Using the Solaris bsmconv Security Module Script
By Neelakanth Nadgir, Paul Teeter, March 2002
The Basic Security Module (BSM) is a built-in security feature of the Solaris Operating Environment. It hardens a Solaris system by limiting what a user can do, and by auditing what a user does once he or she logs into the machine.
The BSM is enabled and disabled using two Bourne shell scripts located in /etc/security; this article walks through bsmconv, the script that enables it.
When run, bsmconv accomplishes four main tasks:
- Enables system and kernel auditing (lines 75 - 88)
- Disables Volume Management (lines 101 - 119)
- Alters the kernel with two entries in /etc/system (lines 121 - 141)
- Creates two configuration files to be used by the allocate binary executable (lines 143 - 154)
Note: for any of the changes to take effect, the system must be rebooted.
System auditing is enabled in part through the auditconfig command, which gives root the ability to get and set kernel audit parameters. The relevant lines of the bsmconv script read:
83 #!/bin/sh
84 auditconfig -conf
85 auditconfig -setpolicy none
86 auditconfig -setpolicy +cnt
Line 84 calls auditconfig with the -conf argument. This argument tells auditconfig to configure kernel auditing such that kernel and user events are mapped to classes. These classes are defined in the /etc/security/audit_class file. Kernel and user events are then assigned to these classes in the /etc/security/audit_event file. If a defined audit class is assigned to a user in /etc/security/audit_user, then a record of executed commands that are grouped into this class will be stored for the specific user.
The execution of auditconfig -conf in bsmconv prepares the system to keep track of user executed commands based on a defined class structure. Commands are mapped to events, and events are mapped to classes. Users can be monitored based on these event classes.
Lines 85 and 86 first clear all audit policies (-setpolicy none) and then set the cnt policy (-setpolicy +cnt), which tells the kernel not to suspend auditing when audit resources are exhausted. Instead, auditconfig drops any audit records that cannot be stored and keeps a numeric count of the dropped records. Audit records are stored in /var/audit; this location can be customized in /etc/security/audit_control. The script audit_warn, in /etc/security, notifies the system console if audit resources are dangerously low (that is, if the /var file system is running out of space).
Volume management is disabled by moving the S92volmgt script from /etc/rc2.d. The exact line from bsmconv reads:
118 mv ${ROOT}/etc/rc2.d/S92volmgt ${ROOT}/etc/security/spool/S92volmgt
Moving this file simply prevents the vold daemon from starting at boot time, during run level two. A machine that does not let a user automatically mount a CD-ROM is considered more secure, because it prevents a user from introducing personal, untested, and possibly insecure files, including binary executables.
The kernel is altered by adding two entries to the /etc/system file. Amid the script's conditional and search statements, two lines are echoed to the system file:
131 echo "set c2audit:audit_load = 1" >> /tmp/etc.system.$$
132 echo "set abort_enable = 0" >> /tmp/etc.system.$$
Line 132 disables the "Stop-a" keyboard sequence. Without this line in /etc/system, any user can halt the system with the aforementioned keyboard sequence.
Line 131 enables auditing in the kernel and on the system. A value of 1 enables c2 auditing, while a value of 0 would disable it. c2audit is the kernel module that implements event auditing within the Solaris OE. (The name c2 originates from a government-defined security level. In relation to the Solaris OE, c2 is used as another word for audit.)
Two files are added to the /etc/security directory. The mkdevalloc command creates the file device_allocate, while the command mkdevmaps creates the file device_maps. These commands are executed on line 149 and line 153. These created files work with the allocate and deallocate commands. The man pages for allocate and deallocate provide additional detail on how the two commands function.
The allocate executable manages ownership of devices. The security feature of allocate lies in its ability to ensure that each device listed in /etc/security/device_maps is used by only one qualified user at a time. As a result, allocate effectively locks a device and forces it to be owned by one user when the device is used. Therefore, if a device is allocated, no other user can access the locked device until it becomes available. The deallocate executable releases a device that has been allocated.
The device_maps file lists logical device names that pertain to tape, disk, CD-ROM, and audio devices. The device_allocate file sets authorization levels for allocating and deallocating these same devices. These authorization levels are defined in /etc/security/auth_attr. Authorization for individual users can be set within /etc/user_attr.
The man pages for policy.conf, auth_attr, and user_attr provide additional details about user authorization and device allocation.
The bsmconv source code calls the mkdevalloc and mkdevmaps commands to create these two files.
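The four changes described above (the /etc/system entries, the S92volmgt move, and the two device allocation files) can be verified after the fact from the file system alone. The following is an added example, not code from the article or from Solaris: a read-only check that takes a root prefix the way bsmconv's ${ROOT} does, plus a helper that builds a constructed sample root so the check can be exercised offline. The paths and the two "set" lines come from the article; the checking logic and the helper are ours, and the runtime auditconfig state is not covered because it does not live in a file.

```shell
#!/bin/sh
# Added example (not from the article): verify, under a root prefix, that the
# file-level changes bsmconv makes are in place. Paths and "set" lines are
# those the article quotes; the checking logic itself is our assumption.
# check_bsm_root ROOT -> prints one line per check, returns number of failures
check_bsm_root() {
    root=$1
    fails=0
    # 1. Kernel entries that bsmconv appends to /etc/system (lines 131 and 132)
    for entry in "set c2audit:audit_load = 1" "set abort_enable = 0"; do
        if grep -qx "$entry" "$root/etc/system" 2>/dev/null; then
            echo "OK      /etc/system: $entry"
        else
            echo "MISSING /etc/system: $entry"; fails=$((fails + 1))
        fi
    done
    # 2. Volume management start script moved out of rc2.d (line 118)
    if [ ! -e "$root/etc/rc2.d/S92volmgt" ] && [ -e "$root/etc/security/spool/S92volmgt" ]; then
        echo "OK      S92volmgt moved to /etc/security/spool"
    else
        echo "MISSING S92volmgt still in /etc/rc2.d or absent from spool"; fails=$((fails + 1))
    fi
    # 3. Device allocation databases created by mkdevalloc and mkdevmaps
    for f in device_allocate device_maps; do
        if [ -f "$root/etc/security/$f" ]; then
            echo "OK      /etc/security/$f present"
        else
            echo "MISSING /etc/security/$f"; fails=$((fails + 1))
        fi
    done
    return $fails
}
# make_sample_root converted|stock -> constructed throw-away root, prints its path
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/rc2.d" "$r/etc/security/spool"
    echo "* constructed sample /etc/system" > "$r/etc/system"
    if [ "$1" = converted ]; then
        echo "set c2audit:audit_load = 1" >> "$r/etc/system"
        echo "set abort_enable = 0" >> "$r/etc/system"
        : > "$r/etc/security/spool/S92volmgt"
        : > "$r/etc/security/device_allocate"
        : > "$r/etc/security/device_maps"
    else
        : > "$r/etc/rc2.d/S92volmgt"
    fi
    echo "$r"
}
```

On a real system, run check_bsm_root / against the live root (or against a mounted alternate root) after the post-bsmconv reboot; a non-zero return value means at least one of the file-level changes is missing.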
About the Author
Paul works in the iPlanet organization of Sun Microsystems providing technical support for all things related to LDAP, Certificate Management Server, and Directory Server Access Management Edition (DSAME). He has worked at Sun for two years. He enjoys teaching physics at Santa Clara University in his spare time. Paul is a California native and lives with his wife near Sun's northern California headquarters.