Re: Security Configuration Settings?

From: Marek Antozi (Marek.Antozi_at_Sun.COM)
Date: 09/23/04

  • Next message: Lupe Christoph: "Re: Security Configuration Settings?"
    Date: Thu, 23 Sep 2004 12:08:43 +0200 (CEST)
    To: El C0chin0 <mr.nasty@ix.netcom.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tue, 21 Sep 2004, El C0chin0 wrote:
    >
    > I don't understand and haven't been able to find anything related to what
    > describes 'compat'. Can anyone provide me with why it is a good measure to
    > change this from 'files' to 'compat' and what other changes may be necessary
    > or what exactly is the difference?
    >

    Hello El C0chin0.

    First I will answer your question about the `compat' issue; below that answer
    you can find other things related to Sun Solaris security.

    You can find a description of `compat' in the man page for nsswitch.conf.

    Quote:

    "compat Valid only for passwd and group; implements "+" and "-". See
    Interaction with +/- syntax."

    There is also a section which describes the "+/- syntax":

    "Interaction with +/- syntax

    Releases prior to SunOS 5.0 did not have the
    name service switch but did allow the user some policy control. In
    /etc/passwd one could have entries of the form +user (include the
    specified user from NIS passwd.byname), -user (exclude the specified user)
    and + (include everything, except excluded users, from NIS passwd.byname).
    The desired behavior was often "everything in the file followed by
    everything in NIS", expressed by a solitary + at the end of /etc/passwd. The
    switch provides an alternative for this case ("passwd: files nis") that
    does not require + entries in /etc/passwd and /etc/shadow (the latter is a new
    addition to SunOS 5.0, see shadow(4)).

    If this is not sufficient, the NIS/YP compatibility source provides full +/-
    semantics. It reads /etc/passwd for getpwnam(3C) functions and /etc/shadow
    for getspnam(3C) functions and, if it finds +/- entries, invokes an appropriate
    source. By default, the source is "nis", but this may be overridden by
    specifying "nisplus" or "ldap" as the source for the pseudo-database
    passwd_compat.

    Note that for every /etc/passwd entry, there should be a corresponding entry
    in the /etc/shadow file. The NIS/YP compatibility source also provides full
    +/- semantics for group; the relevant pseudo-database is group_compat."

    Sun provides "Solaris Security Toolkit (JASS)", which is available to users for
    download at no cost. Be sure to check
    "http://wwws.sun.com/software/security/jass/". This toolkit provides a
    flexible and extensible mechanism to minimize, harden, and secure Solaris
    Operating Environment systems.

    If you are interested in securing your Solaris OS, be sure to check Sun
    BluePrints archives at
    "http://www.sun.com/blueprints/browsesubject.html#security".

    I hope this is helpful.

    Regards.

    - -Marek Antozi
    - --
    Senior System Administrator
    SUN Microsystems, Developer Platform Group
    Tel.: +420 2 3300-9126
    Fax.: +420 2 3300-9299
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SunOS)
    Comment: For info see http://www.gnupg.org

    iD8DBQFBUqCwDfUZjsbiBSwRAu1GAKCZbYBABKKDo4iVkV3Bs+z5+ri5dQCfdVNN
    wleHHq6RrE5w7lBHfnsxZsA=
    =chAL
    -----END PGP SIGNATURE-----
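
The +/- rules quoted from the nsswitch.conf man page in the message above can be modelled in a few lines. This is an added example, not part of the original message and not Sun's implementation; the function names, the sample accounts and the rule that a `-user` line only takes effect for `+` lines that come after it are assumptions of this sketch.

```python
# Added illustration of the +/- rules quoted from the nsswitch.conf man page.
# All account data here is constructed sample input, not from a real system.

NIS_PASSWD_BYNAME = {  # constructed stand-in for the NIS passwd.byname map
    "alice": "alice:x:1001:100:Alice:/home/alice:/bin/sh",
    "bob": "bob:x:1002:100:Bob:/home/bob:/bin/sh",
    "carol": "carol:x:1003:100:Carol:/home/carol:/bin/sh",
}

LOCAL_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
-bob
+alice
+
"""

def resolve_compat(passwd_text, nis_map):
    """Return the account names visible under 'passwd: compat', in order."""
    visible, excluded = [], set()
    for line in passwd_text.splitlines():
        name = line.strip().split(":", 1)[0]
        if not name:
            continue
        if name == "+":                       # include everything from NIS
            candidates = list(nis_map)
        elif name.startswith("+"):            # include one named NIS user
            candidates = [name[1:]] if name[1:] in nis_map else []
        elif name.startswith("-"):            # exclude one named user
            excluded.add(name[1:])
            continue
        else:                                 # ordinary local entry
            if name not in visible:
                visible.append(name)
            continue
        for user in candidates:               # assumption: exclusions seen so far apply
            if user not in excluded and user not in visible:
                visible.append(user)
    return visible

def find_compat_entries(passwd_text):
    """Audit helper: (line_number, entry) for every +/- line in the file."""
    return [(n, line.split(":", 1)[0])
            for n, line in enumerate(passwd_text.splitlines(), 1)
            if line.startswith(("+", "-"))]

if __name__ == "__main__":
    print(resolve_compat(LOCAL_PASSWD, NIS_PASSWD_BYNAME))
    print(find_compat_entries(LOCAL_PASSWD))
```

Running `find_compat_entries` over a copy of a host's passwd file shows at a glance whether the file relies on +/- entries at all, which is the case where the man page says `compat` is needed instead of `files nis`.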

