System Administration Guide: Security Services


Numbers and Symbols

	$$ (double dollar sign), parent shell process number ( )

	`[]` (square brackets), `bsmrecord` output ( )

	* (asterisk)
		checking for in RBAC authorizations ( )
		`device_allocate` file ( ) ( )
		wildcard character
			in ASET ( ) ( )
			in RBAC authorizations ( ) ( )

	@ (at sign), `device_allocate` file ( )

	\ (backslash)
		`device_allocate` file ( ) ( )
		`device_maps` file ( )

	`^` (caret) in audit class prefixes ( )

	. (dot)
		authorization name separator ( )
		displaying hidden files ( )
		path variable entry ( )

	= (equal sign), file permissions symbol ( )

	- (minus sign)
		audit class prefix ( )
		file permissions symbol ( )
		file type symbol ( )
		`sulog` file ( )

	+ (plus sign)
		ACL entry ( )
		audit class prefix ( )
		file permissions symbol ( )
		`sulog` file ( )

	# (pound sign)
		`device_allocate` file ( )
		`device_maps` file ( )

	? (question mark), ASET tune files ( )

	; (semicolon)
		`device_allocate` file ( )
		separator of security attributes ( )

	> (redirect output), preventing ( )

	>> (append output), preventing ( )

	`-a` option
		`bsmrecord` command ( )
		`digest` command ( )
		`encrypt` command ( )
		`getfacl` command ( )
		Kerberized commands ( )
		`mac` command ( )
		`smrole` command ( )

	`-b` option, `auditreduce` command ( )

	`-c` option
		`auditreduce` command ( ) ( )
		`bsmrecord` command ( )

	`-d` option
		`auditreduce` command ( )
		`getfacl` command ( )
		`praudit` command ( )
		`setfacl` command ( )

	`-e` option
		`auditreduce` command ( )
		`ppriv` command ( )

	`~/.gkadmin` file, description ( )

	`-h` option, `bsmrecord` command ( )

	`-i` option
		`bart create` command ( ) ( )
		`encrypt` command ( )
		`st_clean` script ( )

	`~/.k5login` file, description ( )

	`-l` option
		`digest` command ( )
		`encrypt` command ( )
		`mac` command ( )
		`praudit` command ( )

	`-m` option
		`cryptoadm` command ( ) ( )
		Kerberized commands ( )

	`-n` option
		`audit` command ( )
		`bart create` command ( )

	`-o` option, `encrypt` command ( )

	`-p` option
		`aset` command ( )
		`bart create` ( )
		`bsmrecord` command ( )
		`cryptoadm` command ( ) ( )
		`logins` command ( )

	`-r` option
		`bart create` ( )
		`passwd` command ( )
		`praudit` command ( )

	`~/.rhosts` file, description ( )

	`-s` option
		`audit` command ( )
		`praudit` command ( )

	`~/.shosts` file, description ( )

	`~/.ssh/authorized_keys` file
		description ( )
		override ( )

	`~/.ssh/config` file
		description ( )
		override ( )

	`~/.ssh/environment` file, description ( )

	`~/.ssh/id_dsa` file, override ( )

	`~/.ssh/id_rsa` file, override ( )

	`~/.ssh/identity` file, override ( )

	`~/.ssh/known_hosts` file
		description ( )
		override ( )

	`~/.ssh/rc` file, description ( )

	`-v` option
		`audit` command ( )
		`digest` command ( )
		`mac` command ( )
		`ppriv` command ( )

	`-x` option
		Kerberized commands ( )
		`praudit` command ( )

	`3des-cbc` encryption algorithm, `ssh_config` file ( )

	`3des` encryption algorithm, `ssh_config` file ( )


A

	`-A` option, `auditreduce` command ( )

	absolute mode
		changing file permissions ( ) ( )
		changing special file permissions ( )
		description ( )
		setting special permissions ( )

	access
		control lists
			See ACL
		getting to server
			with Kerberos ( )
		granting to your account ( ) ( )
		login authentication with Solaris Secure Shell ( )
		obtaining for a specific service ( )
		restricting for
			devices ( ) ( )
			system hardware ( )
		restricting for KDC servers ( )
		`root` access
			displaying attempts on console ( )
			monitoring `su` command attempts ( ) ( )
			preventing login (RBAC) ( )
			restricting ( ) ( )
		Secure RPC authentication ( )
		security
			ACLs ( )
			controlling system usage ( )
			devices ( )
			file access restriction ( )
			firewall setup ( ) ( )
			login access restrictions ( ) ( )
			login authentication ( )
			login control ( )
			monitoring system usage ( ) ( )
			network control ( )
			NFS client-server ( )
			`PATH` variable setting ( )
			peripheral devices ( )
			physical security ( )
			remote systems ( )
			reporting problems ( )
			`root` login tracking ( )
			saving failed logins ( )
			`setuid` programs ( )
			system hardware ( )
			UFS ACLs ( )
		sharing files ( )
		system logins ( )

	access control list
		See ACL

	Access Control Lists (ACLs), See ACL

	ACL
		changing entries ( )
		checking entries ( ) ( )
		commands ( )
		copying ACL entries ( )
		default entries for directories ( ) ( )
		deleting entries ( ) ( )
		description ( ) ( )
		directory entries ( ) ( )
		displaying entries ( ) ( )
		format of entries ( )
		`kadm5.acl` file ( ) ( ) ( )
		modifying entries ( )
		restrictions on copying entries ( )
		setting entries ( )
		setting on a file ( )
		task map ( )
		user procedures ( )
		valid file entries ( )

	`acl` audit token, format ( )

	`add_drv` command, description ( )

	adding
		ACL entries ( )
		administration principals (Kerberos) ( ) ( )
		allocatable device ( )
		attributes to a rights profile ( )
		audit classes ( ) ( )
		audit directories ( )
		audit policy ( )
		auditing of roles ( )
		auditing of zones ( )
		cryptomgt role ( )
		custom roles (RBAC) ( )
		customized role ( )
		DH authentication to mounted file systems ( )
		dial-up passwords ( )
		hardware provider mechanisms and features ( )
		keys for DH authentication ( )
		library plugin ( )
		local user ( )
		new rights profile ( )
		Operator role ( )
		PAM modules ( )
		password encryption module ( )
		plugins to cryptographic framework ( )
		privileges directly to user or role ( )
		privileges to command ( )
		RBAC properties to legacy applications ( )
		rights profiles with Solaris Management Console ( )
		roles
			for particular profiles ( )
			from command line ( )
			to a user ( )
			with limited scope ( )
		security attributes to legacy applications ( )
		security-related role ( )
		security-related roles ( )
		security to devices ( ) ( )
		security to system hardware ( )
		service principal to keytab file (Kerberos) ( )
		software provider ( )
		System Administrator role ( )
		user-level software provider ( )

	`admin_server` section
		`krb5.conf` file ( ) ( )

	administering
		ACLs ( )
		auditing
			audit classes ( ) ( ) ( )
			audit events ( )
			audit files ( )
			audit records ( )
			audit trail overflow prevention ( )
			`auditreduce` command ( )
			cost control ( )
			description ( )
			efficiency ( )
			process preselection mask ( )
			reducing storage-space requirements ( )
			task map ( )
			in zones ( ) ( )
		auditing in zones ( )
		cryptographic framework ( )
		cryptographic framework and zones ( )
		cryptographic framework task map ( )
		device allocation ( )
		device policy ( )
		dial-up logins ( )
		file permissions ( ) ( )
		Kerberos
			keytabs ( )
			policies ( )
			principals ( )
		metaslot ( )
		NFS client-server file security ( )
		password algorithms ( )
		privileges ( )
		properties of a role ( )
		RBAC properties ( )
		remote logins with Solaris Secure Shell ( )
		rights profiles ( )
		role password ( )
		roles ( )
		roles to replace superuser ( )
		Secure RPC task map ( )
		Solaris Secure Shell
			clients ( )
			overview ( )
			servers ( )
			task map ( )
		without privileges ( )

	`administrative (old)` audit class ( )

	`administrative` audit class ( )

	AES kernel provider ( )

	`aes128-cbc` encryption algorithm, `ssh_config` file ( )

	`aes128-ctr` encryption algorithm, `ssh_config` file ( )

	agent daemon, Solaris Secure Shell ( )

	`ahlt` audit policy
		description ( )
		setting ( )

	algorithms
		definition in cryptographic framework ( )
		listing in the cryptographic framework ( )
		password
			configuration ( )
		password encryption ( )

	`all`, in user audit fields ( )

	All (RBAC), rights profile ( )

	`all` audit class
		caution for using ( )
		description ( )

	`allhard` string, `audit_warn` script ( )

	`allocate` command
		allocate error state ( )
		authorizations for ( )
		authorizations required ( )
		description ( )
		tape drive ( )
		user authorization ( )
		using ( )

	allocate error state ( )

	allocating devices
		by users ( )
		forcibly ( )
		task map ( )
		troubleshooting ( )

	`AllowGroups` keyword, `sshd_config` file ( )

	`AllowTcpForwarding` keyword
		changing ( )
		`sshd_config` file ( )

	`AllowUsers` keyword, `sshd_config` file ( )

	`allsoft` string, `audit_warn` script ( )

	`ALTSHELL` in Solaris Secure Shell ( )

	always-audit classes
		`audit_user` database ( )
		process preselection mask ( )

	analysis, `praudit` command ( )

	appending arrow (>>), preventing appending ( )

	`application` audit class ( )

	application server, configuring ( )

	`arbitrary` audit token
		format ( )
		item size field ( )
		print format field ( )

	`arcfour` encryption algorithm, `ssh_config` file ( )

	ARCFOUR kernel provider ( )

	Archive tape drive device-clean script ( )

	archiving, audit files ( )

	`arg` audit token, format ( )

	`arge` audit policy
		and `exec_env` token ( )
		description ( )

	`arge` audit policy, setting ( )

	`argv` audit policy
		and `exec_args` token ( )
		description ( )

	`argv` audit policy, setting ( )

	ASET
		aliases file
			description ( )
			examples ( )
			`UID_ALIASES` variable ( )
		`aset` command
			`-p` option ( )
			interactive version ( )
			starting ( )
		`aset.restore` command ( )
		`ASETDIR` variable ( )
		`asetenv` file ( ) ( )
		`ASETSECLEVEL` variable ( )
		`CKLISTPATH_level` variable ( )
		collecting reports ( )
		configuring ( ) ( )
		description ( ) ( )
		environment file ( )
		environment variables ( )
		error messages ( )
		execution log ( )
		master files ( ) ( ) ( )
		NFS services and ( )
		`PERIODIC_SCHEDULE` variable ( ) ( )
		restoring original system state ( )
		running ASET periodically ( )
		running interactively ( )
		running periodically ( )
		scheduling ASET execution ( ) ( )
		stopping from running periodically ( )
		task map ( )
		`TASKS` variable ( ) ( )
		troubleshooting ( )
		tune file examples ( )
		tune files ( ) ( )
		`uid_aliases` file ( )
		`UID_ALIASES` variable ( ) ( ) ( )
		working directory ( )
		`YPCHECK` variable ( ) ( )

	assigning
		privileges to commands in a rights profile ( )
		privileges to commands in a script ( )
		privileges to user or role ( )
		role to a user ( ) ( )
		role to a user locally ( )

	assuming role
		how to ( ) ( )
		in a terminal window ( )
		in Solaris Management Console ( )
		Primary Administrator ( )
		`root` ( )
		System Administrator ( )

	asterisk (*)
		checking for in RBAC authorizations ( )
		`device_allocate` file ( ) ( )
		wildcard character
			in ASET ( ) ( )
			in RBAC authorizations ( ) ( )

	`at` command, authorizations required ( )

	at sign (@), `device_allocate` file ( )

	`atq` command, authorizations required ( )

	`attribute` audit token ( )

	attributes, keyword in BART ( )

	audio devices, security ( )

	`audit administration` audit class ( )

	audit characteristics
		audit ID ( )
		process preselection mask ( )
		processes ( )
		session ID ( )
		terminal ID ( )
		user process preselection mask ( )

	`audit_class` file
		adding a class ( )
		description ( )
		troubleshooting ( )

	audit class preselection, effect on public objects ( )

	audit classes
		adding ( )
		definitions ( )
		description ( ) ( )
		entries in `audit_control` file ( )
		exceptions in `audit_user` database ( )
		exceptions to system-wide settings ( )
		mapping events ( )
		modifying default ( )
		overview ( )
		prefixes ( )
		preselecting ( )
		preselection ( )
		process preselection mask ( )
		setting system-wide ( )
		syntax ( ) ( )
		system-wide ( )

	`audit` command
		description ( )
		preselection mask for existing processes (`-s` option) ( )
		rereading audit files (`-s` option) ( )
		resetting directory pointer (`-n` option) ( )
		updating audit service ( )
		verifying syntax of `audit_control` file (`-v` option) ( )

	audit configuration file, See `audit_control` file

	`audit_control` file
		audit daemon rereading after editing ( )
		changing kernel mask for nonattributable events ( )
		configuring ( )
		description ( )
		entries ( )
		entries and zones ( )
		examples ( )
		exceptions to `flags` in `audit_user` database ( )
		`flags` line
			process preselection mask ( )
		`minfree` warning ( )
		`plugin` line ( )
		prefixes in `flags` line ( )
		syntax problem ( )
		system-wide audit ( )
		verifying classes ( )
		verifying syntax ( )

	Audit Control rights profile ( )

	audit daemon, See `auditd` daemon

	audit directory
		creating ( )
		description ( )
		partitioning for ( )
		sample structure ( )

	`audit_event` file
		changing class membership ( )
		description ( )
		removing events safely ( )

	audit events
		`audit_event` file ( )
		changing class membership ( )
		description ( )
		mapping to classes ( )
		selecting from audit trail ( )
		selecting from audit trail in zones ( )
		summary ( )
		viewing from binary files ( )

	audit files
		`auditreduce` command ( )
		combining ( ) ( )
		configuring ( )
		copying messages to single file ( )
		limiting size of ( )
		managing ( )
		minimum free space for file systems ( )
		names ( ) ( )
		order for opening ( )
		partitioning disk for ( )
		printing ( )
		reducing ( ) ( )
		reducing storage-space requirements ( ) ( )
		switching to new file ( )
		time stamps ( ) ( )

	audit ID
		mechanism ( )
		overview ( )

	audit logs
		See also audit files
		comparing binary and textual ( )
		configuring textual audit logs ( )
		in text ( )
		modes ( )

	audit messages, copying to single file ( )

	`audit.notice` entry, `syslog.conf` file ( )

	audit plugins, summary ( )

	audit policy
		audit tokens from ( )
		defaults ( )
		description ( )
		effects of ( )
		`public` ( )
		setting ( )
		setting `ahlt` ( )
		setting `arge` ( )
		setting `argv` ( )
		setting in global zone ( ) ( )
		setting `perzone` ( )
		that does not affect tokens ( )
		tokens added by ( )
		updating dynamically ( )

	audit prerequisite, correctly configured `hosts` database ( )

	audit preselection mask
		modifying for existing users ( )
		modifying for individual users ( )

	audit records
		audit directories full ( ) ( )
		converting to readable format ( ) ( ) ( )
		description ( )
		displaying ( )
		displaying formats of
			procedure ( )
			summary ( )
		displaying formats of a program ( )
		displaying formats of an audit class ( )
		displaying in XML format ( )
		events that generate ( )
		format ( )
		formatting example ( )
		merging ( )
		overview ( )
		reducing audit files ( )
		sequence of tokens ( )
		`syslog.conf` file ( )
		`/var/adm/auditlog` file ( )

	Audit Review rights profile ( )

	audit session ID ( )

	`audit_startup` script
		configuring ( )
		description ( )

	audit threshold ( )

	audit tokens
		See also individual audit token names
		added by audit policy ( )
		audit record format ( )
		description ( ) ( )
		format ( )
		list of ( )
		new in current release ( )

	audit trail
		analysis costs ( )
		analysis with `praudit` command ( )
		cleaning up not terminated files ( )
		creating
			`auditd` daemon's role ( )
		description ( )
		effect of audit policy on ( )
		events included ( )
		merging all files ( )
		monitoring in real time ( )
		no public objects ( )
		overview ( )
		preventing overflow ( )
		selecting events from ( )
		viewing events from ( )
		viewing events from different zones ( )

	`audit_user` database
		exception to system-wide audit classes ( )
		prefixes for classes ( )
		process preselection mask ( )
		specifying user exceptions ( )
		user audit fields ( )

	`audit_user` file, verifying classes ( )

	`audit_warn` script
		`auditd` daemon execution of ( )
		conditions invoking ( )
		configuring ( )
		description ( )
		strings ( )

	`auditconfig` command
		audit classes as arguments ( ) ( )
		description ( )
		prefixes for classes ( )
		setting audit policy ( ) ( )

	`auditd` daemon
		audit trail creation ( ) ( )
		`audit_warn` script
			description ( ) ( )
			execution of ( )
		functions ( )
		order audit files are opened ( ) ( )
		plugins loaded by ( )
		rereading information for the kernel ( )
		rereading the `audit_control` file ( ) ( )

	auditing
		all commands by users ( )
		changes in current release ( )
		changes in device policy ( )
		configuring identically for all zones ( )
		configuring in global zone ( ) ( )
		configuring per-zone ( )
		device allocation ( )
		disabling ( )
		enabling ( )
		finding changes to specific files ( )
		`hosts` database prerequisite ( )
		logins ( )
		planning ( )
		planning in zones ( ) ( )
		preselection definition ( )
		privileges and ( )
		rights profiles for ( )
		roles ( )
		`sftp` file transfers ( )
		troubleshooting ( )
		troubleshooting `praudit` command ( )
		updating information ( )
		zones and ( ) ( )

	`auditlog` file, text audit records ( )

	`auditreduce` command ( )
		`-c` option ( )
		`-O` option ( )
		cleaning up audit files ( )
		description ( )
		examples ( )
		filtering options ( )
		merging audit records ( )
		options ( )
		selecting audit records ( )
		timestamp use ( )
		trailer tokens, and ( )
		using lowercase options ( )
		using uppercase options ( )
		without options ( )

	`auth_attr` database
		description ( )
		summary ( )

	`AUTH_DES` authentication, See `AUTH_DH` authentication

	`AUTH_DH` authentication, and NFS ( )

	authentication
		`AUTH_DH` client-server session ( )
		configuring cross-realm ( )
		description ( )
		DH authentication ( )
		disabling with `-X` option ( )
		Kerberos and ( )
		name services ( )
		network security ( )
		NFS-mounted files ( ) ( )
		overview of Kerberos ( )
		Secure RPC ( )
		Solaris Secure Shell
			methods ( )
			process ( )
		terminology ( )
		types ( )
		use with NFS ( )

	authentication methods
		GSS-API credentials in Solaris Secure Shell ( )
		host-based in Solaris Secure Shell ( ) ( )
		keyboard-interactive in Solaris Secure Shell ( )
		password in Solaris Secure Shell ( )
		public keys in Solaris Secure Shell ( )
		Solaris Secure Shell ( )

	authenticator
		in Kerberos ( ) ( )

	`authlog` file, saving failed login attempts ( )

	authorizations
		Kerberos and ( )
		types ( )

	authorizations (RBAC)
		checking for wildcards ( )
		checking in privileged application ( )
		commands that require authorizations ( )
		database ( ) ( )
		definition ( )
		delegating ( )
		description ( ) ( )
		for allocating device ( )
		for device allocation ( )
		granularity ( )
		naming convention ( )
		not requiring for device allocation ( )
		`solaris.device.allocate` ( ) ( )
		`solaris.device.revoke` ( )

	`authorized_keys` file, description ( )

	`AuthorizedKeysFile` keyword, `sshd_config` file ( )

	`auths` command, description ( )

	`AUTHS_GRANTED` keyword, `policy.conf` file ( )

	`auto_transition` option, SASL and ( )

	Automated Security Enhancement Tool, See ASET

	automatic login
		disabling ( )
		enabling ( )

	automatically enabling auditing ( )

	automating principal creation ( )

	`auxprop_login` option, SASL and ( )


B

	backup
		Kerberos database ( )
		slave KDCs ( )

	`Banner` keyword, `sshd_config` file ( )

	BART
		components ( )
		overview ( )
		programmatic output ( )
		security considerations ( )
		task map ( )
		verbose output ( )

	`bart` command ( )

	`bart compare` command ( )

	`bart create` command ( ) ( )

	Basic Audit Reporting Tool, See BART

	basic privilege set ( )

	Basic Security Module (BSM)
		See auditing
		See device allocation

	Basic Solaris User rights profile ( )

	`Batchmode` keyword, `ssh_config` file ( )

	`BindAddress` keyword, `ssh_config` file ( )

	binding control flag, PAM ( )

	`blowfish-cbc` encryption algorithm, `ssh_config` file ( )

	Blowfish encryption algorithm
		kernel provider ( )
		`policy.conf` file ( )
		`ssh_config` file ( )
		using for password ( )

	Bourne shell, privileged version ( )

	`bsmconv` script
		creating `device_maps` file ( )
		description ( )
		enabling audit service ( )

	`bsmrecord` command
		`[]` (square brackets) in output ( )
		description ( )
		displaying audit record formats ( )
		example ( )
		listing all formats ( )
		listing formats of class ( )
		listing formats of program ( )
		optional tokens (`[]`) ( )

	`bsmunconv` script, disabling audit service ( )


C

	`-C` option, `auditreduce` command ( )

	C shell, privileged version ( )

	`c2audit:audit_load` entry, `system` file ( )

	`c2audit` module, verifying is loaded ( )

	cache, credential ( )

	`canon_user_plugin` option, SASL and ( )

	caret (`^`) in audit class prefixes ( )

	CD-ROM drives
		allocating ( )
		security ( )

	`cdrw` command, authorizations required ( )

	certificates
		exporting for use by another system ( )
		generating with `pktool gencert` command ( )
		importing into keystore ( )

	`ChallengeResponseAuthentication` keyword, See `KbdInteractiveAuthentication` keyword

	`changepw` principal ( )

	changing
		ACL entries ( )
		allocatable devices ( )
		`audit_class` file ( )
		`audit_control` file ( )
		`audit_event` file ( )
		default password algorithm ( )
		device policy ( )
		file ownership ( )
		file permissions
			absolute mode ( )
			special ( )
			symbolic mode ( )
		group ownership of file ( )
		NFS secret keys ( )
		passphrase for Solaris Secure Shell ( )
		password algorithm for a domain ( )
		password algorithm task map ( )
		password of role ( )
		properties of role ( )
		rights profile contents ( )
		rights profile from command line ( )
		`root` user into role ( )
		special file permissions ( )
		user properties from command line ( )
		your password with `kpasswd` ( )
		your password with `passwd` ( )

	`CheckHostIP` keyword, `ssh_config` file ( )

	`chgrp` command
		description ( )
		syntax ( )

	`chkey` command ( ) ( )

	`chmod` command
		changing special permissions ( ) ( )
		description ( )
		syntax ( )

	choosing, your password ( )

	`chown` command, description ( )

	`Cipher` keyword, `sshd_config` file ( )

	`Ciphers` keyword, Solaris Secure Shell ( )

	`cklist.rpt` file ( ) ( )

	`CKLISTPATH_level` variable (ASET) ( )

	classes, See audit classes

	cleaning up, binary audit files ( )

	clear protection level ( )

	`ClearAllForwardings` keyword, Solaris Secure Shell port forwarding ( )

	client names, planning for in Kerberos ( )

	`ClientAliveCountMax` keyword, Solaris Secure Shell port forwarding ( )

	`ClientAliveInterval` keyword, Solaris Secure Shell port forwarding ( )

	clients
		`AUTH_DH` client-server session ( )
		configuring for Solaris Secure Shell ( ) ( )
		configuring Kerberos ( )
		definition in Kerberos ( )

	`clntconfig` principal
		creating ( ) ( )

	clock skew
		Kerberos and ( )
		Kerberos planning and ( )

	clock synchronizing
		Kerberos master KDC and ( ) ( )
		Kerberos planning and ( )
		Kerberos slave KDC and ( )
		Kerberos slave server and ( )

	`cmd` audit token ( ) ( )

	`cnt` audit policy, description ( )

	combining audit files
		`auditreduce` command ( ) ( )
		from different zones ( )

	command execution, Solaris Secure Shell ( )

	command-line equivalents of SEAM Administration Tool ( )

	commands
		See also individual commands
		ACL commands ( )
		auditing commands ( )
		cryptographic framework commands ( )
		determining user's privileged commands ( )
		device allocation commands ( )
		device policy commands ( )
		file protection commands ( )
		for administering privileges ( )
		Kerberos ( )
		RBAC administration commands ( )
		Secure RPC commands ( )
		Solaris Secure Shell commands ( )
		that assign privileges ( )
		that check for privileges ( )
		user-level cryptographic commands ( )

	common keys
		calculating ( )
		DH authentication and ( )

	components
		BART ( )
		device allocation mechanism ( )
		RBAC ( )
		Solaris Secure Shell user session ( )

	`Compression` keyword, Solaris Secure Shell ( )

	`CompressionLevel` keyword, `ssh_config` file ( )

	Computer Emergency Response Team/Coordination Center (CERT/CC) ( )

	computer security, See system security

	computing
		DH key ( )
		digest of a file ( )
		MAC of a file ( )
		secret key ( ) ( )

	configuration decisions
		auditing
			file storage ( )
			policy ( )
			who and what to audit ( )
			zones ( )
		Kerberos
			client and service principal names ( )
			clients ( )
			clock synchronization ( )
			database propagation ( )
			encryption types ( )
			KDC server ( )
			mapping host names onto realms ( )
			number of realms ( )
			ports ( )
			realm hierarchy ( )
			realm names ( )
			realms ( )
			slave KDCs ( )
		password algorithm ( )

	configuration files
		ASET ( )
		`audit_class` file ( )
		`audit_control` file ( ) ( ) ( )
		`audit_event` file ( )
		`audit_startup` script ( )
		`audit_user` database ( )
		`device_maps` file ( )
		`nsswitch.conf` file ( )
		for password algorithms ( )
		`policy.conf` file ( ) ( ) ( )
		Solaris Secure Shell ( )
		`syslog.conf` file ( ) ( ) ( )
		`system` file ( )
		with privilege information ( )

	configuring
		`ahlt` audit policy ( )
		ASET ( ) ( )
		`audit_class` file ( )
		`audit_control` file ( )
		`audit_event` file ( )
		audit files ( )
		audit files task map ( )
		audit policy ( )
		audit policy temporarily ( )
		audit service task map ( )
		`audit_startup` script ( )
		audit trail overflow prevention ( )
		`audit_user` database ( )
		`audit_warn` script ( )
		`auditconfig` command ( )
		auditing in zones ( ) ( )
		custom roles ( )
		device allocation ( )
		device policy ( )
		devices task map ( )
		DH key for NIS+ user ( )
		DH key for NIS user ( )
		DH key in NIS ( )
		DH key in NIS+ ( )
		dial-up logins ( )
		hardware security ( )
		host-based authentication for Solaris Secure Shell ( )
		identical auditing for non-global zones ( )
		Kerberos
			adding administration principals ( ) ( )
			clients ( )
			cross-realm authentication ( )
			master KDC server ( )
			master KDC server using LDAP ( )
			NFS servers ( )
			overview ( )
			slave KDC server ( )
			task map ( )
		name service ( )
		password for hardware access ( )
		per-zone auditing ( )
		`perzone` audit policy ( )
		port forwarding in Solaris Secure Shell ( )
		RBAC ( ) ( )
		RBAC task map ( )
		rights profile from command line ( )
		rights profiles ( ) ( )
		roles ( ) ( )
			from command line ( )
		`root` user as role ( )
		Solaris Secure Shell ( )
			clients ( )
			servers ( )
		Solaris Secure Shell task map ( )
		`ssh-agent` daemon ( )
		textual audit logs ( )

	configuring application servers ( )

	`ConnectionAttempts` keyword, `ssh_config` file ( )

	console, displaying `su` command attempts ( )

	`CONSOLE` in Solaris Secure Shell ( )

	consumers, definition in cryptographic framework ( )

	context-sensitive help, SEAM Administration Tool ( )

	control manifests (BART) ( )

	controlling
		access to system hardware ( )
		system access ( )
		system usage ( )

	conversation keys
		decrypting in secure RPC ( )
		generating in secure RPC ( )

	converting
		audit records to readable format ( ) ( )

	copying
		ACL entries ( )
		files using Solaris Secure Shell ( )

	copying audit messages to single file ( )

	cost control, and auditing ( )

	`crammd5.so.1` plug-in, SASL and ( )

	creating
		audit trail
			`auditd` daemon ( )
			`auditd` daemon's role ( )
		credential table ( )
		customized role ( )
		`d_passwd` file ( )
		dial-up passwords ( ) ( )
		`/etc/d_passwd` file ( )
		file digests ( )
		keytab file ( ) ( )
		local user ( )
		new device-clean scripts ( )
		new policy (Kerberos) ( ) ( )
		new principal (Kerberos) ( )
		Operator role ( )
		partitions for binary audit files ( )
		passwords for temporary user ( )
		rights profiles ( )
		rights profiles with Solaris Management Console ( )
		roles
			for particular profiles ( )
			on command line ( )
			with limited scope ( )
		`root` user as role ( )
		secret keys
			for encryption ( ) ( )
		security-related roles ( )
		Solaris Secure Shell keys ( )
		stash file ( ) ( )
		System Administrator role ( )
		tickets with `kinit` ( )

	`cred` database
		adding client credential ( )
		adding user credential ( )
		DH authentication ( )

	`cred` table
		DH authentication and ( )
		information stored by server ( )

	credential
		cache ( )
		description ( ) ( )
		obtaining for a server ( )
		obtaining for a TGS ( )
		or tickets ( )

	credential table, adding single entry to ( )

	credentials, mapping ( )

	`crontab` files
		authorizations required ( )
		running ASET periodically ( )
		stop running ASET periodically ( )

	cross-realm authentication, configuring ( )

	`CRYPT_ALGORITHMS_ALLOW` keyword, `policy.conf` file ( )

	`CRYPT_ALGORITHMS_DEPRECATE` keyword, `policy.conf` file ( )

	`crypt_bsdbf` password algorithm ( )

	`crypt_bsdmd5` password algorithm ( )

	`crypt` command, file security ( )

	`crypt.conf` file
		changing with new password module ( )
		third-party password modules ( )

	`CRYPT_DEFAULT` keyword, `policy.conf` file ( )

	`CRYPT_DEFAULT` system variable ( )

	`crypt_sha256` password algorithm ( )

	`crypt_sunmd5` password algorithm ( ) ( )

	`crypt_unix` password algorithm ( ) ( )

	Crypto Management (RBAC)
		creating role ( )
		use of rights profile ( ) ( )

	`cryptoadm` command
		`-m` option ( ) ( )
		`-p` option ( ) ( )
		description ( )
		disabling cryptographic mechanisms ( ) ( )
		disabling hardware mechanisms ( )
		installing PKCS #11 library ( )
		listing providers ( )
		restoring kernel software provider ( )

	`cryptoadm install` command, installing PKCS #11 library ( )

	cryptographic framework
		administering with role ( )
		connecting providers ( )
		consumers ( )
		`cryptoadm` command ( ) ( )
		definition of terms ( )
		description ( )
		`elfsign` command ( ) ( )
		error messages ( )
		hardware plugins ( )
		installing providers ( )
		interacting with ( )
		listing providers ( ) ( )
		PKCS #11 library ( )
		providers ( ) ( )
		refreshing ( )
		registering providers ( )
		restarting ( )
		signing providers ( )
		task maps ( )
		user-level commands ( )
		zones and ( ) ( )

	cryptographic services, See cryptographic framework

	Cryptoki, See PKCS #11 library

	`csh` command, privileged version ( )

	`.cshrc` file, path variable entry ( )

	Custom Operator (RBAC), creating role ( )

	customizing, manifests ( )

	customizing a report (BART) ( )


D

	`-D` option
		`auditreduce` command ( )
		`ppriv` command ( )

	`d_passwd` file
		creating ( )
		description ( )
		disabling dial-up logins temporarily ( )

	daemons
		`auditd` ( )
		`kcfd` ( )
		`keyserv` ( )
		`nscd` (name service cache daemon) ( ) ( )
		`rpc.nispasswd` ( )
		running with privileges ( )
		`ssh-agent` ( )
		`sshd` ( )
		table of Kerberos ( )
		`vold` ( )

	Data Encryption Standard, See DES encryption

	data forwarding, Solaris Secure Shell ( )

	databases
		`audit_user` ( )
		`auth_attr` ( )
		backing up and propagating KDC ( )
		creating KDC ( )
		`cred` for Secure RPC ( ) ( )
		`exec_attr` ( )
		KDC propagation ( )
		NFS secret keys ( )
		`prof_attr` ( )
		`publickey` for Secure RPC ( )
		RBAC ( )
		`user_attr` ( )
		with privilege information ( )

	`dd` command, generating secret keys ( )

	`deallocate` command
		allocate error state ( ) ( )
		authorizations for ( )
		authorizations required ( )
		description ( )
		device-clean scripts and ( )
		using ( )

	deallocating
		devices ( )
		forcibly ( )
		microphone ( )

	debugging, privileges ( )

	debugging sequence number ( )

	`decrypt` command
		description ( )
		syntax ( )

	decrypting
		conversation keys for Secure RPC ( )
		files ( )
		NFS secret keys ( )
		secret keys ( )

	`default/login` file, description ( )

	`default_realm` section
		`krb5.conf` file ( ) ( )

	`defaultpriv` keyword, `user_attr` database ( )

	defaults
		ACL entries for directories ( ) ( )
		`audit_startup` script ( )
		`praudit` output format ( ) ( )
		privilege settings in `policy.conf` file ( )
		system-wide auditing ( )
		system-wide in `policy.conf` file ( )
		`umask` value ( )

	delegating, RBAC authorizations ( )

	`delete_entry` command, `ktutil` command ( )

	deleting
		ACL entries ( ) ( )
		archived audit files ( )
		audit files ( )
		host's service ( )
		`not_terminated` audit files ( )
		policies (Kerberos) ( )
		principal (Kerberos) ( )
		rights profiles ( )

	`DenyGroups` keyword, `sshd_config` file ( )

	`DenyUsers` keyword, `sshd_config` file ( )

	DES encryption
		kernel provider ( )
		Secure NFS ( )

	destroying, tickets with `kdestroy` ( )

	determining
		`audit_control` flags are correct ( )
		audit ID of a user ( )
		`audit_user` flags are correct ( )
		auditing is running ( )
		`c2audit` module is loaded ( )
		files with `setuid` permissions ( )
		if file has ACL ( )
		privileges on a process ( )
		privileges task map ( )

	`/dev/arp` device, getting IP MIB-II information ( )

	`/dev/urandom` device ( )

	`devfsadm` command, description ( )

	`device_allocate` file
		description ( )
		format ( )
		sample ( ) ( )

	device allocation
		adding devices ( )
		allocatable devices ( ) ( )
		`allocate` command ( )
		allocate error state ( )
		allocating devices ( )
		auditing ( )
		authorizations for commands ( )
		authorizing users to allocate ( )
		changing allocatable devices ( )
		commands ( )
		components of mechanism ( )
		configuration file ( )
		`deallocate` command ( )
			device-clean scripts and ( )
			using ( )
		deallocating devices ( )
		`device_allocate` file ( )
		device-clean scripts
			audio devices ( )
			CD-ROM drives ( )
			description ( )
			diskette drives ( )
			options ( )
			tape drives ( ) ( )
			writing new scripts ( )
		`device_maps` file ( )
		disabling ( )
		enabling ( ) ( )
		examples ( )
		forcibly allocating devices ( )
		forcibly deallocating devices ( )
		making device allocatable ( )
		managing devices ( )
		mounting devices ( )
		not requiring authorization ( )
		preventing ( )
		requiring authorization ( )
		task map ( )
		troubleshooting ( ) ( )
		troubleshooting permissions ( )
		unmounting allocated device ( )
		user procedures ( )
		using ( )
		using `allocate` command ( )
		viewing information ( )

	device-clean scripts
		and object reuse ( )
		audio devices ( )
		CD-ROM drives ( )
		description ( )
		diskette drives ( )
		options ( )
		tape drives ( ) ( ) ( )
		writing new scripts ( )

	device management, See device policy

	`device_maps` file
		description ( )
		format ( )
		sample entries ( )

	device policy
		`add_drv` command ( )
		auditing changes ( )
		changing ( )
		commands ( )
		configuring ( )
		kernel protection ( )
		managing devices ( )
		overview ( ) ( )
		removing from device ( )
		task map ( )
		`update_drv` command ( ) ( )
		viewing ( )

	Device Security (RBAC), creating role ( )

	devices
		adding device policy ( )
		allocating for use ( )
		auditing allocation of ( )
		auditing policy changes ( )
		authorizing users to allocate ( )
		changing device policy ( )
		changing which are allocatable ( )
		deallocating a device ( )
		`/dev/urandom` device ( )
		device allocation
			See device allocation
		forcibly allocating ( )
		forcibly deallocating ( )
		getting IP MIB-II information ( )
		listing ( )
		listing device names ( )
		login access control ( )
		making allocatable ( )
		managing ( )
		managing allocation of ( )
		mounting allocated devices ( )
		not requiring authorization for use ( )
		policy commands ( )
		preventing use of all ( )
		preventing use of some ( )
		privilege model and ( )
		protecting by device allocation ( )
		protecting in the kernel ( )
		removing policy ( )
		security ( )
		superuser model and ( )
		unmounting allocated device ( )
		viewing allocation information ( )
		viewing device policy ( )
		zones and ( )

	`dfstab` file
		security modes ( )
		sharing files ( )

	DH authentication
		configuring in NIS ( )
		configuring in NIS+ ( )
		description ( )
		for NIS+ client ( )
		for NIS client ( )
		mounting files with ( )
		sharing files with ( )

	DHCP Management (RBAC), creating role ( )

	dial-up passwords
		creating ( )
		disabling ( )
		disabling temporarily ( )
		`/etc/d_passwd` file ( )
		security ( )

	`dialups` file, creating ( )

	Diffie-Hellman authentication, See DH authentication

	`digest` command
		description ( )
		example ( )
		syntax ( )

	`digestmd5.so.1` plug-in, SASL and ( )

	digests
		computing for file ( )
		of files ( ) ( )

	`dir` line, `audit_control` file ( )

	direct realms ( )

	directories
		See also files
		ACL entries ( ) ( )
		`audit_control` file definitions ( )
		audit directories full ( ) ( )
		`auditd` daemon pointer ( ) ( )
		checklist task setting (ASET) ( ) ( )
		displaying files and related information ( ) ( )
		master files (ASET) ( )
		mounting audit directories ( )
		permissions
			defaults ( )
			description ( )
		public directories ( )
		reports (ASET) ( )
		working directory (ASET) ( ) ( )

	disabling
		abort sequence ( )
		audit policy ( )
		audit service ( )
		cryptographic mechanisms ( )
		device allocation ( )
		dial-up logins temporarily ( )
		dial-up passwords ( )
		executable stacks ( )
		executables that compromise security ( )
		hardware mechanisms ( )
		keyboard abort ( )
		keyboard shutdown ( )
		logging of executable stack messages ( )
		logins temporarily ( )
		programs from using executable stacks ( )
		remote `root` access ( )
		service on a host (Kerberos) ( )
		system abort sequence ( )
		user logins ( )

	disk partitioning, for binary audit files ( )

	disk-space requirements ( )

	diskette drives
		allocating ( )
		device-clean scripts ( )

	displaying
		ACL entries ( ) ( ) ( )
		allocatable devices ( )
		ASET task status ( ) ( )
		audit policies ( )
		audit record formats ( )
		audit records ( )
		audit records in XML format ( )
		device policy ( )
		file information ( )
		files and related information ( )
		format of audit records ( )
		providers in the cryptographic framework ( )
		roles you can assume ( ) ( )
		`root` access attempts ( )
		selected audit records ( )
		`su` command attempts ( )
		sublist of principals (Kerberos) ( )
		user's login status ( ) ( )
		users with no passwords ( )

	`dminfo` command ( )

	DNS, Kerberos and ( )

	`domain_realm` section
		`krb5.conf` file ( ) ( ) ( )

	dot (`.`)
		authorization name separator ( )
		displaying hidden files ( )
		path variable entry ( )

	double dollar sign ($$), parent shell process number ( )

	`DSAAuthentication` keyword, See `PubkeyAuthentication` keyword

	DTD for `praudit` command ( )

	`.dtprofile` script, use in Solaris Secure Shell ( )

	duplicating, principals (Kerberos) ( )

	`DynamicForward` keyword, `ssh_config` file ( )


E

	`ebusy` string, `audit_warn` script ( )

	`eeprom` command ( ) ( )

	`eeprom.rpt` file ( ) ( )

	effective privilege set ( )

	efficiency, auditing and ( )

	`eject` command, device cleanup and ( )

	`elfsign` command
		description ( ) ( )

	enabling
		audit service ( )
		audit service task map ( )
		auditing ( )
		cryptographic mechanisms ( )
		device allocation ( ) ( )
		Kerberized applications only ( )
		kernel software provider use ( )
		keyboard abort ( )
		mechanisms and features on hardware provider ( )

	`encrypt` command
		description ( )
		error messages ( )
		syntax ( )
		troubleshooting ( )

	encrypting
		communications between hosts ( )
		`encrypt` command ( )
		files ( ) ( ) ( )
		network traffic between hosts ( )
		passwords ( )
		private key of NIS user ( )
		Secure NFS ( )
		using user-level commands ( )

	encryption
		algorithms
			Kerberos and ( )
		DES algorithm ( )
		generating symmetric key
			using the `dd` command ( )
			using the `pktool` command ( )
		installing third-party password modules ( )
		list of password algorithms ( )
		modes
			Kerberos and ( )
		password algorithm ( )
		privacy service ( )
		specifying algorithms in `ssh_config` file ( )
		specifying password algorithm
			locally ( )
		specifying password algorithms in `policy.conf` file ( )
		types
			Kerberos and ( ) ( )
		with `-x` option ( )

	ending, signal received during auditing shutdown ( )

	`env.rpt` file ( ) ( )

	environment variables
		See also variables
		`ASETDIR` (ASET) ( )
		`ASETSECLEVEL` (ASET) ( )
		audit token for ( )
		`CKLISTPATH_level` (ASET) ( ) ( )
		overriding proxy servers and ports ( )
		`PATH` ( )
		`PERIODIC_SCHEDULE` (ASET) ( ) ( )
		presence in audit records ( ) ( )
		Solaris Secure Shell and ( )
		summary (ASET) ( )
		`TASKS` (ASET) ( ) ( )
		`UID_ALIASES` (ASET) ( ) ( ) ( )
		use with `ssh-agent` command ( )
		`YPCHECK` (ASET) ( ) ( )

	equal sign (=), file permissions symbol ( )

	error messages
		`encrypt` command ( )
		Kerberos ( )
		with `kpasswd` ( )

	errors
		allocate error state ( )
		audit directories full ( ) ( )
		internal errors ( )

	`EscapeChar` keyword, `ssh_config` file ( )

	`/etc/d_passwd` file
		and `/etc/passwd` file ( )
		creating ( )
		disabling dial-up logins temporarily ( )

	`/etc/default/kbd` file ( )

	`/etc/default/login` file
		description ( )
		login default settings ( )
		restricting remote `root` access ( )
		Solaris Secure Shell and ( )

	`/etc/default/su` file
		displaying `su` command attempts ( )
		monitoring access attempts ( )
		monitoring `su` command ( )

	`/etc/dfs/dfstab` file
		security modes ( )
		sharing files ( )

	`/etc/dialups` file, creating ( )

	`/etc/group` file, ASET checks ( )

	`/etc/hosts.equiv` file, description ( )

	`/etc/krb5/kadm5.acl` file, description ( )

	`/etc/krb5/kadm5.keytab` file, description ( )

	`/etc/krb5/kdc.conf` file, description ( )

	`/etc/krb5/kpropd.acl` file, description ( )

	`/etc/krb5/krb5.conf` file, description ( )

	`/etc/krb5/krb5.keytab` file, description ( )

	`/etc/krb5/warn.conf` file, description ( )

	`/etc/logindevperm` file ( )

	`/etc/nologin` file
		description ( )
		disabling user logins temporarily ( )

	`/etc/nsswitch.conf` file ( )

	`/etc/pam.conf` file, Kerberos and ( )

	`/etc/passwd` file, ASET checks ( )

	`/etc/publickey` file, DH authentication and ( )

	`/etc/security/audit_event` file, audit events and ( )

	`/etc/security/audit_startup` file ( )

	`/etc/security/audit_warn` script ( )

	`/etc/security/bsmconv` script ( )
		description ( )

	`/etc/security/crypt.conf` file
		changing with new password module ( )
		third-party password modules ( )

	`/etc/security/device_allocate` file ( )

	`/etc/security/device_maps` file ( )

	`/etc/security/policy.conf` file, algorithms configuration ( )

	`/etc/ssh_host_dsa_key.pub` file, description ( )

	`/etc/ssh_host_key.pub` file, description ( )

	`/etc/ssh_host_rsa_key.pub` file, description ( )

	`/etc/ssh/shosts.equiv` file, description ( )

	`/etc/ssh/ssh_config` file
		configuring Solaris Secure Shell ( )
		description ( )
		host-specific parameters ( )
		keywords ( )
		override ( )

	`/etc/ssh/ssh_host_dsa_key` file, description ( )

	`/etc/ssh/ssh_host_key` file
		description ( )
		override ( )

	`/etc/ssh/ssh_host_rsa_key` file, description ( )

	`/etc/ssh/ssh_known_hosts` file
		controlling distribution ( )
		description ( )
		override ( )
		secure distribution ( )

	`/etc/ssh/sshd_config` file
		description ( )
		keywords ( )

	`/etc/ssh/sshrc` file, description ( )

	`/etc/syslog.conf` file
		auditing and ( ) ( )
		executable stack messages and ( )
		failed logins and ( )
		PAM and ( )

	`/etc/system` file ( )

	event, description ( )

	event modifier field flags (`header` token) ( )

	`exec_args` audit token
		`argv` policy and ( )
		format ( )

	`exec_attr` database
		description ( )
		summary ( )

	`exec` audit class ( )

	`exec_env` audit token, format ( )

	executable stacks
		disabling logging messages ( )
		logging messages ( )
		protecting against ( ) ( )

	execute permissions, symbolic mode ( )

	execution log (ASET) ( )

	`exit` audit token, format ( )

	`export` subcommand, `pktool` command ( )

	EXTERNAL security mechanism plug-in, SASL and ( )


F

	`-f` option
		Kerberized commands ( ) ( )
		`setfacl` command ( )
		`st_clean` script ( )

	`-F` option
		`deallocate` command ( )
		Kerberized commands ( ) ( )

	failed login attempts
		`loginlog` file ( )
		`syslog.conf` file ( )

	failure
		audit class prefix ( )
		turning off audit classes for ( )

	`FallBackToRsh` keyword, `ssh_config` file ( )

	`fd_clean` script, description ( )

	`file_attr_acc` audit class ( )

	`file_attr_mod` audit class ( )

	`file` audit token, format ( )

	`file_close` audit class ( )

	`file_creation` audit class ( )

	`file_deletion` audit class ( )

	file permission modes
		absolute mode ( )
		symbolic mode ( )

	`FILE` privileges ( )

	`file_read audit` class ( )

	file systems
		NFS ( )
		security
			authentication and NFS ( )
			TMPFS file system ( )
		sharing files ( )
		TMPFS ( )

	file transfers, auditing ( )

	file `vnode` audit token ( )

	`file_write` audit class ( )

	files
		ACL entries
			adding or modifying ( )
			checking ( )
			deleting ( ) ( )
			displaying ( ) ( )
			setting ( )
			valid entries ( )
		ASET checks ( ) ( )
		auditing modifications to ( )
		BART manifests ( )
		changing ACL ( )
		changing group ownership ( )
		changing ownership ( ) ( )
		changing special file permissions ( )
		computing a digest ( )
		computing digests of ( ) ( )
		computing MAC of ( )
		copying ACL entries ( )
		copying with Solaris Secure Shell ( )
		decrypting ( )
		deleting ACL ( )
		determining if has ACL ( )
		digest of ( )
		displaying ACL entries ( )
		displaying file information ( )
		displaying hidden files ( )
		displaying information about ( )
		encrypting ( ) ( )
		file types ( )
		finding files with `setuid` permissions ( )
		for administering Solaris Secure Shell ( )
		hashing ( )
		`kdc.conf` ( )
		Kerberos ( )
		manifests (BART) ( )
		mounting with DH authentication ( )
		ownership
			and `setgid` permission ( )
			and `setuid` permission ( )
		permissions
			absolute mode ( ) ( )
			changing ( ) ( ) ( )
			defaults ( )
			description ( )
			`setgid` ( )
			`setuid` ( )
			sticky bit ( )
			symbolic mode ( ) ( ) ( ) ( )
			`umask` value ( )
		PKCS #12 ( )
		privileges relating to ( )
		protecting with ACLs ( )
		protecting with UNIX permissions ( )
		public objects ( )
		security
			access restriction ( ) ( )
			ACL ( )
			changing ownership ( )
			changing permissions ( ) ( )
			directory permissions ( )
			displaying file information ( ) ( )
			encryption ( ) ( )
			file permissions ( )
			file types ( )
			special file permissions ( )
			`umask` default ( )
			UNIX permissions ( )
			user classes ( )
		setting ACL ( )
		sharing with DH authentication ( )
		special files ( )
		symbols of file type ( )
		`syslog.conf` file ( )
		verifying integrity with `digest` ( )
		with privilege information ( )

	`find` command, finding files with `setuid` permissions ( )

	`firewall.rpt` file ( ) ( )

	firewall systems
		ASET setup ( )
		connecting from outside ( )
		outside connections with Solaris Secure Shell
			from command line ( )
			from configuration file ( )
		packet smashing ( )
		packet transfers ( )
		secure host connections ( )
		security ( )
		trusted hosts ( )

	`flags` line
		`audit_control` file ( )
		process preselection mask ( )

	forced cleanup, `st_clean` script ( )

	format of audit records, `bsmrecord` command ( )

	forwardable tickets
		definition ( )
		description ( )
		example ( )
		with `-F` option ( ) ( )
		with `-f` option ( ) ( )

	`ForwardAgent` keyword, Solaris Secure Shell forwarded authentication ( )

	`ForwardX11` keyword, Solaris Secure Shell port forwarding ( )

	FQDN (Fully Qualified Domain Name), in Kerberos ( )

	`ftp` command
		Kerberos and ( ) ( )
		logging file transfers ( )
		setting protection level in ( )

	`ftpd` daemon, Kerberos and ( )


G

	`GatewayPorts` keyword, Solaris Secure Shell ( )

	gateways, See firewall systems

	`gencert` subcommand, `pktool` command ( )

	generating
		certificates with `pktool` command ( )
		keys for Solaris Secure Shell ( )
		NFS secret keys ( )
		passphrases with `pktool` command ( )
		random number
			using the `dd` command ( )
			using the `pktool` command ( )
		Solaris Secure Shell keys ( )
		symmetric key
			using the `dd` command ( )
			using the `pktool` command ( )

	Generic Security Service API, See GSS-API

	`getdevpolicy` command, description ( )

	`getfacl` command
		`-a` option ( )
		`-d` option ( )
		description ( )
		displaying ACL entries ( )
		examples ( )
		verifying ACL entries ( )

	getting
		access to a specific service ( )
		credential for a server ( )
		credential for a TGS ( )

	`gkadmin` command
		See also SEAM Administration Tool
		description ( )

	`.gkadmin` file
		description ( )
		SEAM Administration Tool and ( )

	`GlobalKnownHostsFile` keyword, `ssh_config` file ( )

	`GlobalKnownHostsFile2` keyword, See `GlobalKnownHostsFile` keyword

	granting access to your account ( ) ( )

	group ACL entries
		default entries for directories ( )
		description ( )
		setting ( )

	`group` audit policy
		and `groups` token ( ) ( )
		description ( )

	`group` audit token, replaced by `groups` token ( )

	group ID numbers (GIDs), special logins and ( )

	groups, changing file ownership ( )

	`groups` audit token ( )

	GSS-API
		authentication in Solaris Secure Shell ( )
		credentials in secure RPC ( )
		credentials in Solaris Secure Shell ( )
		Kerberos and ( ) ( )

	`gssapi.so.1` plug-in, SASL and ( )

	`GSSAPIAuthentication` keyword, Solaris Secure Shell ( )

	`GSSAPIDelegateCredentials` keyword, Solaris Secure Shell ( )

	`GSSAPIKeyExchange` keyword, Solaris Secure Shell ( )

	`GSSAPIStoreDelegatedCredentials` keyword, `ssh_config` file ( )

	`gsscred` command, description ( )

	`gsscred` table, using ( )

	`gssd` daemon, Kerberos and ( )


H

	hard disk, space requirements for auditing ( )

	hard string, `audit_warn` script ( )

	hardware
		listing attached hardware accelerators ( )
		protecting ( ) ( )
		requiring password for access ( )

	hardware providers
		disabling cryptographic mechanisms ( )
		enabling mechanisms and features on ( )
		listing ( )
		loading ( )

	hash
		algorithms
			Kerberos and ( )

	hashing, files ( )

	`header` audit token
		event-modifier field flags ( )
		format ( )
		order in audit record ( )

	help
		SEAM Administration Tool ( ) ( )
		URL for online ( )

	Help Contents, SEAM Administration Tool ( )

	hierarchical realms
		configuring ( )
		in Kerberos ( ) ( )

	high ASET security level ( )

	`hmac-md5` algorithm, `ssh_config` file ( )

	`hmac-sha1` encryption algorithm, `ssh_config` file ( )

	host-based authentication
		configuring in Solaris Secure Shell ( )
		description ( )

	`Host` keyword
		`ssh_config` file ( ) ( )

	host names
		audit prerequisite ( )
		mapping onto realms ( )

	`host` principal
		creating ( ) ( )

	`HostbasedAuthentication` keyword, Solaris Secure Shell ( )

	`HostbasedUsesNamesFromPacketOnly` keyword, `sshd_config` file ( )

	`HostKey` keyword, `sshd_config` file ( )

	`HostKeyAlgorithms` keyword, `ssh_config` file ( )

	`HostKeyAlias` keyword, `ssh_config` file ( )

	hosts
		audit prerequisite ( )
		disabling Kerberos service on ( )
		Solaris Secure Shell hosts ( )
		trusted hosts ( )

	`hosts.equiv` file, description ( )


I

	`-I` option
		`bart create` command ( )
		`st_clean` script ( )

	identity files (Solaris Secure Shell), naming conventions ( )

	`IdentityFile` keyword, `ssh_config` file ( )

	IDs
		audit
			mechanism ( )
			overview ( )
		audit session ( )
		mapping UNIX to Kerberos principals ( )

	`IgnoreRhosts` keyword, `sshd_config` file ( )

	`IgnoreUserKnownHosts` keyword, `sshd_config` file ( )

	`import` subcommand, `pktool` command ( )

	`in.ftpd` daemon, Kerberos and ( )

	`in.rlogind` daemon, Kerberos and ( )

	`in.rshd` daemon, Kerberos and ( )

	`in.telnetd` daemon, Kerberos and ( )

	include control flag, PAM ( )

	inheritable privilege set ( )

	initial ticket, definition ( )

	`install` subcommand, `cryptoadm` command ( )

	installing
		password encryption module ( )
		providers in cryptographic framework ( )
		Secure by Default ( )

	instance, in principal names ( )

	integrity
		Kerberos and ( )
		security service ( )

	interactively running ASET ( )

	INTERNAL plug-in, SASL and ( )

	Internet firewall setup ( )

	Internet-related tokens
		`ip_addr` token ( )
		`ip` token ( )
		`iport` token ( )
		`socket` token ( )

	invalid ticket, definition ( )

	`ioctl()` system calls ( )
		`AUDIO_SETINFO()` ( )

	`ioctl` audit class ( )

	`ip_addr` audit token, format ( )

	IP addresses, Solaris Secure Shell checking ( )

	`ip` audit token, format ( )

	IP MIB-II, getting information from `/dev/arp` ( )

	`ipc` audit class ( )

	`ipc` audit token ( )
		format ( )

	`ipc_perm` audit token, format ( )

	`IPC` privileges ( )

	ipc type field values (`ipc` token) ( )

	`iport` audit token, format ( )

	item size field, `arbitrary` token ( )


J

	JASS toolkit, pointer to ( )


K

	`-k` option
		`encrypt` command ( )
		Kerberized commands ( )
		`mac` command ( )

	`-K` option
		Kerberized commands ( )
		`usermod` command ( )

	`.k5.`REALM file, description ( )

	`.k5login` file
		description ( ) ( )
		rather than revealing password ( )

	`kadm5.acl` file
		description ( )
		format of entries ( )
		master KDC entry ( ) ( ) ( )
		new principals and ( ) ( )

	`kadm5.keytab` file
		description ( ) ( )

	`kadmin` command
		creating `host` principal ( ) ( )
		description ( )
		`ktadd` command ( )
		`ktremove` command ( )
		removing principals from keytab with ( )
		SEAM Administration Tool and ( )

	`kadmin.local` command
		adding administration principals ( ) ( )
		automating creation of principals ( )
		creating keytab file ( ) ( )
		description ( )

	`kadmin.log` file, description ( )

	`kadmind` daemon
		Kerberos and ( )
		master KDC and ( )

	`kadmind` principal ( )

	`kbd` file ( )

	`KbdInteractiveAuthentication` keyword, Solaris Secure Shell ( )

	`kcfd` daemon ( )

	`kclient` command, description ( )

	`kdb5_ldap_util` command, description ( )

	`kdb5_util` command
		creating KDC database ( )
		creating stash file ( ) ( )
		description ( )

	KDC
		backing up and propagating ( )
		configuring master
			manual ( )
			with LDAP ( )
		configuring slave
			manual ( )
		copying administration files from slave to master ( ) ( )
		creating database ( )
		creating `host` principal ( ) ( )
		database propagation ( )
		master
			definition ( )
		planning ( )
		ports ( )
		restricting access to servers ( )
		slave ( )
			definition ( )
		slave or master ( ) ( )
		starting daemon ( ) ( )
		swapping master and slave ( )
		synchronizing clocks
			master KDC ( ) ( )
			slave KDC ( ) ( )

	`kdc.conf` file
		description ( )
		ticket lifetime and ( )

	`kdc.log` file, description ( )

	`kdestroy` command
		example ( )
		Kerberos and ( )

	`KeepAlive` keyword, Solaris Secure Shell ( )

	Kerberos
		administering ( )
		Administration Tool
			See SEAM Administration Tool
		commands ( ) ( )
		components of ( )
		configuration decisions ( )
		configuring KDC servers ( )
		daemons ( )
		`dfstab` file option ( )
		enabling Kerberized applications only ( )
		encryption types
			overview ( )
			using ( )
		error messages ( )
		examples of using Kerberized commands ( )
		files ( )
		gaining access to server ( )
		granting access to your account ( )
		Kerberos V5 protocol ( )
		online help ( )
		options to Kerberized commands ( )
		overview
			authentication system ( ) ( )
			Kerberized commands ( )
		password management ( )
		planning for ( )
		realms
			See realms (Kerberos)
		reference ( )
		remote applications ( )
		table of network command options ( )
		terminology ( ) ( )
		troubleshooting ( )
		using ( )

	Kerberos authentication
		and Secure RPC ( )
		`dfstab` file option ( )

	Kerberos commands ( )
		enabling only Kerberized ( )
		examples ( )

	`kern.notice` entry, `syslog.conf` file ( )

	kernel providers, listing ( )

	Key Distribution Center, See KDC

	key management framework (KMF), See KMF

	`KEYBOARD_ABORT` system variable ( )

	`keylogin` command
		use for Secure RPC ( )
		verifying DH authentication setup ( )

	`KeyRegenerationInterval` keyword, `sshd_config` file ( )

	keys
		creating DH key for NIS user ( )
		creating for Solaris Secure Shell ( )
		definition in Kerberos ( )
		generating for Solaris Secure Shell ( )
		generating symmetric key
			using the `dd` command ( )
			using the `pktool` command ( )
		service key ( )
		session keys
			Kerberos authentication and ( )
		using for MAC ( )

	`keyserv` daemon ( )

	keyserver
		description ( )
		starting ( )

	keystores
		exporting certificates ( )
		importing certificates ( )
		listing contents ( )
		managed by KMF ( )
		protecting with password in KMF ( )
		supported by KMF ( ) ( )

	keytab file
		adding master KDC's host principal to ( ) ( )
		adding service principal to ( ) ( )
		administering ( )
		administering with `ktutil` command ( )
		creating ( ) ( )
		disabling a host's service with `delete_entry` command ( )
		read into keytab buffer with `read_kt` command ( ) ( )
		removing principals with `ktremove` command ( )
		removing service principal from ( )
		viewing contents with `ktutil` command ( ) ( )
		viewing keylist buffer with `list` command ( ) ( )

	`keytab` option, SASL and ( )

	keywords
		See also specific keyword
		attribute in BART ( )
		command-line overrides in Solaris Secure Shell ( )
		Solaris Secure Shell ( )

	`kgcmgr` command, description ( )

	`kinit` command
		`-F` option ( )
		example ( )
		Kerberos and ( )
		ticket lifetime ( )

	`klist` command
		`-f` option ( )
		example ( )
		Kerberos and ( )

	KMF
		creating
			passphrases for keystores ( )
			password for keystore ( )
			self-signed certificate ( )
		exporting certificates ( )
		importing certificates into keystore ( )
		keystores ( ) ( )
		library ( )
		managing
			keystores ( )
			PKI policy ( )
			public key technologies (PKI) ( )
		utilities ( )

	`kmfcfg` command ( )

	`known_hosts` file
		controlling distribution ( )
		description ( )

	Korn shell, privileged version ( )

	`kpasswd` command
		error message ( )
		example ( )
		Kerberos and ( )
		`passwd` command and ( )

	`kprop` command, description ( )

	`kpropd.acl` file, description ( )

	`kpropd` daemon, Kerberos and ( )

	`kproplog` command, description ( )

	`krb5.conf` file
		description ( )
		`domain_realm` section ( )
		editing ( ) ( )
		ports definition ( )

	`krb5.keytab` file, description ( )

	`krb5cc_`uid file, description ( )

	`krb5kdc` daemon
		Kerberos and ( )
		master KDC and ( )
		starting ( ) ( )

	`ksh` command, privileged version ( )

	`ktadd` command
		adding service principal ( ) ( )
		syntax ( )

	`ktkt_warnd` daemon, Kerberos and ( )

	`ktremove` command ( )

	`ktutil` command
		administering keytab file ( )
		`delete_entry` command ( )
		Kerberos and ( )
		`list` command ( ) ( )
		`read_kt` command ( ) ( )
		viewing list of principals ( ) ( )


L

	`-L` option, `ssh` command ( )

	LDAP, configuring master KDC using ( )

	LDAP name service
		passwords ( )
		specifying password algorithm ( )

	least privilege, principle of ( )

	libraries, user-level providers ( )

	lifetime of ticket, in Kerberos ( )

	limit privilege set ( )

	limiting
		audit file size ( )
		use of privileges by user or role ( )

	`limitpriv` keyword, `user_attr` database ( )

	`list` command ( ) ( )

	`list_devices` command
		authorizations for ( )
		authorizations required ( )
		description ( )

	list privilege, SEAM Administration Tool and ( )

	`list` subcommand, `pktool` command ( )

	`ListenAddress` keyword, `sshd_config` file ( )

	listing
		available providers in cryptographic framework ( )
		contents of keystore ( )
		cryptographic framework providers ( )
		device policy ( )
		hardware providers ( )
		providers in the cryptographic framework ( )
		roles you can assume ( ) ( )
		users with no passwords ( )

	`LocalForward` keyword, `ssh_config` file ( )

	log files
		audit records ( ) ( )
		BART
			programmatic output ( )
			verbose output ( )
		configuring for audit service ( )
		examining audit records ( )
		execution log (ASET) ( )
		failed login attempts ( )
		monitoring `su` command ( )
		space for audit records ( )
		`syslog` audit records ( )
		`/var/adm/messages` ( )
		`/var/log/syslog` ( )

	`log_level` option, SASL and ( )

	`logadm` command, archiving textual audit files ( )

	logging, `ftp` file transfers ( )

	logging in
		and `AUTH_DH` ( )
		auditing logins ( )
		disabling temporarily ( )
		displaying user's login status ( ) ( )
		log of failed logins ( )
		monitoring failures ( )
		`root` login
			account ( )
			restricting to console ( )
			tracking ( )
		security
			access control on devices ( )
			access restrictions ( ) ( )
			saving failed attempts ( )
			system access control ( )
			tracking `root` login ( )
		system logins ( )
		task map ( )
		users' basic privilege set ( )
		with Solaris Secure Shell ( )

	`login` environment variables, Solaris Secure Shell and ( )

	`login` file
		login default settings ( )

	`.login` file, path variable entry ( )

	`login` file
		restricting remote `root` access ( )

	`login_logout` audit class ( )

	`LoginGraceTime` keyword, `sshd_config` file ( )

	`loginlog` file, saving failed login attempts ( )

	`logins` command
		displaying user's login status ( ) ( )
		displaying users with no passwords ( )
		syntax ( )

	`LogLevel` keyword, Solaris Secure Shell ( )

	`LookupClientHostname` keyword, `sshd_config` file ( )

	low ASET security level ( )


M

	`-M` option, `auditreduce` command ( )

	`mac` command
		description ( )
		syntax ( )

	machine security, See system security

	`MACS` keyword, Solaris Secure Shell ( )

	mail, using with Solaris Secure Shell ( )

	`makedbm` command, description ( )

	managing
		See also administering
		audit files ( ) ( )
		audit records task map ( )
		audit trail overflow ( )
		auditing ( )
		auditing in zones ( ) ( )
		device allocation task map ( )
		devices ( )
		file permissions ( )
		keystores with KMF ( )
		passwords with Kerberos ( )
		privileges task map ( )
		RBAC task map ( )

	manifests
		See also `bart create`
		control ( )
		customizing ( )
		file format ( )
		test ( )

	manually configuring
		Kerberos
			master KDC server ( )
			master KDC server using LDAP ( )
			slave KDC server ( )

	mapping
		host names onto realms (Kerberos) ( )
		UIDs to Kerberos principals ( )

	mapping GSS credentials ( )

	mappings, events to classes (auditing) ( )

	mask (auditing)
		description of process preselection ( )
		system-wide process preselection ( )

	mask ACL entries
		default entries for directories ( )
		description ( )
		setting ( )

	master files (ASET) ( ) ( ) ( )

	master KDC
		configuring with LDAP ( )
		definition ( )
		manually configuring ( )
		slave KDCs and ( ) ( )
		swapping with slave KDC ( )

	`max_life` value, description ( )

	`max_renewable_life` value, description ( )

	`MaxAuthTries` keyword, `sshd_config` file ( )

	`MaxAuthTriesLog` keyword, `sshd_config` file ( )

	`MaxStartups` keyword, `sshd_config` file ( )

	MD5 encryption algorithm
		kernel provider ( )
		`policy.conf` file ( )

	`mech_dh` mechanism
		GSS-API credentials ( )
		secure RPC ( )

	`mech_krb` mechanism, GSS-API credentials ( )

	`mech_list` option, SASL and ( )

	mechanism, definition in cryptographic framework ( )

	mechanisms
		disabling all on hardware provider ( )
		enabling some on hardware provider ( )

	medium ASET security level ( )

	merging, binary audit records ( )

	message authentication code (MAC), computing for file ( )

	`messages` file, executable stack messages ( )

	metaslot
		administering ( )
		definition in cryptographic framework ( )

	microphone
		allocating ( )
		deallocating ( )

	`minfree` line
		`audit_control` file ( )
		`audit_warn` condition ( )

	minus sign (-)
		audit class prefix ( )
		entry in `sulog` file ( )
		file permissions symbol ( )
		symbol of file type ( )

	mode, definition in cryptographic framework ( )

	modifying
		policies (Kerberos) ( )
		principal's password (Kerberos) ( )
		principals (Kerberos) ( )
		role assignment to a user ( )
		roles (RBAC) ( )
		users (RBAC) ( )

	modules, password encryption ( )

	monitoring
		audit trail in real time ( )
		failed logins ( )
		`su` command attempts ( ) ( )
		superuser access attempts ( )
		superuser task map ( )
		system usage ( ) ( )
		use of privileged commands ( )

	`mount` command, with security attributes ( )

	mounting
		allocated CD-ROM ( )
		allocated devices ( )
		allocated diskette ( )
		audit directories ( )
		files with DH authentication ( )

	`mt` command, tape device cleanup and ( )


N

	n2cp driver
		hardware plugin to cryptographic framework ( )
		listing mechanisms ( )

	`naflags` line, `audit_control` file ( )

	name services
		See also individual name services
		scope and RBAC ( )

	names
		audit classes ( )
		audit files ( )
		device names
			`device_maps` file ( ) ( )

	naming conventions
		audit directories ( ) ( )
		audit files ( )
		devices ( )
		RBAC authorizations ( )
		Solaris Secure Shell identity files ( )

	ncp driver
		hardware plugin to cryptographic framework ( )
		listing mechanisms ( )

	`NET` privileges ( )

	`netservices limited` installation option ( )

	network, privileges relating to ( )

	`network` audit class ( )

	network security
		authentication ( )
		authorizations ( )
		controlling access ( )
		firewall systems
			need for ( )
			packet smashing ( )
			trusted hosts ( )
		overview ( )
		reporting problems ( )

	Network Security (RBAC), creating role ( )

	Network Time Protocol, See NTP

	never-audit classes, `audit_user` database ( )

	new features
		auditing enhancements ( )
		BART ( )
		commands
			`bart compare` ( )
			`bart create` ( )
			`cryptoadm` ( )
			`decrypt` ( )
			`digest` ( )
			`encrypt` ( )
			`getdevpolicy` ( )
			`kcfd` ( )
			`kclient` ( )
			`kpropd` ( )
			`mac` ( )
			`ppriv` ( )
			`praudit -x` ( )
			`ssh-keyscan` ( )
			`ssh-keysign` ( )
		cryptographic framework ( )
		device policy ( )
		Kerberos enhancements ( )
		metaslot ( )
		PAM enhancements ( )
		privileges ( )
		process rights management ( )
		SASL ( )
		Solaris Cryptographic Framework ( )
		Solaris Secure Shell enhancements ( )
		strong password encryption ( )
		system security enhancements ( )

	`newkey` command
		creating key for NIS user ( )
		generating keys ( )

	NFS file systems
		ASET and ( )
		authentication ( )
		providing client-server security ( )
		secure access with `AUTH_DH` ( )

	NFS servers, configuring for Kerberos ( )

	NIS+ name service
		adding authenticated user ( )
		ASET checks ( )
		authentication ( )
		`cred` database ( )
		`cred` table ( )
		passwords ( )
		specifying password algorithm ( )

	NIS name service
		authentication ( )
		passwords ( )
		specifying password algorithm ( )

	`nisaddcred` command
		adding client credential ( )
		generating keys ( )

	`no_class` audit class ( )

	`nobody` user ( )

	`noexec_user_stack_log` variable ( ) ( )

	`noexec_user_stack` variable ( ) ( )

	`NoHostAuthenticationForLocalHost` keyword, `ssh_config` file ( )

	`nologin` file, description ( )

	`non_attrib` audit class ( )

	nonattributable classes ( )

	nonhierarchical realms, in Kerberos ( )

	`nscd` (name service cache daemon)
		starting with `svcadm` command ( )
		use ( )

	NSS, managing keystore ( )

	`nsswitch.conf` file, login access restrictions ( )

	NTP
		Kerberos planning and ( )
		master KDC and ( ) ( )
		slave KDC and ( ) ( )

	`null` audit class ( )

	`NumberOfPasswordPrompts` keyword, `ssh_config` file ( )


O

	`-O` option, `auditreduce` command ( )

	object reuse requirements
		device-clean scripts
			tape drives ( )
			writing new scripts ( )
		for devices ( )

	obtaining
		access to a specific service ( )
		credential for a server ( )
		credential for a TGS ( )
		forwardable tickets ( )
		privileged commands ( )
		privileges ( ) ( ) ( )
		privileges on a process ( )
		tickets with `kinit` ( )

	online help
		SEAM Administration Tool ( )
		URL for ( )

	`opaque` audit token, format ( )

	OpenSSH, See Solaris Secure Shell

	OpenSSL, managing keystore ( )

	Operator (RBAC)
		contents of rights profile ( )
		creating role ( )
		recommended role ( )

	optional control flag, PAM ( )

	options to Kerberized commands ( )

	other ACL entries, description ( )

	`other` audit class ( )

	overflow prevention, audit trail ( )

	`ovsec_adm.`xxxxx file, description ( )

	ownership of files
		ACLs and ( )
		changing ( ) ( )
		changing group ownership ( )
		UFS ACLs and ( )


P

	`p_minfree` attribute, `audit_warn` condition ( )

	packages, Solaris Secure Shell ( )

	packet transfers
		firewall security ( )
		packet smashing ( )

	PAM
		adding a module ( )
		configuration file
			control flags ( )
			introduction ( )
			stacking diagrams ( )
			stacking example ( )
			stacking explained ( )
			syntax ( )
		`/etc/syslog.conf` file ( )
		framework ( )
		Kerberos and ( ) ( )
		overview ( )
		planning ( )
		task map ( )

	`pam.conf` file
		See PAM configuration file
		Kerberos and ( )

	`pam_roles` command, description ( )

	`PAMAuthenticationViaKBDInt` keyword, `sshd_config` file ( )

	panels, table of SEAM Administration Tool ( )

	passphrases
		changing for Solaris Secure Shell ( )
		`encrypt` command ( )
		example ( )
		generating in KMF ( )
		`mac` command ( )
		storing safely ( )
		using for MAC ( )
		using in Solaris Secure Shell ( ) ( )

	`PASSREQ` in Solaris Secure Shell ( )

	`passwd` command
		and `kpasswd` command ( )
		and name services ( )
		changing password of role ( )

	`passwd` file
		and `/etc/d_passwd` file ( )
		ASET checks ( )

	password authentication, Solaris Secure Shell ( )

	`PasswordAuthentication` keyword, Solaris Secure Shell ( )

	passwords
		authentication in Solaris Secure Shell ( )
		changing role password ( )
		changing with `kpasswd` command ( )
		changing with `passwd -r` command ( )
		changing with `passwd` command ( )
		creating for dial-up ( )
		dial-up passwords
			disabling temporarily ( )
			`/etc/d_passwd` file ( )
		disabling dial-up temporarily ( )
		displaying users with no passwords ( )
		eliminating in Solaris Secure Shell ( )
		eliminating in Solaris Secure Shell in CDE ( )
		encryption algorithms ( )
		finding users with no passwords ( )
		granting access without revealing ( )
		hardware access and ( )
		installing third-party encryption module ( )
		LDAP ( )
			specifying new password algorithm ( )
		local ( )
		login security ( ) ( ) ( )
		managing ( )
		modifying a principal's password ( )
		NIS ( )
			specifying new password algorithm ( )
		NIS+ ( )
			specifying new password algorithm ( )
		policies and ( )
		PROM security mode ( ) ( )
		protecting
			keystore ( )
			PKCS #12 file ( )
		requiring for hardware access ( )
		secret-key decryption for Secure RPC ( )
		specifying algorithm ( )
			in name services ( )
			locally ( )
		suggestions on choosing ( )
		system logins ( ) ( )
		task map ( )
		UNIX and Kerberos ( )
		using Blowfish encryption algorithm for ( )
		using MD5 encryption algorithm for ( )
		using new algorithm ( )

	`path_attr` audit token ( ) ( )

	`path` audit policy, description ( )

	`path` audit token, format ( )

	`PATH` environment variable
		and security ( )
		setting ( )

	`PATH` in Solaris Secure Shell ( )

	`PERIODIC_SCHEDULE` variable (ASET) ( ) ( )

	permissions
		ACLs and ( )
		ASET handling of ( ) ( )
		changing file permissions
			absolute mode ( ) ( )
			`chmod` command ( )
			symbolic mode ( ) ( ) ( ) ( )
		defaults ( )
		directory permissions ( )
		file permissions
			absolute mode ( ) ( )
			changing ( ) ( )
			description ( )
			special permissions ( ) ( )
			symbolic mode ( ) ( ) ( ) ( )
		finding files with `setuid` permissions ( )
		`setgid` permissions
			absolute mode ( ) ( )
			description ( )
			symbolic mode ( )
		`setuid` permissions
			absolute mode ( ) ( )
			description ( )
			security risks ( )
			symbolic mode ( )
		special file permissions ( ) ( ) ( )
		sticky bit ( )
		tune files (ASET) ( ) ( ) ( )
		UFS ACLs and ( )
		`umask` value ( )
		user classes and ( )

	`PermitEmptyPasswords` keyword, `sshd_config` file ( )

	`PermitRootLogin` keyword, `sshd_config` file ( )

	permitted privilege set ( )

	`PermitUserEnvironment` keyword, `sshd_config` file ( )

	`perzone` audit policy
		description ( )
		setting ( )
		using ( ) ( ) ( )
		when to use ( )

	`pfcsh` command, description ( )

	`pfexec` command, description ( )

	`pfksh` command, description ( )

	`pfsh` command, description ( )

	physical security, description ( )

	PKCS #11 library
		adding provider library ( )
		in Solaris Cryptographic Framework ( )

	PKCS #11 softtokens, managing keystore ( )

	PKCS #12 files, protecting ( )

	`pkcs11_kernel.so` user-level provider ( )

	`pkcs11_softtoken.so` user-level provider ( )

	`pkgadd` command
		installing third-party providers ( )
		installing third-party software ( )

	PKI
		managed by KMF ( )
		policy managed by KMF ( )

	`pktool` command
		creating self-signed certificate ( )
		`export` subcommand ( )
		`gencert` subcommand ( )
		generating secret keys ( )
		`import` subcommand ( )
		`list` subcommand ( )
		managing PKI objects ( )
		`setpin` subcommand ( )

	`plain.so.1` plug-in, SASL and ( )

	planning
		auditing ( )
		auditing in zones ( )
		auditing task map ( )
		Kerberos
			client and service principal names ( )
			clock synchronization ( )
			configuration decisions ( )
			database propagation ( )
			number of realms ( )
			ports ( )
			realm hierarchy ( )
			realm names ( )
			realms ( )
			slave KDCs ( )
		PAM ( )
		RBAC ( )

	pluggable authentication module, See PAM

	`plugin` line
		`audit_control` file ( )
		`p_*` attributes ( )
		`qsize` attribute ( )

	`plugin_list` option, SASL and ( )

	plugins
		in audit service ( )
		in cryptographic framework ( )
		loaded by `auditd` daemon ( )
		SASL and ( )

	plus sign (+)
		ACL entry ( )
		audit class prefix ( )
		entry in `sulog` file ( )
		file permissions symbol ( )

	policies
		administering ( ) ( )
		creating (Kerberos) ( )
		creating new (Kerberos) ( )
		deleting ( )
		for auditing ( )
		modifying ( )
		on devices ( )
		overview ( )
		passwords and ( )
		SEAM Administration Tool panels for ( )
		specifying password algorithm ( )
		task map for administering ( )
		viewing attributes ( )
		viewing list of ( )

	policy
		definition in cryptographic framework ( )
		definition in Solaris OS ( )

	`policy.conf` file
		adding password encryption module ( )
		Basic Solaris User rights profile ( )
		description ( ) ( )
		keywords
			for password algorithms ( )
			for privileges ( ) ( )
			for RBAC authorizations ( )
			for rights profiles ( )
		specifying encryption algorithms in ( )
		specifying password algorithm
			in name services ( )
		specifying password algorithms ( )

	port forwarding
		configuring in Solaris Secure Shell ( )
		Solaris Secure Shell ( ) ( )

	`Port` keyword, Solaris Secure Shell ( )

	ports, for Kerberos KDC ( )

	postdated ticket
		definition ( )
		description ( )

	postsigterm string, `audit_warn` script ( )

	pound sign (#)
		`device_allocate` file ( )
		`device_maps` file ( )

	`ppriv` command
		for debugging ( )
		listing privileges ( )

	`praudit` command
		converting audit records to readable format ( ) ( )
		DTD for `-x` option ( )
		options ( )
		output formats ( )
		piping `auditreduce` output to ( )
		use in a script ( )
		viewing audit records ( )
		with no options ( )
		XML format ( )

	`PreferredAuthentications` keyword, `ssh_config` file ( )

	prefixes for audit classes ( )

	preselecting, audit classes ( )

	preselection in auditing ( )

	preselection mask (auditing)
		description ( )
		reducing storage costs ( )
		system-wide ( )

	preventing
		access to system hardware ( )
		audit trail overflow ( )
		executables from compromising security ( )
		kernel software provider use ( )
		use of hardware mechanism ( )

	primary, in principal names ( )

	Primary Administrator (RBAC)
		assuming role ( )
		recommended role ( )
		rights profile contents ( )

	primary audit directory ( )

	principal
		adding administration ( ) ( )
		adding service principal to keytab ( ) ( )
		administering ( ) ( )
		automating creation of ( )
		creating ( )
		creating `clntconfig` ( ) ( )
		creating `host` ( ) ( )
		deleting ( )
		duplicating ( )
		Kerberos ( )
		modifying ( )
		principal name ( )
		removing from keytab file ( )
		removing service principal from keytab ( )
		SEAM Administration Tool panels for ( )
		service principal ( )
		setting up defaults ( )
		task map for administering ( )
		user ID comparison ( )
		user principal ( )
		viewing attributes ( )
		viewing list of ( )
		viewing sublist of principals ( )

	`principal` file, description ( )

	`principal.kadm5` file, description ( )

	`principal.kadm5.lock` file, description ( )

	`principal.ok` file, description ( )

	`principal.ulog` file, description ( )

	principle of least privilege ( )

	print format field, `arbitrary` token ( )

	Printer Management rights profile ( )

	printing, audit log ( )

	`PrintMotd` keyword, `sshd_config` file ( )

	`priv.debug` entry, `syslog.conf` file ( )

	`PRIV_DEFAULT` keyword
		`policy.conf` file ( ) ( )

	`PRIV_LIMIT` keyword
		`policy.conf` file ( ) ( )

	`PRIV_PROC_LOCK_MEMORY` privilege ( ) ( )

	privacy
		availability ( )
		Kerberos and ( )
		security service ( )

	private keys
		See also secret keys
		definition in Kerberos ( )
		Solaris Secure Shell identity files ( )

	private protection level ( )

	`privilege` audit token ( ) ( )

	privilege checking, in applications ( )

	privilege sets
		adding privileges to ( )
		basic ( )
		effective ( )
		inheritable ( )
		limit ( )
		listing ( )
		permitted ( )
		removing privileges from ( )

	privileged application
		authorization checking ( )
		description ( )
		ID checking ( )
		privilege checking ( )

	privileged ports, alternative to Secure RPC ( )

	privileges
		adding to command ( )
		administering ( )
		assigning to a command ( )
		assigning to a script ( )
		assigning to a user ( )
		assigning to user or role ( )
		auditing and ( )
		categories ( )
		commands ( )
		compared to superuser model ( )
		debugging ( ) ( )
		description ( ) ( ) ( )
		determining directly assigned ones ( )
		devices and ( )
		differences from superuser model ( )
		effects on SEAM Administration Tool ( )
		escalation ( )
		executing commands with privilege ( )
		files ( )
		finding missing ( )
		how to use ( )
		implemented in sets ( )
		inherited by processes ( )
		limiting use by user or role ( )
		listing on a process ( )
		`PRIV_PROC_LOCK_MEMORY` ( ) ( )
		processes with assigned privileges ( )
		programs aware of privileges ( )
		protecting kernel processes ( )
		removing from a user ( )
		removing from basic set ( )
		removing from limit set ( )
		task map ( )
		troubleshooting requirements for ( )
		using in shell script ( )

	`privileges` file, description ( )

	`PROC` privileges ( )

	process audit characteristics
		audit ID ( )
		audit session ID ( )
		process preselection mask ( )
		terminal ID ( )

	`process` audit class ( )

	`process` audit token, format ( )

	`process modify` audit class ( )

	process preselection mask, description ( )

	process privileges ( )

	process rights management, See privileges

	`process start` audit class ( )

	processing time costs, of audit service ( )

	`prof_attr` database
		description ( )
		summary ( )

	`.profile` file, path variable entry ( )

	profile shells, description ( )

	profiles, See rights profiles

	`profiles` command, description ( )

	`PROFS_GRANTED` keyword, `policy.conf` file ( )

	programs
		checking for RBAC authorizations ( )
		privilege-aware ( ) ( )

	`project.max-locked-memory` resource control ( ) ( )

	PROM security mode ( )

	propagation
		KDC database ( )
		Kerberos database ( )

	protecting
		BIOS, pointer to ( )
		by using passwords with cryptographic framework ( )
		contents of keystore ( )
		files with cryptographic framework ( )
		PROM ( )
		system from risky programs ( )

	protecting files
		task map ( )
		user procedures ( )
		with ACLs ( )
		with ACLs task map ( )
		with UFS ACLs ( )
		with UNIX permissions ( ) ( )
		with UNIX permissions task map ( )

	protection level
		clear ( )
		private ( )
		safe ( )
		setting in `ftp` ( )

	`Protocol` keyword, `ssh_config` file ( )

	providers
		adding library ( )
		adding software provider ( )
		adding user-level software provider ( )
		connecting to cryptographic framework ( )
		definition as plugins ( ) ( )
		definition in cryptographic framework ( )
		disabling hardware mechanisms ( )
		installing ( )
		listing hardware providers ( )
		listing in cryptographic framework ( )
		preventing use of kernel software provider ( )
		registering ( )
		restoring use of kernel software provider ( )
		signing ( )

	proxiable ticket, definition ( )

	proxy ticket, definition ( )

	`ProxyCommand` keyword, `ssh_config` file ( )

	pseudo-tty, use in Solaris Secure Shell ( )

	`PubkeyAuthentication` keyword, Solaris Secure Shell ( )

	`public` audit policy
		description ( )
		read-only events ( )

	public directories
		auditing ( )
		sticky bit and ( )

	public key authentication, Solaris Secure Shell ( )

	public key cryptography
		`AUTH_DH` client-server session ( )
		changing NFS public keys and secret keys ( )
		common keys
			calculation ( )
		database of public keys for Secure RPC ( )
		generating keys
			conversation keys for Secure NFS ( )
			using Diffie-Hellman ( )
		NFS secret keys ( )

	public key technologies, See PKI

	public keys
		changing passphrase ( )
		DH authentication and ( )
		generating public-private key pair ( )
		Solaris Secure Shell identity files ( )

	public objects, auditing ( )

	`publickey` map, DH authentication ( )

	`pwcheck_method` option, SASL and ( )


Q

	`qsize` attribute, `plugin` entry ( )

	question mark (?), in ASET tune files ( )

	quoting syntax in BART ( )


R

	`-R` option
		`bart create` ( ) ( )
		`ssh` command ( )

	random numbers
		`dd` command ( )
		`pktool` command ( )

	raw `praudit` output format ( )

	RBAC
		adding custom roles ( )
		adding new rights profile ( )
		adding roles ( )
		adding roles from command line ( )
		administration commands ( )
		audit profiles ( )
		auditing roles ( )
		authorization database ( )
		authorizations ( )
		basic concepts ( )
		changing role passwords ( )
		changing user properties
			from command line ( )
		checking scripts or programs for authorizations ( )
		commands for managing ( )
		compared to superuser model ( )
		configuring ( )
		database relationships ( )
		databases ( )
		editing rights profiles ( )
		elements ( )
		modifying roles ( )
		modifying users ( )
		name services and ( )
		planning ( )
		profile shells ( )
		rights profile database ( )
		rights profiles ( )
		securing scripts ( )
		using privileged applications ( )

	RC4, See ARCFOUR kernel provider

	`rcp` command
		Kerberos and ( ) ( )

	`rdist` command, Kerberos and ( )

	`read_kt` command ( ) ( )

	read permissions, symbolic mode ( )

	readable audit record format
		converting audit records to ( ) ( )

	realms (Kerberos)
		configuration decisions ( )
		configuring cross-realm authentication ( )
		contents of ( )
		direct ( )
		hierarchical ( )
		hierarchical or nonhierarchical ( )
		hierarchy ( )
		in principal names ( )
		mapping host names onto ( )
		names ( )
		number of ( )
		requesting tickets for specific ( )
		servers and ( )

	`reauth_timeout` option, SASL and ( )

	redirecting arrow (>), preventing redirection ( )

	reducing
		audit files ( ) ( )
		storage-space requirements for audit files ( )

	refreshing, cryptographic services ( )

	registering providers, cryptographic framework ( )

	`rem_drv` command, description ( )

	remote logins
		authentication ( )
		authorization ( )
		preventing superuser from ( )
		security and ( )

	`RemoteForward` keyword, `ssh_config` file ( )

	removing
		ACL entries ( )
		audit events from `audit_event` file ( )
		cryptographic providers ( ) ( )
		device policy ( )
		policy from device ( )
		principals with `ktremove` command ( )
		privileges from basic set ( )
		privileges from limit set ( )
		service principal from keytab file ( )
		software providers
			permanently ( ) ( )
			temporarily ( )

	renewable ticket, definition ( )

	replacing, superuser with roles ( )

	replayed transactions ( )

	reporting tool, See `bart compare`

	reports
		ASET ( ) ( ) ( )
		BART ( )
		comparing (ASET) ( )
		directory (ASET) ( )

	required control flag, PAM ( )

	requisite control flag, PAM ( )

	resource controls
		privileges, and ( ) ( )
		`project.max-locked-memory` ( ) ( )
		`zone.max-locked-memory` ( ) ( )

	restarting
		audit daemon ( )
		cryptographic services ( )
		`ssh` service ( )
		`sshd` daemon ( )

	restoring, cryptographic providers ( )

	restricted shell (`rsh`) ( )

	restricting
		remote superuser access ( )
		superuser task map ( )
		user privileges ( )

	restricting access for KDC servers ( )

	`RETRIES` in Solaris Secure Shell ( )

	`return` audit token, format ( )

	`rewoffl` option
		`mt` command
			tape device cleanup and ( )

	`.rhosts` file, description ( )

	`RhostsAuthentication` keyword, Solaris Secure Shell ( )

	`RhostsRSAAuthentication` keyword, Solaris Secure Shell ( )

	right, See rights profiles

	rights profiles
		for audit service ( )
		changing contents of ( )
		changing from command line ( )
		contents of typical ( )
		creating
			in Solaris Management Console ( )
			on command line ( )
		creating roles for ( )
		databases
			See `prof_attr` database and `exec_attr` database
		description ( ) ( )
		major rights profiles descriptions ( )
		methods of creating ( )
		modifying ( )
		ordering ( )
		troubleshooting ( )
		using the System Administrator profile ( )
		viewing contents ( )

	Rights tool, description ( )

	`rlogin` command
		Kerberos and ( ) ( )

	`rlogind` daemon, Kerberos and ( )

	role-based access control, See RBAC

	`roleadd` command
		description ( )
		using ( )

	`roledel` command, description ( )

	`rolemod` command
		changing properties of role ( )
		description ( )

	roles
		adding custom roles ( )
		adding for particular profiles ( )
		adding from command line ( )
		assigning privileges to ( )
		assigning with `usermod` command ( )
		assuming ( ) ( )
		assuming after login ( )
		assuming in a terminal window ( ) ( )
		assuming in Solaris Management Console ( )
		assuming Primary Administrator role ( )
		assuming `root` role ( )
		assuming System Administrator role ( )
		auditing ( )
		changing password of ( )
		changing properties of ( )
		creating
			Crypto Management role ( )
			Custom Operator role ( )
			Device Security role ( )
			DHCP Management role ( )
			for particular profiles ( )
			Network Security role ( )
			on command line ( )
			Operator role ( )
			role with limited scope ( )
			`root` role ( )
			security-related roles ( )
			System Administrator role ( )
		description ( )
		determining directly assigned privileges ( )
		determining role's privileged commands ( )
		listing local roles ( ) ( )
		making `root` user into role ( )
		modifying ( )
		modifying assignment to a user ( )
		recommended roles ( )
		summary ( )
		troubleshooting ( )
		use in RBAC ( )
		using an assigned role ( ) ( )
		using to access the hardware ( )

	`roles` command
		description ( )
		using ( )

	`root` principal, adding to host's keytab ( )

	`root` role (RBAC)
		assuming role ( )
		changing back into `root` user ( )
		troubleshooting ( )

	`root` user
		changing from `root` role ( )
		changing to `root` role ( )
		displaying access attempts on console ( )
		login account
			description ( )
		monitoring `su` command attempts ( ) ( )
		replacing in RBAC ( )
		restricting access ( )
		restricting remote access ( ) ( )
		tracking logins ( )

	RPCSEC_GSS API, Kerberos and ( )

	RSA kernel provider ( )

	`RSAAuthentication` keyword, Solaris Secure Shell ( )

	`rsh` command
		Kerberos and ( ) ( )

	`rsh` command (restricted shell) ( )

	`rshd` daemon, Kerberos and ( )

	`rstchown` system variable ( )

	rules file (BART) ( )

	rules file attributes, See keywords

	rules file format (BART) ( )

	rules file specification language, See quoting syntax

	Running ASET task map ( )


S

	`-S` option, `st_clean` script ( )

	safe protection level ( )

	SASL
		environment variable ( )
		options ( )
		overview ( )
		plug-ins ( )

	`saslauthd_path` option, SASL and ( )

	saving, failed login attempts ( )

	scope (RBAC), description ( )

	`scp` command
		copying files with ( )
		description ( )

	scripts
		`audit_startup` script ( )
		`audit_warn` script ( )
		`bsmconv` effect ( )
		`bsmconv` for device allocation ( )
		`bsmconv` script ( )
		`bsmconv` to enable auditing ( )
		checking for RBAC authorizations ( )
		device-clean scripts
			See also device-clean scripts
		for cleaning devices ( )
		monitoring audit files example ( )
		processing `praudit` output ( )
		running with privileges ( )
		securing ( )
		use of privileges in ( )

	SCSI devices, `st_clean` script ( )

	SEAM Administration Tool
		and limited administration privileges ( )
		and list privileges ( )
		and X Window system ( )
		command-line equivalents ( )
		context-sensitive help ( )
		creating a new policy ( ) ( )
		creating a new principal ( )
		default values ( )
		deleting a principal ( )
		deleting policies ( )
		displaying sublist of principals ( )
		duplicating a principal ( )
		files modified by ( )
		Filter Pattern field ( )
		`gkadmin` command ( )
		`.gkadmin` file ( )
		help ( )
		Help Contents ( )
		how affected by privileges ( )
		`kadmin` command ( )
		login window ( )
		modifying a policy ( )
		modifying a principal ( )
		online help ( )
		or `kadmin` command ( )
		overview ( )
		panel descriptions ( )
		privileges ( )
		setting up principal defaults ( )
		starting ( )
		table of panels ( )
		viewing a principal's attributes ( )
		viewing list of policies ( )
		viewing list of principals ( )
		viewing policy attributes ( )

	secondary audit directory ( )

	secret keys
		creating ( ) ( )
		generating
			using the `dd` command ( )
			using the `pktool` command ( )
		generating for Secure RPC ( )

	Secure by Default installation option ( )

	secure connection
		across a firewall ( )
		logging in ( )

	Secure NFS ( )

	Secure RPC
		alternative ( )
		and Kerberos ( )
		description ( )
		implementation of ( )
		keyserver ( )
		overview ( )

	securing
		logins task map ( )
		network at installation ( )
		passwords task map ( )
		scripts ( )

	security
		across insecure network ( )
		auditing and ( )
		BART ( )
		computing digest of files ( )
		computing MAC of files ( )
		devices ( )
		DH authentication ( )
		encrypting files ( )
		installation options ( )
		Kerberos authentication ( )
		`netservices limited` installation option ( )
		NFS client-server ( )
		password encryption ( )
		pointer to JASS toolkit ( )
		policy overview ( )
		preventing remote login ( )
		protecting against denial of service ( )
		protecting against Trojan horse ( )
		protecting devices ( )
		protecting hardware ( )
		protecting PROM ( )
		Secure by Default ( )
		system hardware ( )

	security attributes
		checking for ( )
		considerations when directly assigning ( )
		description ( )
		Printer management rights profile ( )
		privileges on commands ( )
		special ID on commands ( )
		using to mount allocated device ( )

	security mechanism, specifying with `-m` option ( )

	security modes, setting up environment with multiple ( )

	security policy, default (RBAC) ( )

	security service, Kerberos and ( )

	selecting
		audit classes ( )
		audit records ( )
		events from audit trail ( )

	semicolon (;)
		`device_allocate` file ( )
		separator of security attributes ( )

	`sendmail` command, authorizations required ( )

	`seq` audit policy
		and `sequence` token ( ) ( )
		description ( )

	`sequence` audit token
		and `seq` audit policy ( )
		format ( )

	`ServerKeyBits` keyword, `sshd_config` file ( )

	servers
		`AUTH_DH` client-server session ( )
		configuring for Solaris Secure Shell ( )
		definition in Kerberos ( )
		gaining access with Kerberos ( )
		obtaining credential for ( )
		realms and ( )

	service
		definition in Kerberos ( )
		disabling on a host ( )
		obtaining access for specific service ( )

	service keys
		definition in Kerberos ( )
		keytab files and ( )

	service management facility
		enabling keyserver ( )
		refreshing cryptographic framework ( )
		restarting cryptographic framework ( )
		restarting Solaris Secure Shell ( )

	Service Management Facility (SMF), See SMF

	service principal
		adding to keytab file ( ) ( )
		description ( )
		planning for names ( )
		removing from keytab file ( )

	session ID, audit ( )

	session keys
		definition in Kerberos ( )
		Kerberos authentication and ( )

	`setfacl` command
		`-d` option ( )
		`-f` option ( )
		description ( )
		examples ( )
		syntax ( )

	`setgid` permissions
		absolute mode ( ) ( )
		description ( )
		security risks ( )
		symbolic mode ( )

	`setpin` subcommand, `pktool` command ( )

	setting
		`arge` policy ( )
		`argv` policy ( )
		audit policy ( )
		principal defaults (Kerberos) ( )

	`setuid` permissions
		absolute mode ( ) ( )
		description ( )
		finding files with permissions set ( )
		security risks ( ) ( )
		symbolic mode ( )

	`sftp` command
		auditing file transfers ( )
		copying files with ( )
		description ( )

	`sh` command, privileged version ( )

	SHA1 kernel provider ( )

	sharing files
		and network security ( )
		with DH authentication ( )

	shell, privileged versions ( )

	shell commands
		`/etc/d_passwd` file entries ( )
		passing parent shell process number ( )

	shell process, listing its privileges ( )

	shell scripts, writing privileged ( )

	short `praudit` output format ( )

	`shosts.equiv` file, description ( )

	`.shosts` file, description ( )

	signal received during auditing shutdown ( )

	signing providers, cryptographic framework ( )

	single-sign-on system ( )
		Kerberos and ( )

	size of audit files
		reducing ( ) ( )
		reducing storage-space requirements ( )

	`slave_datatrans` file
		description ( )
		KDC propagation and ( )

	`slave_datatrans_slave` file, description ( )

	slave KDCs
		configuring ( )
		definition ( )
		master KDC and ( )
		or master ( )
		planning for ( )
		swapping with master KDC ( )

	slot, definition in cryptographic framework ( )

	smartcard documentation, pointer to ( )

	`smattrpop` command, description ( )

	`smexec` command, description ( )

	SMF, managing Secure by Default configuration ( )

	`smmultiuser` command, description ( )

	`smprofile` command
		changing rights profile ( )
		description ( )

	`smrole` command
		changing properties of role ( ) ( )
		description ( )
		using ( )

	`smuser` command
		changing user's RBAC properties ( )
		description ( )

	`socket` audit token ( )

	soft limit
		`audit_warn` condition ( )
		`minfree` line description ( )

	soft string, `audit_warn` script ( )

	Solaris auditing task map ( )

	Solaris Cryptographic Framework, See cryptographic framework

	`solaris.device.revoke` authorization ( )

	Solaris Secure Shell
		adding to system ( )
		administering ( )
		administrator task map ( ) ( )
		authentication
			requirements for ( )
		authentication methods ( )
		authentication steps ( )
		basis from OpenSSH ( )
		changes in current release ( )
		changing passphrase ( )
		command execution ( )
		configuring clients ( )
		configuring port forwarding ( )
		configuring server ( )
		connecting across a firewall ( )
		connecting outside firewall
			from command line ( )
			from configuration file ( )
		copying files ( )
		creating keys ( )
		data forwarding ( )
		description ( )
		files ( )
		forwarding mail ( )
		generating keys ( )
		keywords ( )
		local port forwarding ( ) ( )
		logging in fewer prompts ( )
		logging in to remote host ( )
		login environment variables and ( )
		naming identity files ( )
		packages ( )
		protocol versions ( )
		public key authentication ( )
		remote port forwarding ( )
		`scp` command ( )
		TCP and ( )
		typical session ( )
		user procedures ( )
		using port forwarding ( )
		using without password ( )

	`solaris` security policy ( )

	special permissions
		`setgid` permissions ( )
		`setuid` permissions ( )
		sticky bit ( )

	square brackets (`[]`), `bsmrecord` output ( )

	`sr_clean` script, description ( )

	`ssh-add` command
		description ( )
		example ( ) ( )
		storing private keys ( )

	`ssh-agent` command
		configuring for CDE ( )
		description ( )
		from command line ( )
		in scripts ( )

	`ssh` command
		description ( )
		overriding keyword settings ( )
		port forwarding options ( )
		using ( )
		using a proxy command ( )

	`.ssh/config` file
		description ( )
		override ( )

	`ssh_config` file
		configuring Solaris Secure Shell ( )
		host-specific parameters ( )
		keywords ( )
			See specific keyword
		override ( )

	`.ssh/environment` file, description ( )

	`ssh_host_dsa_key` file, description ( )

	`ssh_host_dsa_key.pub` file, description ( )

	`ssh_host_key` file
		description ( )
		override ( )

	`ssh_host_key.pub` file, description ( )

	`ssh_host_rsa_key` file, description ( )

	`ssh_host_rsa_key.pub` file, description ( )

	`.ssh/id_dsa` file ( )

	`.ssh/id_rsa` file ( )

	`.ssh/identity` file ( )

	`ssh-keygen` command
		description ( )
		using ( )

	`ssh-keyscan` command, description ( )

	`ssh-keysign` command, description ( )

	`.ssh/known_hosts` file
		description ( )
		override ( )

	`ssh_known_hosts` file ( )

	`.ssh/rc` file, description ( )

	`sshd` command, description ( )

	`sshd_config` file
		description ( )
		keywords ( )
			See specific keyword
		overrides of `/etc/default/login` entries ( )

	`sshd.pid` file, description ( )

	`sshrc` file, description ( )

	`st_clean` script
		description ( )
		for tape drives ( )

	standard cleanup, `st_clean` script ( )

	starting
		ASET from shell ( )
		ASET interactively ( )
		audit daemon ( )
		auditing ( )
		device allocation ( )
		KDC daemon ( ) ( )
		running ASET periodically ( )
		Secure RPC keyserver ( )

	stash file
		creating ( ) ( )
		definition ( )

	sticky bit permissions
		absolute mode ( ) ( )
		description ( )
		symbolic mode ( )

	stopping, dial-up logins temporarily ( )

	storage costs, and auditing ( )

	storage overflow prevention, audit trail ( )

	storing
		audit files ( ) ( )
		passphrase ( )

	`StrictHostKeyChecking` keyword, `ssh_config` file ( )

	`StrictModes` keyword, `sshd_config` file ( )

	`su` command
		displaying access attempts on console ( )
		in role assumption ( ) ( )
		monitoring use ( )

	`su` file, monitoring `su` command ( )

	`subject` audit token, format ( )

	`Subsystem` keyword, `sshd_config` file ( )

	success
		audit class prefix ( )
		turning off audit classes for ( )

	sufficient control flag, PAM ( )

	`sulog` file ( )
		monitoring contents of ( )

	Sun Crypto Accelerator 1000 board, listing mechanisms ( )

	Sun Crypto Accelerator 6000 board
		hardware plugin to cryptographic framework ( )
		listing mechanisms ( )

	`SUPATH` in Solaris Secure Shell ( )

	superuser
		compared to privilege model ( )
		compared to RBAC model ( )
		differences from privilege model ( )
		eliminating in RBAC ( )
		monitoring access attempts ( )
		troubleshooting becoming `root` as a role ( )
		troubleshooting remote access ( )

	`suser` security policy ( )

	`svcadm` command
		administering cryptographic framework ( ) ( )
		enabling cryptographic framework ( )
		enabling keyserver daemon ( )
		refreshing cryptographic framework ( )
		restarting name service ( )
		restarting NFS server ( )
		restarting Solaris Secure Shell ( )
		restarting `syslog` daemon ( ) ( )

	`svcs` command
		listing cryptographic services ( )
		listing keyserver service ( )

	swapping master and slave KDCs ( )

	symbolic links, file permissions ( )

	symbolic mode
		changing file permissions ( ) ( ) ( )
		description ( )

	synchronizing clocks
		master KDC ( ) ( )
		overview ( )
		slave KDC ( ) ( )

	`SYS` privileges ( )

	`sysconf.rpt` file ( ) ( )

	`syslog.conf` file
		and auditing ( )
		`audit.notice` level ( )
		audit records ( )
		executable stack messages ( )
		`kern.notice` level ( )
		`priv.debug` entry ( )
		saving failed login attempts ( )

	`SYSLOG_FAILED_LOGINS`
		in Solaris Secure Shell ( )
		system variable ( )

	`syslog` format, audit records ( )

	`SyslogFacility` keyword, `sshd_config` file ( )

	System Administrator (RBAC)
		assuming role ( )
		creating role ( )
		protecting hardware ( )
		recommended role ( )
		rights profile ( )

	system calls
		`arg` audit token ( )
		`close` ( )
		`exec_args` audit token ( )
		`exec_env` audit token ( )
		`ioctl()` ( )
		ioctl to clean audio device ( )
		`return` audit token ( )

	`system` file, `bsmconv` effect on ( )

	system hardware, controlling access to ( )

	system properties, privileges relating to ( )

	system security
		dial-up logins and passwords ( )
		dial-up passwords
			disabling temporarily ( )
		displaying
			user's login status ( ) ( )
			users with no passwords ( )
		firewall systems ( )
		hardware protection ( ) ( )
		login access restrictions ( ) ( )
		machine access ( )
		overview ( )
		password encryption ( )
		passwords ( )
		privileges ( )
		protecting from risky programs ( )
		restricted shell ( ) ( )
		restricting remote `root` access ( )
		role-based access control (RBAC) ( ) ( )
		`root` access restrictions ( ) ( )
		saving failed login attempts ( )
		special logins ( )
		`su` command monitoring ( ) ( )
		task map ( )
		UFS ACLS ( )

	`system state` audit class ( )

	System V IPC
		`ipc` audit class ( )
		`ipc` audit token ( )
		`ipc_perm` audit token ( )
		privileges ( )

	system variables
		See also variables
		`CRYPT_DEFAULT` ( )
		`KEYBOARD_ABORT` ( )
		`noexec_user_stack` ( )
		`noexec_user_stack_log` ( )
		`rstchown` ( )
		`SYSLOG_FAILED_LOGINS` ( )

	`system-wide administration` audit class ( )

	systems, protecting from risky programs ( )


T

	tables, `gsscred` ( )

	`tail` command, example of use ( )

	tape drives
		allocating ( )
		cleaning of data ( )
		device-clean scripts ( )

	task maps
		administering cryptographic framework ( )
		administering policies (Kerberos) ( )
		administering principals (Kerberos) ( )
		administering Secure RPC ( )
		allocating devices ( )
		ASET ( )
		auditing ( )
		changing default algorithm for password encryption ( )
		configuring audit files ( )
		configuring audit service ( )
		configuring device policy ( )
		configuring devices ( )
		configuring Kerberos NFS servers ( )
		configuring RBAC ( )
		configuring Solaris Secure Shell ( )
		controlling access to system hardware ( )
		cryptographic framework ( )
		device allocation ( )
		device policy ( )
		devices ( )
		enabling audit service ( )
		Kerberos configuration ( )
		Kerberos maintenance ( )
		managing and using privileges ( )
		managing audit records ( )
		managing device allocation ( )
		managing device policy ( )
		managing RBAC ( )
		monitoring and restricting superuser ( )
		PAM ( )
		planning auditing ( )
		protecting against programs with security risk ( )
		protecting files ( )
		protecting files with ACLs ( )
		protecting files with cryptographic mechanisms ( )
		protecting files with UNIX permissions ( )
		protecting system hardware ( )
		running ASET ( )
		securing logins and passwords ( )
		securing systems ( )
		Solaris Secure Shell ( )
		system access ( )
		troubleshooting Solaris auditing ( )
		Using BART task map ( )
		using device allocation ( )
		using RBAC ( )
		using roles ( )
		using Solaris Secure Shell ( )
		using the cryptographic framework ( )
		Using the Key Management Framework (Task Map) ( )

	`TASKS` variable (ASET) ( ) ( )

	`taskstat` command (ASET) ( ) ( )

	TCP
		addresses ( )
		Solaris Secure Shell and ( ) ( )

	`telnet` command
		Kerberos and ( ) ( )

	`telnetd` daemon, Kerberos and ( )

	terminal ID, audit ( )

	terminating, signal received during auditing shutdown ( )

	terminology
		authentication-specific ( )
		Kerberos ( )
		Kerberos-specific ( )

	test manifests ( )

	`text` audit token, format ( )

	TGS, getting credential for ( )

	TGT, in Kerberos ( )

	third-party password algorithms, adding ( )

	ticket file, See credential cache

	ticket-granting service, See TGS

	ticket-granting ticket, See TGT

	tickets
		`-F` option or `-f` option ( )
		`-k` option ( )
		creating ( )
		creating with `kinit` ( )
		definition ( )
		definition in Kerberos ( )
		destroying ( )
		file
			See credential cache
		forwardable ( ) ( ) ( ) ( )
		initial ( )
		invalid ( )
		`klist` command ( )
		lifetime ( )
		maximum renewable lifetime ( )
		obtaining ( )
		or credentials ( )
		postdatable ( )
		postdated ( )
		proxiable ( )
		proxy ( )
		renewable ( )
		requesting for specific realm ( )
		types of ( )
		viewing ( )
		warning about expiration ( )

	`TIMEOUT` in Solaris Secure Shell ( )

	timestamps
		ASET reports ( )
		audit files ( )

	`/tmp/krb5cc_`uid file, description ( )

	`/tmp/ovsec_adm.`xxxxx file, description ( )

	tmpfile string, `audit_warn` script ( )

	TMPFS file system, security ( )

	token, definition in cryptographic framework ( )

	`trail` audit policy
		and `trailer` token ( )
		description ( )

	`trailer` audit token
		format ( )
		order in audit record ( )
		`praudit` display ( )

	transparency, definition in Kerberos ( )

	Trojan horse ( )

	troubleshooting
		allocating a device ( )
		ASET errors ( )
		audit classes
			customized ( ) ( )
		auditing ( )
		becoming superuser ( )
		computer break-in attempts ( )
		`encrypt` command ( ) ( )
		finding files with `setuid` permissions ( )
		Kerberos ( )
		lack of privilege ( )
		`list_devices` command ( )
		mounting a device ( )
		`praudit` command ( )
		preventing programs from using executable stacks ( )
		privilege requirements ( )
		remote superuser access ( )
		rights profiles ( )
		role capabilities ( )
		`root` as a role ( )
		terminal where `su` command originated ( )
		user running privileged commands ( )

	`truss` command, for privilege debugging ( )

	trusted hosts ( )

	tune files (ASET)
		description ( )
		examples ( ) ( )
		modifying ( )
		rules ( )

	`tune.rpt` file ( ) ( )

	types of tickets ( )

	`TZ` in Solaris Secure Shell ( )


U

	`-U` option
		`allocate` command ( )
		`list_devices` command ( )

	`uauth` audit token ( ) ( )

	UDP
		addresses ( )
		port forwarding and ( )
		Solaris Secure Shell and ( )
		using for remote audit logs ( )

	`uid_aliases` file (ASET) ( ) ( )

	`UID_ALIASES` variable (ASET) ( ) ( ) ( )

	`umask` value
		and file creation ( )
		typical settings ( )

	`umount` command, with security attributes ( )

	uninstalling, cryptographic providers ( )

	UNIX file permissions, See files, permissions

	unmounting, allocated devices ( )

	`update_drv` command
		description ( )
		using ( )

	updating, audit service ( )

	`upriv` audit token ( )

	URL for online help, Graphical Kerberos Tool ( )

	`use_authid` option, SASL and ( )

	`UseLogin` keyword, `sshd_config` file ( )

	`UseOpenSSLEngine` keyword
		`ssh_config` file ( )
		`sshd_config` file ( )

	user accounts
		See also users
		ASET check ( )
		displaying login status ( ) ( )

	User Accounts tool, description ( )

	user ACL entries
		default entries for directories ( )
		description ( )
		setting ( )

	`user administration` audit class ( )

	`user_attr` database
		`defaultpriv` keyword ( )
		description ( ) ( )
		`limitpriv` keyword ( )
		RBAC relationships ( )

	user audit fields, `audit_user` database ( )

	user classes of files ( )

	user database (RBAC), See `user_attr` database

	user ID
		audit ID and ( ) ( )
		in NFS services ( )

	`User` keyword, `ssh_config` file ( )

	user principal, description ( )

	user procedures
		allocating devices ( )
		assuming a role ( ) ( )
		`chkey` command ( )
		computing digest of a file ( )
		computing MAC of a file ( )
		creating self-signed certificate ( )
		decrypting files ( )
		encrypting files ( )
		encrypting NIS user's private key ( )
		exporting certificates ( )
		generating a symmetric key
			using the `dd` command ( )
			using the `pktool` command ( )
		generating passphrase for keystore ( )
		importing certificates ( )
		protecting files ( )
		using ACLs ( )
		using an assigned role ( ) ( )
		using `pktool` command ( )
		using Solaris Secure Shell ( )

	user scripts, configuring for `ssh-agent` daemon in CDE ( )

	`useradd` command
		adding local user ( )
		description ( )

	`userdel` command, description ( )

	`UserKnownHostsFile` keyword, `ssh_config` file ( )

	`UserKnownHostsFile2` keyword, See `UserKnownHostsFile` keyword

	`usermod` command
		changing user's RBAC properties ( )
		description ( )
		using to assign role ( )

	users
		adding local user ( )
		allocating devices ( )
		assigning allocate authorization to ( )
		assigning privileges to ( )
		assigning RBAC defaults ( )
		auditing all of their commands ( )
		basic privilege set ( )
		changing properties from command line ( )
		computing digest of files ( )
		computing MAC of files ( )
		creating local user ( )
		deallocating devices ( )
		determining directly assigned privileges ( )
		determining own privileged commands ( )
		disabling login ( )
		displaying login status ( )
		encrypting files ( )
		generating a symmetric key ( )
		having no passwords ( )
		initial inheritable privileges ( )
		modifying audit preselection mask of ( )
		modifying properties (RBAC) ( )
		mounting allocated devices ( )
		restricting basic privileges ( )
		troubleshooting running privileged commands ( )
		unmounting allocated devices ( )

	using
		ACLs ( )
		`allocate` command ( )
		ASET ( )
		BART ( )
		`cryptoadm` command ( )
		cryptographic framework task map ( )
		`dd` command ( )
		`deallocate` command ( )
		device allocation ( ) ( )
		`digest` command ( )
		`encrypt` command ( )
		file permissions ( )
		`mac` command ( )
		`mount` command ( )
		new password algorithm ( )
		`pktool` command ( )
		`ppriv` command ( ) ( )
		privileges ( )
		privileges task map ( )
		RBAC task map ( )
		roles ( )
		roles task map ( )
		`smrole` command ( )
		Solaris Secure Shell task map ( )
		`ssh-add` command ( )
		`ssh-agent` daemon ( )
		`truss` command ( )
		`umount` command ( )
		`usermod` command ( )

	Using the Key Management Framework (Task Map) ( )

	`/usr/aset/asetenv` file ( ) ( )

	`/usr/aset` directory ( )

	`/usr/aset/masters/tune` files
		description ( )
		modifying ( )
		rules ( )

	`/usr/aset/masters/uid_aliases` file ( )

	`/usr/aset/reports` directory, structure ( )

	`/usr/aset/reports` directory structure ( )

	`/usr/aset/reports/latest` directory ( )

	`/usr/bin/ftp` command, Kerberos and ( )

	`/usr/bin/kdestroy` command, Kerberos and ( )

	`/usr/bin/kinit` command, Kerberos and ( )

	`/usr/bin/klist` command, Kerberos and ( )

	`/usr/bin/kpasswd` command, Kerberos and ( )

	`/usr/bin/ktutil` command, Kerberos and ( )

	`/usr/bin/rcp` command, Kerberos and ( )

	`/usr/bin/rdist` command, Kerberos and ( )

	`/usr/bin/rlogin` command, Kerberos and ( )

	`/usr/bin/rsh` command, Kerberos and ( )

	`/usr/bin/telnet` command, Kerberos and ( )

	`/usr/lib/kprop` command, description ( )

	`/usr/lib/krb5/kadmind` daemon, Kerberos and ( )

	`/usr/lib/krb5/kpropd` daemon, Kerberos and ( )

	`/usr/lib/krb5/krb5kdc` daemon, Kerberos and ( )

	`/usr/lib/krb5/ktkt_warnd` daemon, Kerberos and ( )

	`/usr/lib/libsasl.so` library, overview ( )

	`/usr/sbin/gkadmin` command, description ( )

	`/usr/sbin/gsscred` command, description ( )

	`/usr/sbin/in.ftpd` daemon, Kerberos and ( )

	`/usr/sbin/in.rlogind` daemon, Kerberos and ( )

	`/usr/sbin/in.rshd` daemon, Kerberos and ( )

	`/usr/sbin/in.telnetd` daemon, Kerberos and ( )

	`/usr/sbin/kadmin` command, description ( )

	`/usr/sbin/kadmin.local` command, description ( )

	`/usr/sbin/kclient` command, description ( )

	`/usr/sbin/kdb5_ldap_util` command, description ( )

	`/usr/sbin/kdb5_util` command, description ( )

	`/usr/sbin/kgcmgr` command, description ( )

	`/usr/sbin/kproplog` command, description ( )

	`/usr/share/lib/xml` directory ( )

	`usrgrp.rpt` file
		description ( ) ( )
		example ( )

	`uucico` command, login program ( )


V

	v1 protocol, Solaris Secure Shell ( )

	v2 protocol, Solaris Secure Shell ( )

	`/var/adm/auditlog` file, text audit records ( )

	`/var/adm/loginlog` file, saving failed login attempts ( )

	`/var/adm/messages` file
		executable stack messages ( )
		troubleshooting auditing ( )

	`/var/adm/sulog` file, monitoring contents of ( )

	`/var/krb5/.k5.`REALM file, description ( )

	`/var/krb5/kadmin.log` file, description ( )

	`/var/krb5/kdc.log` file, description ( )

	`/var/krb5/principal` file, description ( )

	`/var/krb5/principal.kadm5` file, description ( )

	`/var/krb5/principal.kadm5.lock` file, description ( )

	`/var/krb5/principal.ok` file, description ( )

	`/var/krb5/principal.ulog` file, description ( )

	`/var/krb5/slave_datatrans` file, description ( )

	`/var/krb5/slave_datatrans_slave` file, description ( )

	`/var/log/authlog` file, failed logins ( )

	`/var/log/syslog` file, troubleshooting auditing ( )

	`/var/run/sshd.pid` file, description ( )

	variables
		adding to audit record ( ) ( )
		ASET environment variables
			`ASETDIR` ( )
			`ASETSECLEVEL` ( )
			`CKLISTPATH_level` ( ) ( ) ( )
			`PERIODIC_SCHEDULE` ( ) ( )
			summary ( )
			`TASKS` ( ) ( )
			`UID_ALIASES` ( ) ( ) ( )
			`YPCHECK` ( ) ( )
		auditing those associated with a command ( )
		for proxy servers and ports ( )
		`KEYBOARD_ABORT` ( )
		`login` and Solaris Secure Shell ( )
		`noexec_user_stack` ( )
		`noexec_user_stack_log` ( )
		`rstchown` ( )
		setting in Solaris Secure Shell ( )

	verifiers
		description ( )
		returned to NFS client ( )
		window ( )

	`VerifyReverseMapping` keyword, `ssh_config` file ( )

	viewing
		ACL entries ( )
		audit record formats ( )
		available cryptographic mechanisms ( ) ( )
		binary audit files ( )
		contents of rights profiles ( )
		cryptographic mechanisms
			available ( ) ( )
			existing ( ) ( ) ( )
		device allocation information ( )
		device policy ( )
		digest of a file ( )
		directly assigned privileges ( )
		existing cryptographic mechanisms ( ) ( )
		file permissions ( )
		keylist buffer with `list` command ( ) ( )
		list of policies ( )
		list of principals ( )
		MAC of a file ( )
		policy attributes ( )
		principal's attributes ( )
		privileges in a shell ( ) ( )
		privileges on a process ( )
		tickets ( )
		user's login status ( )
		users with no passwords ( )
		XML audit records ( ) ( )

	viruses
		denial of service attack ( )
		Trojan horse ( )

	`vnode` audit token, format ( )

	`vold` daemon, turned off by device allocation ( )


W

	`warn.conf` file, description ( )

	warning about ticket expiration ( )

	wildcard characters
		for hosts in Solaris Secure Shell ( )
		in ASET files ( )
		in ASET tune files ( )
		in RBAC authorizations ( )

	window verifier ( )

	write permissions, symbolic mode ( )


X

	`-X` option, Kerberized commands ( )

	X Window system, and SEAM Administration Tool ( )

	X11 forwarding
		configuring in `ssh_config` file ( )
		in Solaris Secure Shell ( )

	`X11DisplayOffset` keyword, `sshd_config` file ( )

	`X11Forwarding` keyword, `sshd_config` file ( )

	`X11UseLocalHost` keyword, `sshd_config` file ( )

	`xauth` command, X11 forwarding ( )

	`XAuthLocation` keyword, Solaris Secure Shell port forwarding ( )

	XML format, audit records ( )

	XML option, `praudit` command ( )

	Xylogics tape drive device-clean script ( )


Y

	`YPCHECK` variable (ASET) ( ) ( )


Z

	`zone.max-locked-memory` resource control ( ) ( )

	`zonename` audit policy
		description ( )
		using ( ) ( )

	`zonename` audit token ( ) ( )

	zones
		auditing and ( ) ( )
		configuring auditing in global zone ( )
		cryptographic framework and ( )
		cryptographic services and ( )
		devices and ( )
		`perzone` audit policy ( ) ( ) ( )
		planning auditing in ( )
		`zonename` audit policy ( ) ( )