing accounts, either force a password change with <strong>passwd -f user<\/strong> (the user must change it at next login) or set the aging field directly with <strong>passwd -x 180 user<\/strong>, which takes days rather than weeks and updates the shadow entry without changing the password.<\/p>\n<h4>Dictionary Words<\/h4>\n<p>When Solaris 10 was introduced, one of the changes made to the PAM password checking was the ability to use a comma-delimited list of dictionary files to reject common words during password selection. This is configured with the <strong>DICTIONLIST<\/strong> variable in the <strong>\/etc\/default\/passwd<\/strong> file; the <strong>mkpwdict<\/strong> command builds the dictionary database from those files.<\/p>\n<h4>Applying lockout to the root user<\/h4>\n<p>While this is not the default, you can apply the lockout rule to the root user account by editing the <strong>\/etc\/user_attr<\/strong> file and changing the <strong>lock_after_retries<\/strong> value for this user to yes. Be warned this is not recommended, since a locked account can only be unlocked by the root user. If your root account becomes locked then you will need to have an account that allows sudo access, or you will end up going to some extreme lengths to re-enable access to the system.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was recently handed a baseline policy that was to be implemented for all users on the Solaris 10 systems that I support. 
After a small amount of research I was able to find the various pieces that needed to be altered.<\/p>\n<p> Desired Policy <\/p>\n<p>After discussion between the security officer and the other management level staff, [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2972"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2972"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2972\/revisions"}],"predecessor-version":[{"id":2973,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2972\/revisions\/2973"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}