System Administration Guide:
Security Services
Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054
U.S.A.
Part No: 816–4557–11
December 2005
Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In
particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S.
and in other countries.
U.S. Government Rights – Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and
applicable provisions of the FAR and its supplements.
This distribution may include materials developed by third parties.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S.
and other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, SunOS, Java, JumpStart, Trusted Solaris, Java, and
Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under
license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks
are based upon an architecture developed by Sun Microsystems, Inc. Xylogics product is protected by copyright and licensed to Sun by Xylogics.
Xylogics and Annex are trademarks of Xylogics, Inc., Portions of the software copyright 1996 by the Massachusetts Institute of Technology. All rights
reserved.
The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the
pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a
non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs
and otherwise comply with Sun’s written license agreements.
Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or
import laws in other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect,
are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not
limited to, the denied persons and specially designated nationals lists is strictly prohibited.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Contents

Preface

Part I Security Overview

1 Security Services (Overview)
    System Security
    Solaris Cryptographic Services
    Authentication Services
    Authentication With Encryption
    Solaris Auditing
    Security Policy

Part II System, File, and Device Security

2 Managing Machine Security (Overview)
    Enhancements to Machine Security in the Solaris 10 Release
    Controlling Access to a Computer System
    Maintaining Physical Security
    Maintaining Login Control
    Controlling Access to Devices
    Device Policy (Overview)
    Device Allocation (Overview)
    Controlling Access to Machine Resources
    Limiting and Monitoring Superuser
    Configuring Role-Based Access Control to Replace Superuser
    Preventing Unintentional Misuse of Machine Resources
    Restricting setuid Executable Files
    Using the Automated Security Enhancement Tool
    Using the Solaris Security Toolkit
    Using Solaris Resource Management Features
    Using Solaris Zones
    Monitoring Use of Machine Resources
    Monitoring File Integrity
    Controlling Access to Files
    Protecting Files With Encryption
    Using Access Control Lists
    Sharing Files Across Machines
    Restricting root Access to Shared Files
    Controlling Network Access
    Network Security Mechanisms
    Authentication and Authorization for Remote Access
    Firewall Systems
    Encryption and Firewall Systems
    Reporting Security Problems

3 Controlling Access to Systems (Tasks)
    Controlling System Access (Task Map)
    Securing Logins and Passwords (Task Map)
    Securing Logins and Passwords
    ▼ How to Display a User’s Login Status
    ▼ How to Display Users Without Passwords
    ▼ How to Temporarily Disable User Logins
    ▼ How to Monitor Failed Login Attempts
    ▼ How to Monitor All Failed Login Attempts
    ▼ How to Create a Dial-Up Password
    ▼ How to Temporarily Disable Dial-Up Logins
    Changing the Password Algorithm (Task Map)
    Changing the Default Algorithm for Password Encryption
    ▼ How to Specify an Algorithm for Password Encryption
    ▼ How to Specify a New Password Algorithm for an NIS Domain
    ▼ How to Specify a New Password Algorithm for an NIS+ Domain
    ▼ How to Specify a New Password Algorithm for an LDAP Domain
    ▼ How to Install a Password Encryption Module From a Third Party
4 System Administration Guide: Security Services • December 2005
    Monitoring and Restricting Superuser (Task Map)
    Monitoring and Restricting Superuser
    ▼ How to Monitor Who Is Using the su Command
    ▼ How to Restrict and Monitor Superuser Logins
    SPARC: Controlling Access to System Hardware (Task Map)
    Controlling Access to System Hardware
    ▼ How to Require a Password for Hardware Access
    ▼ How to Disable a System’s Abort Sequence

4 Controlling Access to Devices (Tasks)
    Configuring Devices (Task Map)
    Configuring Device Policy (Task Map)
    Configuring Device Policy
    ▼ How to View Device Policy
    ▼ How to Change the Device Policy on an Existing Device
    ▼ How to Audit Changes in Device Policy
    ▼ How to Retrieve IP MIB-II Information From a /dev/* Device
    Managing Device Allocation (Task Map)
    Managing Device Allocation
    ▼ How to Make a Device Allocatable
    ▼ How to Authorize Users to Allocate a Device
    ▼ How to View Allocation Information About a Device
    ▼ Forcibly Allocating a Device
    ▼ Forcibly Deallocating a Device
    ▼ How to Change Which Devices Can Be Allocated
    ▼ How to Audit Device Allocation
    Allocating Devices (Task Map)
    Allocating Devices
    ▼ How to Allocate a Device
    ▼ How to Mount an Allocated Device
    ▼ How to Deallocate a Device
    Device Protection (Reference)
    Device Policy Commands
    Device Allocation

5 Using the Basic Audit Reporting Tool (Tasks)
    Basic Audit Reporting Tool (Overview)
    BART Features
    BART Components
    Using BART (Task Map)
    Using BART (Tasks)
    BART Security Considerations
    ▼ How to Create a Manifest
    ▼ How to Customize a Manifest
    ▼ How to Compare Manifests for the Same System Over Time
    ▼ How to Compare Manifests From a Different System With the Manifest of a Control System
    ▼ How to Customize a BART Report by Specifying File Attributes
    ▼ How to Customize a BART Report by Using a Rules File
    BART Manifest, Rules File, and Reporting (Reference)
    BART Manifest File Format
    BART Rules File Format
    BART Reporting

6 Controlling Access to Files (Tasks)
    Using UNIX Permissions to Protect Files
    Commands for Viewing and Securing Files
    File and Directory Ownership
    UNIX File Permissions
    Special File Permissions (setuid, setgid and Sticky Bit)
    Default umask Value
    File Permission Modes
    Using Access Control Lists to Protect Files
    ACL Entries for Files
    ACL Entries for Directories
    Commands for Administering ACLs
    Preventing Executable Files From Compromising Security
    Protecting Files (Task Map)
    Protecting Files With UNIX Permissions (Task Map)
    ▼ How to Display File Information
    ▼ How to Change the Owner of a File
    ▼ How to Change Group Ownership of a File
    ▼ How to Change File Permissions in Symbolic Mode
    ▼ How to Change File Permissions in Absolute Mode
    ▼ How to Change Special File Permissions in Absolute Mode
    Protecting Files With ACLs (Task Map)
    ▼ How to Check if a File Has an ACL
    ▼ How to Add ACL Entries to a File
    ▼ How to Copy an ACL
    ▼ How to Change ACL Entries on a File
    ▼ How to Delete ACL Entries From a File
    ▼ How to Display ACL Entries for a File
    Protecting Against Programs With Security Risk (Task Map)
    ▼ How to Find Files With Special File Permissions
    ▼ How to Disable Programs From Using Executable Stacks

7 Using the Automated Security Enhancement Tool (Tasks)
    Automated Security Enhancement Tool (ASET)
    ASET Security Levels
    ASET Task List
    ASET Execution Log
    ASET Reports
    ASET Master Files
    ASET Environment File (asetenv)
    Configuring ASET
    Restoring System Files Modified by ASET
    Network Operation With the NFS System
    ASET Environment Variables
    ASET File Examples
    Running ASET (Task Map)
    ▼ How to Run ASET Interactively
    ▼ How to Run ASET Periodically
    ▼ How to Stop Running ASET Periodically
    ▼ How to Collect ASET Reports on a Server
    Troubleshooting ASET Problems
    ASET Error Messages

Part III Roles, Rights Profiles, and Privileges

8 Using Roles and Privileges (Overview)
    Role-Based Access Control (Overview)
    RBAC: An Alternative to the Superuser Model
    Solaris RBAC Elements and Basic Concepts
    RBAC Authorizations
    Authorizations and Privileges
    Privileged Applications and RBAC
    RBAC Rights Profiles
    RBAC Roles
    Profile Shell in RBAC
    Name Service Scope and RBAC
    Security Considerations When Directly Assigning Security Attributes
    Privileges (Overview)
    Privileges Protect Kernel Processes
    Privilege Descriptions
    Administrative Differences on a System With Privileges
    How Privileges Are Implemented
    How Processes Get Privileges
    Assigning Privileges
    Privileges and Devices
    Privileges and Debugging

9 Using Role-Based Access Control (Tasks)
    Using RBAC (Task Map)
    Configuring RBAC (Task Map)
    Configuring RBAC
    ▼ How to Plan Your RBAC Implementation
    ▼ How to Create and Assign a Role By Using the GUI
    ▼ How to Create a Role From the Command Line
    ▼ How to Assign a Role to a Local User
    ▼ How to Audit Roles
    ▼ How to Make root User Into a Role
    Using Roles (Task Map)
    Using Roles
    ▼ How to Assume a Role in a Terminal Window
    ▼ How to Assume a Role in the Solaris Management Console
    Managing RBAC (Task Map)
    Managing RBAC
    ▼ How to Change the Properties of a Role
    ▼ How to Create or Change a Rights Profile
    ▼ How to Change the RBAC Properties of a User
    ▼ How to Add RBAC Properties to Legacy Applications

10 Role-Based Access Control (Reference)
    Contents of Rights Profiles
    Primary Administrator Rights Profile
    System Administrator Rights Profile
    Operator Rights Profile
    Printer Management Rights Profile
    Basic Solaris User Rights Profile
    All Rights Profile
    Order of Rights Profiles
    Viewing the Contents of Rights Profiles
    Authorization Naming and Delegation
    Authorization Naming Conventions
    Example of Authorization Granularity
    Delegation Authority in Authorizations
    Databases That Support RBAC
    RBAC Database Relationships
    RBAC Databases and the Name Service
    user_attr Database
    auth_attr Database
    prof_attr Database
    exec_attr Database
    policy.conf File
    RBAC Commands
    Commands That Manage RBAC
    Commands That Require Authorizations

11 Privileges (Tasks)
    Managing and Using Privileges (Task Map)
    Managing Privileges (Task Map)
    Managing Privileges
    ▼ How to Determine the Privileges on a Process
    ▼ How to Determine Which Privileges a Program Requires
    ▼ How to Add Privileges to a Command
    ▼ How to Assign Privileges to a User or Role
    ▼ How to Limit a User’s or Role’s Privileges
    ▼ How to Run a Shell Script With Privileged Commands
    Determining Your Privileges (Task Map)
    Determining Your Assigned Privileges
    ▼ How to Determine the Privileges That You Have Been Directly Assigned
    ▼ How to Determine the Privileged Commands That You Can Run
    ▼ How to Determine the Privileged Commands That a Role Can Run

12 Privileges (Reference)
    Administrative Commands for Handling Privileges
    Files With Privilege Information
    Privileges and Auditing
    Prevention of Privilege Escalation
    Legacy Applications and the Privilege Model

Part IV Solaris Cryptographic Services

13 Solaris Cryptographic Framework (Overview)
    What’s New in the Solaris Cryptographic Framework?
    Solaris Cryptographic Framework
    Terminology in the Solaris Cryptographic Framework
    Scope of the Solaris Cryptographic Framework
    Administrative Commands in the Solaris Cryptographic Framework
    User-Level Commands in the Solaris Cryptographic Framework
    Binary Signatures for Third-Party Software
    Plugins to the Solaris Cryptographic Framework
    Cryptographic Services and Zones

14 Solaris Cryptographic Framework (Tasks)
    Using the Cryptographic Framework (Task Map)
    Protecting Files With the Solaris Cryptographic Framework (Task Map)
    Protecting Files With the Solaris Cryptographic Framework
    ▼ How to Generate a Symmetric Key
    ▼ How to Compute a Digest of a File
    ▼ How to Compute a MAC of a File
    ▼ How to Encrypt and Decrypt a File
    Administering the Cryptographic Framework (Task Map)
    Administering the Cryptographic Framework
    ▼ How to List Available Providers
    ▼ How to Add a Software Provider
    ▼ How to Prevent the Use of a User-Level Mechanism
    ▼ How to Prevent the Use of a Kernel Software Provider
    ▼ How to List Hardware Providers
    ▼ How to Disable Hardware Provider Mechanisms and Features
    ▼ How to Refresh or Restart All Cryptographic Services

Part V Authentication Services and Secure Communication

15 Using Authentication Services (Tasks)
    Overview of Secure RPC
    NFS Services and Secure RPC
    DES Encryption With Secure NFS
    Kerberos Authentication
    Diffie-Hellman Authentication
    Administering Secure RPC (Task Map)
    Administering Authentication With Secure RPC
    ▼ How to Restart the Secure RPC Keyserver
    ▼ How to Set Up a Diffie-Hellman Key for an NIS+ Host
    ▼ How to Set Up a Diffie-Hellman Key for an NIS+ User
    ▼ How to Set Up a Diffie-Hellman Key for an NIS Host
    ▼ How to Set Up a Diffie-Hellman Key for an NIS User
    ▼ How to Share NFS Files With Diffie-Hellman Authentication

16 Using PAM
    PAM (Overview)
    Benefits of Using PAM
    PAM Components
    Changes to PAM for the Solaris 10 Release
    PAM (Tasks)
    PAM (Task Map)
    Planning for Your PAM Implementation
    ▼ How to Add a PAM Module
    ▼ How to Prevent Rhost-Style Access From Remote Systems With PAM
    ▼ How to Log PAM Error Reports
    PAM Configuration File (Reference)
    PAM Configuration File Syntax
    Service Names for PAM
    PAM Module Types
    PAM Control Flags
    PAM Modules
    Examples From the Generic pam.conf File

17 Using SASL
    SASL (Overview)
    SASL (Reference)
    SASL Plug-ins
    SASL Environment Variable
    SASL Options

18 Using Solaris Secure Shell (Tasks)
    Solaris Secure Shell (Overview)
    Solaris Secure Shell Authentication
    Solaris Secure Shell in the Enterprise
    Solaris Secure Shell Enhancements in the Solaris 10 Release
    Solaris Secure Shell (Task Map)
    Configuring Solaris Secure Shell (Task Map)
    Configuring Solaris Secure Shell
    ▼ How to Set Up Host-Based Authentication for Solaris Secure Shell
    ▼ How to Enable Solaris Secure Shell v1
    ▼ How to Configure Port Forwarding in Solaris Secure Shell
    Using Solaris Secure Shell (Task Map)
    Using Solaris Secure Shell
    ▼ How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell
    ▼ How to Change the Passphrase for a Solaris Secure Shell Private Key
    ▼ How to Log In to a Remote Host With Solaris Secure Shell
    ▼ How to Reduce Password Prompts in Solaris Secure Shell
    ▼ How to Set Up the ssh-agent Command to Run Automatically
    ▼ How to Use Port Forwarding in Solaris Secure Shell
    ▼ How to Copy Files With Solaris Secure Shell
    ▼ How to Set Up Default Connections to Hosts Outside a Firewall
19 Solaris Secure Shell (Reference)
    A Typical Solaris Secure Shell Session
    Session Characteristics in Solaris Secure Shell
    Authentication and Key Exchange in Solaris Secure Shell
    Command Execution and Data Forwarding in Solaris Secure Shell
    Client and Server Configuration in Solaris Secure Shell
    Client Configuration in Solaris Secure Shell
    Server Configuration in Solaris Secure Shell
    Keywords in Solaris Secure Shell
    Host-Specific Parameters in Solaris Secure Shell
    Solaris Secure Shell and Login Environment Variables
    Maintaining Known Hosts in Solaris Secure Shell
    Solaris Secure Shell Packages and Initialization
    Solaris Secure Shell Files
    Solaris Secure Shell Commands

Part VI Kerberos Service

20 Introduction to the Kerberos Service
    What Is the Kerberos Service?
    How the Kerberos Service Works
    Initial Authentication: the Ticket-Granting Ticket
    Subsequent Kerberos Authentications
    The Kerberos Remote Applications
    Kerberos Principals
    Kerberos Realms
    Kerberos Security Services
    The Components of Various Kerberos Releases
    Kerberos Components
    Kerberos Enhancements in the Solaris 10 Release
    Kerberos Components in the Solaris 9 Release
    SEAM 1.0.2 Components
    Kerberos Components in the Solaris 8 Release
    SEAM 1.0.1 Components
    SEAM 1.0 Components

21 Planning for the Kerberos Service
    Why Plan for Kerberos Deployments?
    Kerberos Realms
    Realm Names
    Number of Realms
    Realm Hierarchy
    Mapping Host Names Onto Realms
    Client and Service Principal Names
    Ports for the KDC and Admin Services
    The Number of Slave KDCs
    Mapping GSS Credentials to UNIX Credentials
    Automatic User Migration to a Kerberos Realm
    Which Database Propagation System to Use
    Clock Synchronization Within a Realm
    Client Installation Options
    Kerberos Encryption Types
    Online Help URL in the SEAM Administration Tool

22 Configuring the Kerberos Service (Tasks)
    Configuring the Kerberos Service (Task Map)
    Configuring Additional Kerberos Services (Task Map)
    Configuring KDC Servers
    ▼ How to Configure a Master KDC
    ▼ How to Configure a Slave KDC
    Configuring Cross-Realm Authentication
    ▼ How to Establish Hierarchical Cross-Realm Authentication
    ▼ How to Establish Direct Cross-Realm Authentication
    Configuring Kerberos Network Application Servers
    ▼ How to Configure a Kerberos Network Application Server
    Configuring Kerberos NFS Servers
    ▼ How to Configure Kerberos NFS Servers
    ▼ How to Create a Credential Table
    ▼ How to Add a Single Entry to the Credential Table
    ▼ How to Provide Credential Mapping Between Realms
    ▼ How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes
    Configuring Kerberos Clients
    Configuring Kerberos Clients (Task Map)
    ▼ How to Create a Kerberos Client Installation Profile
    ▼ How to Automatically Configure a Kerberos Client
    ▼ How to Interactively Configure a Kerberos Client
    ▼ How to Manually Configure a Kerberos Client
    ▼ How to Access a Kerberos Protected NFS File System as the root User
    ▼ Configuring Automatic Migration of Users in a Kerberos Realm
    Synchronizing Clocks Between KDCs and Kerberos Clients
    Swapping a Master KDC and a Slave KDC
    ▼ How to Configure a Swappable Slave KDC
    ▼ How to Swap a Master KDC and a Slave KDC
    Administering the Kerberos Database
    Backing Up and Propagating the Kerberos Database
    ▼ How to Back Up the Kerberos Database
    ▼ How to Restore the Kerberos Database
    ▼ How to Reload a Kerberos Database
    ▼ How to Reconfigure a Master KDC to Use Incremental Propagation
    ▼ How to Reconfigure a Slave KDC to Use Incremental Propagation
    ▼ How to Configure a Slave KDC to Use Full Propagation
    ▼ How to Verify That the KDC Servers Are Synchronized
    ▼ How to Manually Propagate the Kerberos Database to the Slave KDCs
    Setting Up Parallel Propagation
    Configuration Steps for Setting Up Parallel Propagation
    Administering the Stash File
    ▼ How to Remove a Stash File
    Increasing Security on Kerberos Servers
    ▼ How to Enable Only Kerberized Applications
    ▼ How to Restrict Access to KDC Servers

23 Kerberos Error Messages and Troubleshooting
    Kerberos Error Messages
    SEAM Administration Tool Error Messages
    Common Kerberos Error Messages (A-M)
    Common Kerberos Error Messages (N-Z)
    Kerberos Troubleshooting
    Problems With the Format of the krb5.conf File
    Problems Propagating the Kerberos Database
    Problems Mounting a Kerberized NFS File System
    Problems Authenticating as root
    Observing Mapping from GSS Credentials to UNIX Credentials

24 Administering Kerberos Principals and Policies (Tasks)
    Ways to Administer Kerberos Principals and Policies
    SEAM Administration Tool
    Command-Line Equivalents of the SEAM Tool
    The Only File Modified by the SEAM Tool
    Print and Online Help Features of the SEAM Tool
    Working With Large Lists in the SEAM Tool
    ▼ How to Start the SEAM Tool
    Administering Kerberos Principals
    Administering Kerberos Principals (Task Map)
    Automating the Creation of New Kerberos Principals
    ▼ How to View the List of Kerberos Principals
    ▼ How to View a Kerberos Principal’s Attributes
    ▼ How to Create a New Kerberos Principal
    ▼ How to Duplicate a Kerberos Principal
    ▼ How to Modify a Kerberos Principal
    ▼ How to Delete a Kerberos Principal
    ▼ How to Set Up Defaults for Creating New Kerberos Principals
    ▼ How to Modify the Kerberos Administration Privileges
    Administering Kerberos Policies
    Administering Kerberos Policies (Task Map)
    ▼ How to View the List of Kerberos Policies
    ▼ How to View a Kerberos Policy’s Attributes
    ▼ How to Create a New Kerberos Policy
    ▼ How to Duplicate a Kerberos Policy
    ▼ How to Modify a Kerberos Policy
    ▼ How to Delete a Kerberos Policy
    SEAM Tool Reference
    SEAM Tool Panel Descriptions
    Using the SEAM Tool With Limited Kerberos Administration Privileges
    Administering Keytab Files
    Administering Keytab Files (Task Map)
    ▼ How to Add a Kerberos Service Principal to a Keytab File
    ▼ How to Remove a Service Principal From a Keytab File
    ▼ How to Display the Keylist (Principals) in a Keytab File
    ▼ How to Temporarily Disable Authentication for a Service on a Host
25 Using Kerberos Applications (Tasks)
    Kerberos Ticket Management
    Do You Need to Worry About Tickets?
    Creating a Kerberos Ticket
    Viewing Kerberos Tickets
    Destroying Kerberos Tickets
    Kerberos Password Management
    Advice on Choosing a Password
    Changing Your Password
    Granting Access to Your Account
    Kerberos User Commands
    Overview of Kerberized Commands
    Forwarding Kerberos Tickets
    Examples — Using Kerberized Commands

26 The Kerberos Service (Reference)
    Kerberos Files
    Kerberos Commands
    Kerberos Daemons
    Kerberos Terminology
    Kerberos-Specific Terminology
    Authentication-Specific Terminology
    Types of Tickets
    How the Kerberos Authentication System Works
    Gaining Access to a Service Using Kerberos
    Obtaining a Credential for the Ticket-Granting Service
    Obtaining a Credential for a Server
    Obtaining Access to a Specific Service
    Using Kerberos Encryption Types
    Using the gsscred Table
    Notable Differences Between Solaris Kerberos and MIT Kerberos

Part VII Solaris Auditing

27 Solaris Auditing (Overview)
    What Is Auditing?
    How Does Auditing Work?
    How Is Auditing Related to Security?
    Audit Terminology and Concepts
    Audit Events
    Audit Classes and Preselection
    Audit Records and Audit Tokens
    Audit Files
    Audit Storage
    Examining the Audit Trail
    Solaris Auditing Enhancements in the Solaris 10 Release

28 Planning for Solaris Auditing
    Planning Solaris Auditing (Task Map)
    Planning Solaris Auditing (Tasks)
    ▼ How to Plan Auditing in Zones
    ▼ How to Plan Storage for Audit Records
    ▼ How to Plan Who and What to Audit
    Determining Audit Policy
    Controlling Auditing Costs
    Cost of Increased Processing Time of Audit Data
    Cost of Analysis of Audit Data
    Cost of Storage of Audit Data
    Auditing Efficiently

29 Managing Solaris Auditing (Tasks)
    Solaris Auditing (Task Map)
    Configuring Audit Files (Task Map)
    Configuring Audit Files
    ▼ How to Modify the audit_control File
    ▼ How to Configure syslog Audit Logs
    ▼ How to Change a User’s Audit Characteristics
    ▼ How to Add an Audit Class
    ▼ How to Change an Audit Event’s Class Membership
    Configuring and Enabling the Auditing Service (Task Map)
    Configuring and Enabling the Auditing Service
    ▼ How to Create Partitions for Audit Files
    ▼ How to Configure the audit_warn Email Alias
    ▼ How to Configure Audit Policy
▼ How to Enable Auditing 564
▼ How to Disable Auditing 565
▼ How to Update the Auditing Service 566
Managing Audit Records (Task Map) 568
Managing Audit Records 568
▼ How to Display Audit Record Formats 568
▼ How to Merge Audit Files From the Audit Trail 570
▼ How to Select Audit Events From the Audit Trail 572
▼ How to View the Contents of Binary Audit Files 574
▼ How to Clean Up a not_terminated Audit File 575
▼ How to Prevent Audit Trail Overflow 576
30 Solaris Auditing (Reference) 579
Audit Commands 579
auditd Daemon 580
audit Command 580
bsmrecord Command 581
auditreduce Command 581
praudit Command 583
auditconfig Command 584
Files Used in the Auditing Service 584
system File 585
syslog.conf File 585
audit_class File 585
audit_control File 585
audit_event File 587
audit_startup Script 587
audit_user Database 587
audit_warn Script 588
bsmconv Script 589
Rights Profiles for Administering Auditing 590
Auditing and Solaris Zones 590
Audit Classes 591
Definitions of Audit Classes 591
Audit Class Syntax 593
Audit Policy 594
Process Audit Characteristics 594
Audit Trail 595
Conventions for Binary Audit File Names 595
Binary Audit File Names 595
Binary Audit File Timestamps 596
Audit Record Structure 596
Audit Record Analysis 597
Audit Token Formats 598
acl Token 599
arbitrary Token (Obsolete) 599
arg Token 600
attribute Token 601
cmd Token 601
exec_args Token 602
exec_env Token 602
exit Token (Obsolete) 602
file Token 603
group Token (Obsolete) 603
groups Token 603
header Token 604
in_addr Token 604
ip Token (Obsolete) 605
ipc Token 605
ipc_perm Token 606
iport Token 606
opaque Token (Obsolete) 606
path Token 607
path_attr Token 607
privilege Token 608
process Token 608
return Token 609
sequence Token 610
socket Token 610
subject Token 611
text Token 613
trailer Token 613
uauth Token 613
zonename Token 614
Glossary 615
Index 629
Preface
System Administration Guide: Security Services is part of a multivolume set that covers a
significant part of the Solaris™ Operating System administration information. This
book assumes that you have already installed the SunOS™ 5.10 operating system, and
you have set up any networking software that you plan to use. The SunOS 5.10
operating system is part of the Solaris 10 product family, which includes many
features, such as the Solaris Common Desktop Environment (CDE).
Note – This Solaris release supports systems that use the SPARC® and x86 families of
processor architectures: UltraSPARC®, SPARC64, AMD64, Pentium, and Xeon EM64T.
The supported systems appear in the Solaris 10 Hardware Compatibility List at
http://www.sun.com/bigadmin/hcl. This document cites any implementation
differences between the platform types.
In this document, these x86-related terms mean the following:
■ “x86” refers to the larger family of 64-bit and 32-bit x86 compatible products.
■ “x64” points out specific 64-bit information about AMD64 or EM64T systems.
■ “32-bit x86” points out specific 32-bit information about x86 based systems.
For supported systems, see the Solaris 10 Hardware Compatibility List.
Who Should Use This Book
This book is intended for anyone who is responsible for administering one or more
systems that run the Solaris 10 release. To use this book, you should have more than
two years of UNIX® system administration experience. Attending training courses in
UNIX system administration might be helpful.
How the System Administration Volumes Are Organized
Here is a list of the topics that are covered by the volumes of the System
Administration Guides.
Book Title, followed by Topics
System Administration Guide: Basic Administration
  User accounts and groups, server and client support, shutting down and booting a system, managing services, and managing software (packages and patches)
System Administration Guide: Advanced Administration
  Printing services, terminals and modems, system resources (disk quotas, accounting, and crontabs), system processes, and troubleshooting Solaris software problems
System Administration Guide: Devices and File Systems
  Removable media, disks and devices, file systems, and backing up and restoring data
System Administration Guide: IP Services
  TCP/IP network administration, IPv4 and IPv6 address administration, DHCP, IPsec, IKE, Solaris IP filter, Mobile IP, IP network multipathing (IPMP), and IPQoS
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
  DNS, NIS, and LDAP naming and directory services, including transitioning from NIS to LDAP and transitioning from NIS+ to LDAP
System Administration Guide: Naming and Directory Services (NIS+)
  NIS+ naming and directory services
System Administration Guide: Network Services
  Web cache servers, time-related services, network file systems (NFS and Autofs), mail, SLP, and PPP
System Administration Guide: Security Services
  Auditing, device management, file security, BART, Kerberos services, PAM, Solaris Cryptographic Framework, privileges, RBAC, SASL, and Solaris Secure Shell
System Administration Guide: Solaris Containers-Resource Management and Solaris Zones
  Resource management topics: projects and tasks, extended accounting, resource controls, fair share scheduler (FSS), physical memory control using the resource capping daemon (rcapd), and dynamic resource pools; virtualization using Solaris Zones software partitioning technology
Related Third-Party Web Site References
Third-party URLs are referenced in this document and provide additional, related
information.
Sun is not responsible for the availability of third-party web sites mentioned in this
document. Sun does not endorse and is not responsible or liable for any content,
advertising, products, or other materials that are available on or through such sites or
resources. Sun will not be responsible or liable for any actual or alleged damage or
loss caused by or in connection with the use of or reliance on any such content, goods,
or services that are available on or through such sites or resources.
Documentation, Support, and Training
The Sun web site provides information about the following additional resources:
■ Documentation (http://www.sun.com/documentation/)
■ Support (http://www.sun.com/support/)
■ Training (http://www.sun.com/training/)
Typographic Conventions
The following table describes the typographic conventions that are used in this book.
TABLE P–1 Typographic Conventions
Typeface: AaBbCc123
  Meaning: The names of commands, files, and directories, and onscreen computer output
  Example: Edit your .login file. Use ls -a to list all files. machine_name% you have mail.
Typeface: AaBbCc123
  Meaning: What you type, contrasted with onscreen computer output
  Example: machine_name% su
           Password:
Typeface: aabbcc123
  Meaning: Placeholder: replace with a real name or value
  Example: The command to remove a file is rm filename.
Typeface: AaBbCc123
  Meaning: Book titles, new terms, and terms to be emphasized
  Example: Read Chapter 6 in the User’s Guide. A cache is a copy that is stored locally. Do not save the file.
  Note: Some emphasized items appear bold online.
Shell Prompts in Command Examples
The following table shows the default UNIX® system prompt and superuser prompt
for the C shell, Bourne shell, and Korn shell.
TABLE P–2 Shell Prompts
Shell Prompt
C shell machine_name%
C shell for superuser machine_name#
Bourne shell and Korn shell $
Bourne shell and Korn shell for superuser #
PART I Security Overview
This book focuses on the features that enhance security in the Solaris Operating
System. This book is intended for system administrators and users of these security
features. The overview chapter introduces the topics in the book.
CHAPTER 1
Security Services (Overview)
To maintain the security of the Solaris Operating System (Solaris OS), Solaris software
provides the following features:
■ “System Security” on page 29 – The ability to prevent intrusion, to protect
machine resources and devices from misuse, and to protect files from malicious
modification or unintentional modification by users or intruders
For a general discussion of system security, see Chapter 2.
■ “Solaris Cryptographic Services” on page 30 – The ability to scramble data so that
only the sender and the designated receiver can read the contents, and to manage
cryptographic providers
■ “Authentication Services” on page 31 – The ability to securely identify a user,
which requires the user’s name and some form of proof, typically a password
■ “Authentication With Encryption” on page 32 – The ability to ensure that
authenticated parties can communicate without interception, modification, or
spoofing
■ “Solaris Auditing” on page 32 – The ability to identify the source of security
changes to the system, including file access, security-related system calls, and
authentication failures
■ “Security Policy” on page 33 – The design and implementation of security
guidelines for a computer or network of computers
System Security
System security ensures that the system’s resources are used properly. Access controls
can restrict who is permitted access to resources on the system. The Solaris OS features
for system security and access control include the following:
■ Login administration tools – Commands for monitoring and controlling a user’s
ability to log in. See “Securing Logins and Passwords (Task Map)” on page 60.
■ Hardware access – Commands for limiting access to the PROM, and for restricting
who can boot the system. See “SPARC: Controlling Access to System Hardware
(Task Map)” on page 74.
■ Resource access – Tools and strategies for maximizing the appropriate use of
machine resources while minimizing the misuse of those resources. See
“Controlling Access to Machine Resources” on page 46.
■ Role-based access control (RBAC) – An architecture for creating special, restricted
user accounts that are permitted to perform specific administrative tasks. See
“Role-Based Access Control (Overview)” on page 175.
■ Privileges – Discrete rights on processes to perform operations. These process
rights are enforced in the kernel. See “Privileges (Overview)” on page 184.
■ Device management – Device policy additionally protects devices that are already
protected by UNIX permissions. Device allocation controls access to peripheral
devices, such as a microphone or CD-ROM drive. Upon deallocation, device-clean
scripts can then erase any data from the device. See “Controlling Access to
Devices” on page 44.
■ Basic Audit Reporting Tool (BART) – A snapshot, called a manifest, of the file
attributes of files on a system. By comparing the manifests across systems or on
one system over time, changes to files can be monitored to reduce security risks.
See Chapter 5.
■ File permissions – Attributes of a file or directory. Permissions restrict the users
and groups that are permitted to read, write, or execute a file, or search a directory.
See Chapter 6.
■ Security enhancement scripts – Through the use of scripts, many system files and
parameters can be adjusted to reduce security risks. See Chapter 7.
Solaris Cryptographic Services
Cryptography is the science of encrypting and decrypting data. Cryptography is used
to ensure integrity, privacy, and authenticity. Integrity means that the data has not been
altered. Privacy means that the data is not readable by others. Authenticity for data
means that what was delivered is what was sent. User authentication means that the
user has supplied one or more proofs of identity. Authentication mechanisms
mathematically verify the source of the data or the proof of identity. Encryption
mechanisms scramble data so that the data is not readable by a casual observer.
Cryptographic services provide authentication and encryption mechanisms to
applications and users.
Cryptographic algorithms use hashing, chaining, and other mathematical techniques
to create ciphers that are difficult to break. Authentication mechanisms require that the
sender and the receiver compute an identical number from the data. Encryption
mechanisms rely on the sender and the receiver sharing information about the method
of encryption. This information enables only the receiver and the sender to decrypt the
message. The Solaris OS provides a centralized cryptographic framework, and
provides encryption mechanisms that are tied to particular applications.
■ Solaris™ Cryptographic Framework – A central framework of cryptographic
services for kernel-level and user-level consumers. Uses include passwords, IPsec,
and third-party applications. The cryptographic framework includes a number of
software encryption modules. The framework enables you to specify which
software encryption modules or hardware encryption sources an application can
use. The framework is built on the PKCS #11 v2 library. This library is
implemented according to the following standard: RSA Security Inc. PKCS #11
Cryptographic Token Interface (Cryptoki). The library provides an API for
third-party developers to plug in the cryptographic requirements for their
applications. See Chapter 13.
■ Encryption mechanisms per application –
■ For the use of DES in Secure RPC, see “Overview of Secure RPC” on page 291.
■ For the use of DES, 3DES, AES, and ARCFOUR in the Kerberos service, see
Chapter 20.
■ For the use of RSA, DSA, and ciphers such as Blowfish in Solaris Secure Shell,
see Chapter 18.
■ For the use of cryptographic algorithms in passwords, see “Changing the
Password Algorithm (Task Map)” on page 67.
Authentication Services
Authentication is a mechanism that identifies a user or service based on predefined
criteria. Authentication services range from simple name-password pairs to more
elaborate challenge-response systems, such as smart cards and biometrics. Strong
authentication mechanisms rely on a user supplying information that only that person
knows, and a personal item that can be verified. A user name is an example of
information that the person knows. A smart card or a fingerprint, for example, can be
verified. The Solaris features for authentication include the following:
■ Secure RPC – An authentication mechanism that uses the Diffie-Hellman protocol
to protect NFS mounts and a name service, such as NIS or NIS+. See “Overview of
Secure RPC” on page 291.
■ Pluggable Authentication Module (PAM) – A framework that enables various
authentication technologies to be plugged into a system entry service without
recompiling the service. Some of the system entry services include login and ftp.
See Chapter 16.
■ Simple Authentication and Security Layer (SASL) – A framework that provides
authentication and security services to network protocols. See Chapter 17.
Chapter 1 • Security Services (Overview) 31
■ Solaris Secure Shell – A secure remote login and transfer protocol that encrypts
communications over an insecure network. See Chapter 18.
■ Kerberos service – A client-server architecture that provides encryption with
authentication. See Chapter 20.
■ Solaris smart card – A plastic card with a microprocessor and memory that can be
used with a card reader to access systems. See Solaris Smartcard Administration
Guide.
Authentication With Encryption
Authentication with encryption is the basis of secure communication. Authentication
helps ensure that the source and the destination are the intended parties. Encryption
codes the communication at the source, and decodes the communication at the
destination. Encryption prevents intruders from reading any transmissions that the
intruders might manage to intercept. The Solaris features for secure communication
include the following:
■ Solaris Secure Shell – A protocol for protecting data transfers and interactive user
network sessions from eavesdropping, session hijacking, and “man-in-the-middle”
attacks. Strong authentication is provided through public key cryptography. X
windows services and other network services can be tunneled safely over Secure
Shell connections for additional protection. See Chapter 18.
■ Kerberos service – A client-server architecture that provides authentication with
encryption. See Chapter 20.
■ Internet Protocol Security Architecture (IPsec) – An architecture that provides IP
datagram protection. Protections include confidentiality, strong integrity of the
data, data authentication, and partial sequence integrity. See Chapter 19, “IP
Security Architecture (Overview),” in System Administration Guide: IP Services.
Solaris Auditing
Auditing is a fundamental concept of system security and maintainability. Auditing is
the process of examining the history of actions and events on a system to determine
what happened. The history is kept in a log of what was done, when it was done, by
whom, and what was affected. See Chapter 27.
Security Policy
The phrase security policy, or policy, is used throughout this book to refer to an
organization’s security guidelines. Your site’s security policy is the set of rules that
define the sensitivity of the information that is being processed and the measures that
are used to protect the information from unauthorized access. Security technologies
such as Solaris Secure Shell, authentication, RBAC, authorization, privileges, and
resource control provide measures to protect information.
Some security technologies also use the word policy when describing specific aspects
of their implementation. For example, Solaris auditing uses audit policy options to
configure some aspects of auditing policy. The following table points to the glossary
definition, selected man pages, and further information for the features that use the
word policy to describe specific aspects of their implementation.
TABLE 1–1 Use of Policy in the Solaris OS
Glossary Definition: audit policy
  Selected Man Pages: audit_control(4), audit_user(4), auditconfig(1M)
  Further Information: Chapter 27
Glossary Definition: policy in the cryptographic framework
  Selected Man Pages: cryptoadm(1M)
  Further Information: Chapter 13
Glossary Definition: device policy
  Selected Man Pages: getdevpolicy(1M)
  Further Information: “Controlling Access to Devices” on page 44
Glossary Definition: Kerberos policy
  Selected Man Pages: krb5.conf(4)
  Further Information: Chapter 24
Glossary Definition: network policies
  Selected Man Pages: ipfilter(5), ifconfig(1M), ike.config(4), ipsecconf(1M), routeadm(1M)
  Further Information: Part IV, “IP Security,” in System Administration Guide: IP Services
Glossary Definition: password policy
  Selected Man Pages: passwd(1), nsswitch.conf(4), crypt.conf(4), policy.conf(4)
  Further Information: “Maintaining Login Control” on page 39
Glossary Definition: RBAC policy
  Selected Man Pages: rbac(5)
  Further Information: “exec_attr Database” on page 232
PART II System, File, and Device Security
This section covers security that can be configured on a non-networked system. The
chapters discuss planning, monitoring, and controlling access to the disk, to files, and
to peripheral devices.
CHAPTER 2
Managing Machine Security (Overview)
Keeping a machine’s information secure is an important system administration
responsibility. This chapter provides overview information about managing machine
security.
The following is a list of the overview information in this chapter.
■ “Enhancements to Machine Security in the Solaris 10 Release” on page 37
■ “Controlling Access to a Computer System” on page 38
■ “Controlling Access to Devices” on page 44
■ “Controlling Access to Machine Resources” on page 46
■ “Controlling Access to Files” on page 51
■ “Controlling Network Access” on page 52
■ “Reporting Security Problems” on page 57
Enhancements to Machine Security in the Solaris 10 Release
Since the Solaris 9 release, the following features have been introduced to enhance
system security:
■ Strong password encryption is available and configurable. For more information,
see “Password Encryption” on page 41.
■ Device policy is enforced with privileges. For more information, see “Device Policy
(Overview)” on page 45.
For device allocation, the /etc/security/dev directory might not be supported
in future releases of the Solaris OS.
■ The Basic Audit Reporting Tool (BART) can monitor the authenticity of the files on
your system. For more information, see Chapter 5.
■ Files can be protected with strong encryption. For more information, see
“Protecting Files With Encryption” on page 51.
■ Privileges enforce process rights at the kernel level. For more information, see
“Privileges (Overview)” on page 184.
■ The Solaris Cryptographic Framework centralizes cryptographic services for
providers and for consumers. For more information, see Chapter 13.
■ The PAM framework provides functionality for many programs, such as Solaris
Secure Shell. For more information, see “Changes to PAM for the Solaris 10
Release” on page 305.
■ Solaris zones and resource management control access to machine resources. For
more information, see System Administration Guide: Solaris Containers-Resource
Management and Solaris Zones.
Controlling Access to a Computer System
In the workplace, all machines that are connected to a server can be thought of as one
large multifaceted system. You are responsible for the security of this larger system.
You need to defend the network from outsiders who are trying to gain access to the
network. You also need to ensure the integrity of the data on the machines within the
network.
At the file level, the Solaris OS provides standard security features that you can use to
protect files, directories, and devices. At the system and network levels, the security
issues are mostly the same. The first line of security defense is to control access to your
system. You can control and monitor system access by doing the following:
■ “Maintaining Physical Security” on page 38
■ “Maintaining Login Control” on page 39
■ “Controlling Access to Devices” on page 44
■ “Controlling Access to Machine Resources” on page 46
■ “Controlling Access to Files” on page 51
■ “Controlling Network Access” on page 52
■ “Reporting Security Problems” on page 57
Maintaining Physical Security
To control access to your system, you must maintain the physical security of your
computing environment. For instance, a system that is logged in and left unattended is
vulnerable to unauthorized access. An intruder can gain access to the operating
system and to the network. The computer’s surroundings and the computer hardware
should be physically protected from unauthorized access.
You can protect a SPARC system from unauthorized access to the hardware settings.
Use the eeprom command to require a password to access the PROM. For more
information, see “How to Require a Password for Hardware Access” on page 75.
Maintaining Login Control
You also must prevent unauthorized logins to a system or the network, which you can
do through password assignment and login control. All accounts on a system should
have a password. A password is a simple authentication mechanism. An account
without a password makes your entire network accessible to an intruder who guesses
a user name. A strong password algorithm protects against brute force attacks.
When a user logs in to a system, the login command checks the appropriate name
service or directory service database according to the information that is listed in the
/etc/nsswitch.conf file. This file can include the following entries:
■ files – Designates the /etc files on the local system
■ ldap – Designates the LDAP directory service on the LDAP server
■ nis – Designates the NIS database on the NIS master server
■ nisplus – Designates the NIS+ database on the NIS+ root server
For a description of the nsswitch.conf file, see the nsswitch.conf(4) man page.
For information about naming services and directory services, see the System
Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) or the
System Administration Guide: Naming and Directory Services (NIS+).
The login command verifies the user name and password that were supplied by the
user. If the user name is not in the password file, the login command denies access to
the system. If the password is not correct for the user name that was specified, the
login command denies access to the system. When the user supplies a valid user
name and its corresponding password, the system grants the user access to the system.
PAM modules can streamline login to applications after a successful system login. For
more information, see Chapter 16.
Sophisticated authentication and authorization mechanisms are available on Solaris
systems. For a discussion of authentication and authorization mechanisms at the
network level, see “Authentication and Authorization for Remote Access” on page
54.
Managing Password Information
When users log in to a system, they must supply both a user name and a password.
Although logins are publicly known, passwords must be kept secret. Passwords
should be known only to each user. You should ask your users to choose their
passwords carefully. Users should change their passwords often.
Chapter 2 • Managing Machine Security (Overview) 39
Passwords are initially created when you set up a user account. To maintain security
on user accounts, you can set up password aging to force users to routinely change
their passwords. You can also disable a user account by locking the password. For
detailed information about administering passwords, see Chapter 4, “Managing User
Accounts and Groups (Overview),” in System Administration Guide: Basic
Administration and the passwd(1) man page.
Local Passwords
If your network uses local files to authenticate users, the password information is kept
in the system’s /etc/passwd and /etc/shadow files. The user name and other
information are kept in the password file /etc/passwd. The encrypted password
itself is kept in a separate shadow file, /etc/shadow. This security measure prevents a
user from gaining access to the encrypted passwords. While the /etc/passwd file is
available to anyone who can log in to a system, only superuser or an equivalent role
can read the /etc/shadow file. You can use the passwd command to change a user’s
password on a local system.
NIS and NIS+ Passwords
If your network uses NIS to authenticate users, password information is kept in the
NIS password map. NIS does not support password aging. You can use the command
passwd -r nis to change a user’s password that is stored in an NIS password map.
If your network uses NIS+ to authenticate users, password information is kept in the
NIS+ database. Information in the NIS+ database can be protected by restricting access
to authorized users only. You can use the passwd -r nisplus command to change a
user’s password that is stored in an NIS+ database.
LDAP Passwords
The Solaris LDAP naming service stores password information and shadow
information in the ou=people container of the LDAP directory tree. On the Solaris
LDAP naming service client, you can use the passwd -r ldap command to change a
user’s password. The LDAP naming service stores the password in the LDAP
repository.
In the Solaris 10 release, password policy is enforced on the Sun Java™ System
Directory Server. Specifically, the client’s pam_ldap module follows the password
policy controls that are enforced on the Sun Java System Directory Server. For more
information, see “LDAP Naming Services Security Model” in System Administration
Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Password Encryption
Strong password encryption provides an early barrier against attack. Solaris software
provides four password encryption algorithms. The two MD5 algorithms and the
Blowfish algorithm provide more robust password encryption than the UNIX
algorithm.
Password Algorithm Identifiers
You specify the algorithms configuration for your site in the
/etc/security/policy.conf file. In the policy.conf file, the algorithms are
named by their identifier, as shown in the following table.
TABLE 2–1 Password Encryption Algorithms
Identifier: 1
  Description: The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.
  Algorithm Man Page: crypt_bsdmd5(5)
Identifier: 2a
  Description: The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.
  Algorithm Man Page: crypt_bsdbf(5)
Identifier: md5
  Description: The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.
  Algorithm Man Page: crypt_sunmd5(5)
Identifier: __unix__
  Description: The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file.
  Algorithm Man Page: crypt_unix(5)
Algorithms Configuration in the policy.conf File
The following shows the default algorithms configuration in the policy.conf file:
#
...
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
...
When you change the value for CRYPT_DEFAULT, the passwords of new users are
encrypted with the algorithm that is associated with the new value. When current
users change their passwords, how their old password was encrypted affects which
algorithm is used to encrypt the new password.
For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5 and
CRYPT_DEFAULT=1. The following table shows which algorithm would be used to
generate the encrypted password.
Initial Password (Identifier = Password Algorithm), Changed Password, and Explanation
Initial Password: 1 = crypt_bsdmd5
  Changed Password: Uses same algorithm
  Explanation: The 1 identifier is also the value of CRYPT_DEFAULT. The user’s password continues to be encrypted with the crypt_bsdmd5 algorithm.
Initial Password: 2a = crypt_bsdbf
  Changed Password: Uses same algorithm
  Explanation: The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsdbf algorithm.
Initial Password: md5 = crypt_md5
  Changed Password: Uses same algorithm
  Explanation: The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm.
Initial Password: __unix__ = crypt_unix
  Changed Password: Uses crypt_bsdmd5 algorithm
  Explanation: The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm.
For more information on configuring the algorithm choices, see the policy.conf(4)
man page. To specify password encryption algorithms, see “Changing the Password
Algorithm (Task Map)” on page 67.
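The selection rule described above (keep the current algorithm if its identifier is in CRYPT_ALGORITHMS_ALLOW, otherwise fall back to CRYPT_DEFAULT), together with the earlier point that every account should have a password, can be checked mechanically. The following Python script is an added example and is not part of the Sun guide or of Solaris itself. It parses a constructed policy.conf fragment and constructed /etc/shadow lines, names the algorithm behind each stored hash from its $identifier$ prefix (crypt.conf identifiers such as 1, 2a and md5 appear in the hash as $1$, $2a$ and $md5$; a bare 13-character field is the traditional crypt_unix form), reports accounts with no password, and computes which algorithm the next password change would use. The user names, hash bodies and file contents are constructed, and the *LK* and NP lock markers are assumed Solaris conventions rather than something this page states.

```python
"""Added example: classify Solaris-style password hashes and apply the
policy.conf rule for which crypt(3c) algorithm a changed password gets.
Illustrative code, not from the Sun guide; all file contents are constructed."""
import re

# Constructed stand-in for /etc/security/policy.conf (same keys as the guide shows).
POLICY_CONF = """\
# crypt(3c) Algorithms Configuration
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
"""

# Constructed stand-in for /etc/shadow: user:hash:lastchg:min:max:warn:inactive:expire:flag.
# The hash bodies are placeholders, not real digests.
SHADOW = """\
root:$md5$rounds=4096$aBcDeFgH$CONSTRUCTEDHASH1:13000::::::
alice:$1$saltsalt$CONSTRUCTEDHASH2:13000::::::
bob:$2a$04$saltsaltsaltsaltsalt.CONSTRUCTEDHASH3:13000::::::
carol:AbCdEfGhIjKlM:13000::::::
dave::13000::::::
eve:*LK*:13000::::::
"""


def parse_policy(text):
    """Extract CRYPT_ALGORITHMS_ALLOW (as a list) and CRYPT_DEFAULT, ignoring comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    allow = [a for a in values.get("CRYPT_ALGORITHMS_ALLOW", "").split(",") if a]
    # The guide states that __unix__ is the Solaris default when nothing else is set.
    return {"allow": allow, "default": values.get("CRYPT_DEFAULT", "__unix__")}


def hash_identifier(field):
    """Name the algorithm behind a shadow password field.

    crypt.conf identifiers appear as a $identifier$ prefix ($1$, $2a$, $md5$).
    A bare 13-character field is the traditional crypt_unix form.
    Empty means no password; *LK* and NP are the Solaris lock markers (assumed)."""
    if field == "":
        return "EMPTY"
    if field.startswith("*") or field == "NP":
        return "LOCKED"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return m.group(1)
    if re.fullmatch(r"[A-Za-z0-9./]{13}", field):
        return "__unix__"
    return "UNKNOWN"


def algorithm_for_new_password(current_field, policy):
    """Rule from the guide: a changed password keeps its current algorithm only
    if that identifier is in CRYPT_ALGORITHMS_ALLOW; otherwise CRYPT_DEFAULT is used."""
    ident = hash_identifier(current_field)
    return ident if ident in policy["allow"] else policy["default"]


def audit_shadow(shadow_text, policy):
    """Per-account report: current algorithm, algorithm on next change, and flags
    for accounts with no password or with the weak traditional hash."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        ident = hash_identifier(field)
        report[user] = {
            "current": ident,
            "on_change": algorithm_for_new_password(field, policy),
            "no_password": ident == "EMPTY",
            "weak_unix_hash": ident == "__unix__",
        }
    return report


if __name__ == "__main__":
    policy = parse_policy(POLICY_CONF)
    for user, info in audit_shadow(SHADOW, policy).items():
        flags = ""
        if info["no_password"]:
            flags += "  NO PASSWORD"
        if info["weak_unix_hash"]:
            flags += "  weak crypt_unix hash"
        print(f"{user:8} current={info['current']:9} on_change={info['on_change']}{flags}")
```

Run against the constructed data, the report shows dave with no password, carol still on the traditional hash but moving to identifier 1 at her next change (because 1 is the CRYPT_DEFAULT in this fragment), and root, alice and bob keeping their current algorithms because each identifier is in CRYPT_ALGORITHMS_ALLOW. Swapping CRYPT_DEFAULT back to __unix__ reproduces the guide's default behaviour, where a traditional hash stays traditional.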
Special System Logins
Two common ways to access a system are by using a conventional user login, or by
using the root login. In addition, a number of special system logins enable a user to
run administrative commands without using the root account. As system
administrator, you assign passwords to these login accounts.
The following table lists some system login accounts and their uses. The system logins
perform special functions. Each login has its own group identification number (GID).
Each login should have its own password, which should be divulged on a
need-to-know basis.
TABLE 2–2 System Login Accounts and Their Uses
Login Account   GID   Use
root            0     Has almost no restrictions. Overrides all other logins, protections, and permissions. The root account has access to the entire system. The password for the root login should be very carefully protected. The root account, superuser, owns most of the Solaris commands.
daemon          1     Controls background processing.
bin             2     Owns some Solaris commands.
sys             3     Owns many system files.
adm             4     Owns certain administrative files.
lp              71    Owns the object data files and spooled data files for the printer.
uucp            5     Owns the object data files and spooled data files for UUCP, the UNIX-to-UNIX copy program.
nuucp           9     Is used by remote systems to log in to the system and start file transfers.
Remote Logins
Remote logins offer a tempting avenue for intruders. The Solaris OS provides several
commands to monitor, limit, and disable remote logins. For procedures, see “Securing
Logins and Passwords (Task Map)” on page 60.
By default, remote logins cannot gain control or read certain system devices, such as
the system mouse, keyboard, frame buffer, or audio device. For more information, see
the logindevperm(4) man page.
Dial-Up Logins
When a computer can be accessed through a modem or a dial-up port, you can add an
extra layer of security. You can require a dial-up password for users who access a system
through a modem or dial-up port. The dial-up password is an additional password
that a user must supply before being granted access to the system.
Only superuser or a role of equivalent capabilities can create or change a dial-up
password. To ensure the integrity of the system, the password should be changed
about once a month. The most effective use of this feature is to require a dial-up
password to gain access to a gateway system. To set up dial-up passwords, see “How
to Create a Dial-Up Password” on page 65.
Two files are involved in creating a dial-up password, /etc/dialups and
/etc/d_passwd. The dialups file contains a list of ports that require a dial-up
password. The d_passwd file contains a list of shell programs that require an
encrypted password as the additional dial-up password. The information in these two
files is processed as follows:
■ If the user’s login shell in /etc/passwd matches an entry in /etc/d_passwd, the
user must supply a dial-up password.
■ If the user’s login shell in /etc/passwd is not found in /etc/d_passwd, the user
must supply the default password. The default password is the entry for
/usr/bin/sh.
■ If the login shell field in /etc/passwd is empty, the user must supply the default
password. The default password is the entry for /usr/bin/sh.
■ If /etc/d_passwd has no entry for /usr/bin/sh, then those users whose login
shell field in /etc/passwd is empty or does not match any entry in
/etc/d_passwd are not prompted for a dial-up password.
■ Dial-up logins are disabled if /etc/d_passwd has the /usr/bin/sh:*: entry
only.
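The following Python lookup is an added example, not code from the Sun guide: it encodes the five rules above so an administrator can check what a proposed /etc/d_passwd actually enforces for a given port and login shell. The file contents are constructed samples and the PLACEHOLDER_* strings stand in for encrypted passwords; only the "*" entry keeps its real meaning, a password that nothing can match.

```python
"""Resolve which dial-up password, if any, a login on a given port must supply.

Added example, not code from the Sun guide. It implements the rules the text
gives for /etc/dialups and /etc/d_passwd. SAMPLE_* contents are constructed and
the PLACEHOLDER_* strings stand in for encrypted passwords.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

DEFAULT_SHELL = "/usr/bin/sh"   # its d_passwd entry is the default dial-up password

# Constructed /etc/dialups: one port that requires a dial-up password per line.
SAMPLE_DIALUPS = """\
/dev/term/a
/dev/term/b
"""

# Constructed /etc/d_passwd: login-shell:encrypted-password: per line.
SAMPLE_D_PASSWD = """\
/usr/bin/sh:PLACEHOLDER_SH:
/usr/bin/ksh:PLACEHOLDER_KSH:
"""


@dataclass(frozen=True)
class DialupCheck:
    prompted: bool                   # is a dial-up password requested at all?
    entry: Optional[str] = None      # d_passwd shell whose password applies
    locked: bool = False             # applicable entry is "*": no password can match


def parse_dialups(text: str) -> Set[str]:
    """Set of ports listed in /etc/dialups (comments and blank lines ignored)."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def parse_d_passwd(text: str) -> Dict[str, str]:
    """Map login shell -> encrypted password; malformed lines are ignored."""
    table: Dict[str, str] = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        fields = ln.split(":")
        if len(fields) >= 2 and fields[0]:
            table[fields[0]] = fields[1]
    return table


def dialup_check(port: str, login_shell: str,
                 dialups: Set[str], d_passwd: Dict[str, str]) -> DialupCheck:
    """Apply the guide's rules for one login attempt."""
    if port not in dialups:                      # port not listed: no dial-up password
        return DialupCheck(prompted=False)
    shell = login_shell or DEFAULT_SHELL         # empty shell field: default entry
    if shell not in d_passwd:                    # shell not in d_passwd: default entry
        shell = DEFAULT_SHELL
    if shell not in d_passwd:                    # no /usr/bin/sh entry: not prompted
        return DialupCheck(prompted=False)
    return DialupCheck(prompted=True, entry=shell, locked=(d_passwd[shell] == "*"))


def dialups_disabled(d_passwd: Dict[str, str]) -> bool:
    """True when d_passwd holds only the /usr/bin/sh:*: entry, which disables dial-up logins."""
    return d_passwd == {DEFAULT_SHELL: "*"}


if __name__ == "__main__":
    ports, table = parse_dialups(SAMPLE_DIALUPS), parse_d_passwd(SAMPLE_D_PASSWD)
    for port, shell in [("/dev/term/a", "/usr/bin/ksh"), ("/dev/term/a", "/usr/bin/csh"),
                        ("/dev/term/b", ""), ("/dev/console", "/usr/bin/ksh")]:
        print(port, repr(shell), dialup_check(port, shell, ports, table))
```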
Controlling Access to Devices
Peripheral devices that are attached to a computer system pose a security risk.
Microphones can pick up conversations and transmit them to remote systems.
CD-ROMs can leave their information behind for reading by the next user of the
CD-ROM device. Printers can be accessed remotely. Devices that are integral to the
system can also present security issues. For example, network interfaces such as hme0
are considered integral devices.
Solaris software provides two methods of controlling access to devices. Device policy
restricts or prevents access to devices that are integral to the system. Device policy is
enforced in the kernel. Device allocation restricts or prevents access to peripheral
devices. Device allocation is enforced at user allocation time.
Device policy uses privileges to protect selected devices in the kernel. For example, the
device policy on network interfaces such as hme requires all privileges for reading or
writing.
Device allocation uses authorizations to protect peripheral devices, such as printers or
microphones. By default, device allocation is not enabled. Once enabled, device
allocation can be configured to prevent the use of a device or to require authorization
for access to the device. When a device is allocated for use, no other user can access
the device until the current user deallocates it.
A Solaris system can be configured in several areas to control access to devices:
■ Set device policy – In the Solaris 10 release, you can require that the process that is
accessing a particular device be running with a set of privileges. Processes without
those privileges cannot use the device. At boot time, Solaris software configures
device policy. Third-party drivers can be configured with device policy during
installation. After installation, you, as the system administrator, can add device
policy to a device.
■ Make devices allocatable – When you enable device allocation, you can restrict the
use of a device to one user at a time. You can further require that the user fulfill
some security requirements. For example, you can require that the user be
authorized to use the device.
■ Prevent devices from being used – You can prevent the use of a device, such as a
microphone, by any user on a computer system. A computer kiosk might be a good
candidate for making certain devices unavailable for use.
■ Confine a device to a particular zone – You can assign the use of a device to a
non-global zone. For more information, see “Device Use in Non-Global Zones” in
System Administration Guide: Solaris Containers-Resource Management and Solaris
Zones. For a more general discussion of devices and zones, see “Configured
Devices in Zones” in System Administration Guide: Solaris Containers-Resource
Management and Solaris Zones.
Device Policy (Overview)
The device policy mechanism enables you to specify that processes that open a device
require certain privileges. Devices that are protected by device policy can only be
accessed by processes that are running with the privileges that the device policy
specifies. The Solaris OS provides default device policy. For example, network
interfaces such as hme0 require that the processes that access the interface be running
with the net_rawaccess privilege. The requirement is enforced in the kernel. For
more information about privileges, see “Privileges (Overview)” on page 184.
In earlier Solaris OS releases, device nodes were protected by file permissions alone.
For example, devices owned by group sys could be opened only by members of
group sys. In the Solaris 10 release, file permissions do not predict who can open a
device. Instead, devices are protected with file permissions and with device policy. For
example, the /dev/ip file has 666 permissions. However, the device can only be
opened by a process with the appropriate privileges.
The configuration of device policy can be audited. The AUE_MODDEVPLCY audit event
records changes in device policy.
For more information about device policy, see the following:
■ “Configuring Device Policy (Task Map)” on page 78
■ “Device Policy Commands” on page 91
■ “Privileges and Devices” on page 191
Device Allocation (Overview)
The device allocation mechanism enables you to restrict access to a peripheral device,
such as a CD-ROM. You manage the mechanism locally. If device allocation is not
enabled, peripheral devices are protected only by file permissions. For example, by
default, peripheral devices are available for the following uses:
■ Any user can read and write to a diskette or CD-ROM.
■ Any user can attach a microphone.
■ Any user can access an attached printer.
Device allocation can restrict a device to authorized users. Device allocation can also
prevent a device from being accessed at all. A user who allocates a device has
exclusive use of that device until the user deallocates the device. When a device is
deallocated, device-clean scripts erase any leftover data. You can write a device-clean
script to purge information from devices that do not have a script. For an example, see
“Writing New Device-Clean Scripts” on page 98.
Attempts to allocate a device, deallocate a device, and list allocatable devices can be
audited. The audit events are part of the ot audit class.
For more information on device allocation, see the following:
■ “Managing Device Allocation (Task Map)” on page 81
■ “Device Allocation” on page 92
■ “Device Allocation Commands” on page 93
Controlling Access to Machine Resources
As system administrator, you can control and monitor system activity. You can set
limits on who can use what resources. You can log resource use, and you can monitor
who is using the resources. You can also set up your machines to minimize improper
use of resources.
Limiting and Monitoring Superuser
Your system requires a root password for superuser access. In the default
configuration, a user cannot remotely log in to a system as root. When logging in
remotely, a user must log in with the user’s user name and then use the su command
to become root. You can monitor who has been using the su command, especially
those users who are trying to gain superuser access. For procedures that monitor
superuser and limit access to superuser, see “Monitoring and Restricting Superuser
(Task Map)” on page 72.
Configuring Role-Based Access Control to Replace Superuser
Role-based access control, or RBAC, is designed to limit the capabilities of superuser.
Superuser, the root user, has access to every resource in the system. With RBAC, you
can replace root with a set of roles with discrete powers. For example, you can set up
one role to handle user account creation, and another role to handle system file
modification. When you have established a role to handle a function or set of
functions, you can remove those functions from root’s capabilities.
Each role requires that a known user log in with their user name and password. After
logging in, the user then assumes the role with a specific role password. As a
consequence, someone who learns the root password has limited ability to damage
your system. For more on RBAC, see “Role-Based Access Control (Overview)”
on page 175.
Preventing Unintentional Misuse of Machine Resources
You can prevent yourself and your users from making unintentional errors in the
following ways:
■ You can keep from running a Trojan horse by correctly setting the PATH variable.
■ You can assign a restricted shell to users. A restricted shell prevents user error by
steering users to those parts of the system that the users need for their jobs. In fact,
through careful setup, you can ensure that users access only those parts of the
system that help the users work efficiently.
■ You can set restrictive permissions on files that users do not need to access.
Setting the PATH Variable
You should take care to correctly set the PATH variable. Otherwise, you can
accidentally run a program that was introduced by someone else. The intruding
program can corrupt your data or harm your system. This kind of program, which
creates a security hazard, is referred to as a Trojan horse. For example, a substitute su
program could be placed in a public directory where you, as system administrator,
might run the substitute program. Such a script would look just like the regular su
command. Because the script removes itself after execution, you would have little
evidence to show that you have actually run a Trojan horse.
The PATH variable is automatically set at login time. The path is set through the
startup files: .login, .profile, and .cshrc. When you set up the user search path
so that the current directory (.) comes last, you are protected from running this type
of Trojan horse. The PATH variable for superuser should not include the current
directory at all.
The Automated Security Enhancement Tool (ASET) examines the startup files to
ensure that the PATH variable is set up correctly. ASET also ensures that the PATH
variable does not contain a dot (.) entry.
Assigning a Restricted Shell to Users
The standard shell allows a user to open files, execute commands, and so on. The
restricted shell limits the ability of a user to change directories and to execute
commands. The restricted shell is invoked with the /usr/lib/rsh command. Note
that the restricted shell is not the remote shell, which is /usr/sbin/rsh. The
restricted shell differs from the standard shell in the following ways:
■ The user is limited to the user’s home directory, so the user cannot use the cd
command to change directories. Therefore, the user cannot browse system files.
■ The user cannot change the PATH variable, so the user can use only commands in
the path that is set by the system administrator. The user also cannot execute
commands or scripts by using a complete path name.
■ The user cannot redirect output with > or >>.
The restricted shell enables you to limit a user’s ability to stray into system files. The
shell creates a limited environment for a user who needs to perform specific tasks. The
restricted shell is not completely secure, however, and is only intended to keep
unskilled users from inadvertently doing damage.
For information about the restricted shell, use the man -s1m rsh command to see the
rsh(1M) man page.
A more secure alternative to the restricted shell is the ssh command in Solaris Secure
Shell. Solaris Secure Shell enables users to securely access a remote host over an
unsecured network. For information about using Solaris Secure Shell, see Chapter 19.
Restricting Access to Data in Files
Because the Solaris OS is a multiuser environment, file system security is the most
basic security risk on a system. You can use traditional UNIX file protections to protect
your files. You can also use the more secure access control lists (ACLs).
You might want to allow some users to read some files, and give other users
permission to change or delete some files. You might have some data that you do not
want anyone else to see. Chapter 6 discusses how to set file permissions.
Restricting setuid Executable Files
Executable files can be security risks. Many executable programs have to be run as
root, that is, as superuser, to work properly. These setuid programs run with the
user ID set to 0. Anyone who is running these programs runs the programs with the
root ID. A program that runs with the root ID creates a potential security problem if
the program was not written with security in mind.
Except for the executables that Sun ships with the setuid bit set to root, you should
disallow the use of setuid programs. If you cannot disallow the use of setuid
programs, then you should at least restrict their use. Secure administration requires
few setuid programs.
For more information, see “Preventing Executable Files From Compromising Security”
on page 130. For procedures, see “Protecting Against Programs With Security Risk
(Task Map)” on page 143.
Using the Automated Security Enhancement Tool
The ASET security package provides automated administration tools that enable you
to control and monitor your system’s security. ASET provides three security levels:
low, medium, and high. You specify an ASET security level. At each higher level,
ASET’s file-control functions increase to reduce file access and tighten your system’s
security. For more information, see Chapter 7.
Using the Solaris Security Toolkit
While ASET can be used to make a small number of security changes to a system, the
Solaris Security Toolkit provides a flexible and extensible mechanism to minimize,
harden, and secure a Solaris system. The Solaris Security Toolkit, informally known as
the JASS toolkit, is a tool that enables the user to perform security modifications to a
system. The tool can provide a report on the security status of a system. The tool also
has the ability to undo previous runs of the tool. The JASS toolkit can be downloaded
from the Sun web site, http://wwws.sun.com/security/jass. The web site
contains pointers to online documentation.
The toolkit is described in detail in Securing Systems with the Solaris Security Toolkit, by
Alex Noordergraaf and Glenn Brunette, ISBN 0-13-141071-7, June 2003. The book is
part of the Sun BluePrints Series, which is published by Sun Microsystems Press.
Using Solaris Resource Management Features
Solaris software provides sophisticated resource management features. Using these
features, you can allocate, schedule, monitor, and cap resource use by applications in a
server consolidation environment. The resource controls framework enables you to set
constraints on system resources that are consumed by processes. Such constraints help
to prevent denial-of-service attacks by a script that attempts to flood a system’s
resources.
With Solaris resource management features, you can designate resources for particular
projects. You can also dynamically adjust the resources that are available. For more
information, see Part I, “Resource Management,” in System Administration Guide:
Solaris Containers-Resource Management and Solaris Zones.
Using Solaris Zones
Solaris zones provide an application execution environment in which processes are
isolated from the rest of the system within a single instance of the Solaris OS. This
isolation prevents processes that are running in one zone from monitoring or affecting
processes that are running in other zones. Even a process running with superuser
capabilities cannot view or affect activity in other zones.
Solaris zones are ideal for environments that place several applications on a single
server. For more information, see Part II, “Zones,” in System Administration Guide:
Solaris Containers-Resource Management and Solaris Zones.
Monitoring Use of Machine Resources
As a system administrator, you need to monitor system activity. You need to be aware
of all aspects of your machines, including the following:
■ What is the normal load?
■ Who has access to the system?
■ When do individuals access the system?
■ What programs normally run on the system?
With this kind of knowledge, you can use the available tools to audit system use and
monitor the activities of individual users. Monitoring is very useful when a breach in
security is suspected. For more information on the auditing service, see Chapter 27.
Monitoring File Integrity
As a system administrator, you need assurance that the files that were installed on the
systems that you administer have not changed in unexpected ways. In large
installations, a comparison and reporting tool about the software stack on each of your
systems enables you to track your systems. The Basic Audit Reporting Tool (BART)
50 System Administration Guide: Security Services • December 2005
Another Random Scribd Document
with Unrelated Content
“We must find our way back. Can you do that, Abe?”
“Of course I can,” he assured stoutly. “Just you trust me.”
Then once more he did his best to reassure her, and after a while
succeeded in calming her somewhat. To his relief, she did not cry or
become hysterical. Over and over the boy assured her that he could
find the way back without the least trouble, and after a while he
must have convinced her this was true.
“You’re so brave, Abe,” she half smiled.
“Brave!” he exclaimed. “Me! I reckon you don’t know me! Why, I
ain’t brave at all! I’m just the biggest coward that ever lived.”
She shook her head.
“Don’t tell me that,” she said. “I know better. You’re just as brave as
you can be.”
“Well, I never knowed it before,” he said wonderingly. “If I am brave,
it is something I never found out about myself. My, but I was scared
when I saw that horse run!”
“What will Dick think when he finds us gone?”
“Oh, he will foller us, he will foller us,” nodded the boy. “Don’t you
worry about that. We’ll meet him coming.”
“But I will never dare mount that horse again.”
“Course you won’t. You will take my horse. I will ride that critter. Just
let him try to run with me!” He said this as if he really fancied he
could control the animal in case it attempted to run away with him.
The horses were submissive enough while the hunchback removed
and changed their saddles. The animal that had lately seemed crazy
and frantic with fear was now calm and docile. Apparently the
furious run had worked off the effect of the loco weed.
After a while, Abe did what he could to assist Felicia to mount, and
then managed to scramble and pull himself with no small difficulty to
the back of the other horse. They turned their animals to retrace the
course over which they had come. This, however, was to prove no
small task, for the runaway had twisted and turned in a score of
different directions during its flight; and, shortly after entering the
hills, Abe found himself quite bewildered as to the proper course
they should pursue. This fact, however, he tried to conceal from
Felicia, knowing it would add to her alarm. So they rode on and on
until finally they came to a tiny stream that lay in the little hollows of
a broad watercourse. There they found water for themselves and
horses.
Now, for the first time, Felicia began to suspect that they were not
retracing the course over which they had come.
“I don’t remember this place,” she said.
“Of course you don’t,” put in Abe quickly. “It’s a wonder you
remember anything. By jing! you must ’a’ been awful scart when
that horse was running so. Course you didn’t notice much of
anything else.”
“But are you sure, Abe—are you sure we’re taking the right course?”
“Just you leave it to me,” nodded the hunchback.
“But what if we should miss Dick? If we should not find him, what
would become of us, Abe? We might starve here, perish from thirst,
or be killed by Indians or something.”
Abe did his best to laugh reassuringly.
“Don’t you go to getting all fussed up that way. We’re all right. Let’s
hurry up now, for it is getting late.”
It was getting late. The sun hung low in the west and the afternoon
was far spent. In the boy’s heart there was a great fear that night
would come upon them and find them alone in that wild region.
When they sought to push on, the horses barely crept forward,
having been badly used up by the mad flight and pursuit.
Lower and lower sank the great golden sun.
“Abe,” said Felicia, at last, her face pale and drawn, “we’re lost.
Don’t try to deceive me; I know it.”
“Mebbe we are turned round some,” he admitted. “But that ain’t any
reason why you should get frightened. There are lots of mining
camps pretty near here. And even if we don’t find Dick—which we
shall—we will be just sure to find a town.”
The girl’s chin quivered, and it was with no small difficulty that she
kept back her tears. Finally, as the sun dropped behind the western
ranges, the horses seemed to give out entirely, refusing to proceed
farther.
“No use, Abe!” murmured Felicia. “We may as well give up and stop
right here to-night.”
“I am just awful sorry,” murmured the boy; “but don’t you be afraid.
I will guard you. I will watch you all night long. There shan’t
anything touch you, I tell you that.”
They were in a long, shallow valley where there was some scanty
herbage, and the horses were permitted to find such grazing as they
could. The western sky glowed with glorious colors, which gradually
faded and passed away, after the bright, silvery stars gleamed forth,
and the heat of the day passed before the night was fairly on them.
Felicia lay down in the silence, gazing up at the millions of stars
above them. Abe sat near, wondering what he could do to reassure
her. At length he thought of his fiddle and pulled it round from his
back, where it hung. Lifting the loop of the cord over his head, he
held the fiddle to his bosom, softly patting and caressing it. After a
time, he found his rosin and applied it to the bow. Then he put the
instrument in tune and began to play.
The music was soft, and sweet, and soothing, like the lullaby of a
mother over a sleeping child. With this sound throbbing in her ears,
Felicia finally slept. When he knew she was fast asleep, the boy
slipped off his coat and spread it over her shoulders.
The silence of the night was awesome, and he felt keenly the lonely
desolation of their situation. So again he lifted the fiddle to his chin,
and again it throbbed with such a soft, sweet melody that even the
twinkling stars seemed bending to listen.
Solaris 9 Security Ashish Daniel Wilfred Niit Corporation
CHAPTER XX.
THE FINDING OF THE BABES.
“Get up yere, pard,” said one of the two men who were standing
guard over Macklyn Morgan’s bivouac. “I sure hears some queer sort
of a wild critter a-yowling out yander.”
Morgan himself had been eager to push forward through the night
toward Merriwell’s valley, but the men lately released from the
custody of Pete Curry were exhausted by their tramp and refused at
nightfall to proceed farther. Therefore, it had been necessary for the
party to divide or to stop where they were and make camp. The
latter course had been decided upon.
Not feeling positive that Curry and his comrades would not follow
them, Morgan had given orders for two of the men to remain
constantly on guard through the night. Of course the guard was to
be changed at intervals. Now, shortly after nightfall, one of the
original two appointed to watch over the camp called his comrade
for the purpose of listening to certain strange sounds which came to
his ears through the darkness.
They advanced cautiously to the top of a ridge, where they halted
and stood listening. The sounds could be faintly heard now and
then.
“Whatever does yer make of it, partner?” asked the one who had
first heard them.
“Mighty quar sounds for a wild critter to make,” declared the other.
“Just what I thought. More like some sort o’ music.”
“That’s it. Dinged if it ain’t something like a fiddle!”
“Mebbe we’d better nose out that way and see if we can diskeever
what it is.”
“We leaves the camp onprotected.”
“Only for a short time. There won’t anything happen, partner. This
yere standing guard is all foolishness, anyhow.”
“I reckon you’re right.”
“Then come on.”
Together they advanced in the direction from which the strange
sounds seemed to proceed. As they made their way slowly and
cautiously into the valley they were able to hear those sounds more
and more distinctly, and before long both were satisfied that it was
indeed a fiddle.
“Well, wouldn’t that chaw yer up!” muttered one. “Whoever does yer
reckon is a-playing a fiddle out yere?”
“You have got me.”
“Well, we will certain find out. Have your gun ready, pard, in case we
runs into a muss.”
Pretty soon they saw through the starlight two horses grazing
unhobbled and unpicketed.
“Only two,” whispered one of the men. “We are as many as they be.”
“Whar are they?”
The violin was silent now, and they remained crouching and awaiting
until it began again. It led them straight to the spot where little Abe
sat playing beside the sleeping girl. So absorbed was he in his
music, with his head bowed over the violin, that he failed to observe
the approach of the men until they were right beside him and one of
them stooped and took him by the shoulder. With a cry of terror, the
boy sprang up.
Felicia awoke in great alarm and sat up, staring bewildered at Abe
and the two men.
“Oh, ho!” said one of the guards. “What is this we finds? It is a
strange bird we diskeevers.”
“There’s two,” said the other. “And, by smoke, t’other one is a gal!”
“Don’t you touch her!” shrilly screamed the boy. “Don’t you put a
hand on her!”
He endeavored to jerk himself from the grip of the man who had
seized him, but the strong hand held him fast.
“Whatever is the use to jump around this yere way?” said the man.
“We ain’t a-hurting you none. Don’t git so excited-like. Mebbe it’s a
right good thing we finds ye yere.”
“Who are they, Abe? Who are they?” whispered Felicia.
“I dunno,” confessed the boy, filled with regret and despair at his
own carelessness in permitting the men to come upon them in such
a manner while he was absorbed in his playing. “But they shan’t hurt
yer. I won’t let um.”
“Mebbe you tells us what you’re doing yere, you two kids,”
suggested one of the men.
“We’re jest lost,” said Abe.
“Only that?” laughed the man. “Well, that sure is nothing much.
Perhaps if we don’t find yer you stays lost. Where did yer get lost
from?”
“Oh, I know you won’t hurt us!” said Felicia quickly. “Why should
you? We can’t hurt any one. My horse was frightened and ran away.
Abe tried to catch him. That was how we got separated from Dick
and the others.”
“Dick! Who is this yere Dick?”
Before Abe could check her, Felicia answered.
“Why, Dick Merriwell!”
“Hey?” ejaculated one of the men. “Merriwell! Why, I sure opines
that name is a heap familiar. Dick Merriwell! Mebbe you means Frank
Merriwell?”
“No! no! I mean Dick Merriwell, his brother.”
“His brother?” burst from both of the men.
“Yes,” said Felicia.
“Then he has a brother, has he? Well, this is right interesting and no
mistake.”
“You bet it is!” ejaculated the other. “Where is this yere Dick
Merriwell, Hunchy?”
It was the old hateful name which Abe detested, and his soul
revolted against it.
“Don’t you call me Hunchy!” he shrilly exclaimed. “I won’t be called
Hunchy!”
In his excitement he actually bristled at the ruffian.
“Ho! ho!” laughed the other man. “What do yer think of that,
partner? Why, he is going ter soak me one.”
“Ho! ho!” came hoarsely. “That’s what he is. Don’t let him hit yer
hard, for he’ll sure fix yer!”
The one who had addressed Abe as “Hunchy” now removed his hat
and made a profound bow.
“I begs yer pardon, your royal highness,” he said. “If I treads on the
tail of yer coat any, I hopes you excuses me. I am not counting to
rile you up any, for I reckon you might be a whole lot dangerous.”
Abe knew this was said in derision, but he muttered:
“I won’t have anybody calling me Hunchy no more. Don’t you forget
that!”
Felicia was clinging to the cripple now, and he could feel her
trembling. He put one of his long arms about her and sought to
reassure her by a firm pressure.
“If I hasn’t offended your highness,” said the man who had asked
the question, “perhaps you tells me now where this Dick Merriwell
is?”
“Don’t tell him, Abe!” whispered the girl. “They are bad men. I’m
afraid of them.”
“I wist you could tell me,” said the boy. “I’d like ter find him myself.”
“Then he is somewhere yereabouts?”
“Don’t tell!” breathed Felicia again.
“I dunno ’bout that,” said Abe. “Mebbe he is two hundred miles away
now. I dunno.”
“Ef he is so fur, however is it you expects ter find him in a hurry?”
Barely a moment, did the boy hesitate, and then he declared:
“Why, he was a-going through to Californy on the train. We live
down on the Rio Verde. Our dad, he’s got a cattle ranch down there.
Yesterday we started out to go to Flagstaff. They wouldn’t let us go
alone, so we runned away. We thought mebbe we could find the
way there all right, but I guess we can’t.”
The two men looked at each other in the starlight and shook their
heads.
“Sounds fishy,” said one, immediately detecting that this statement
conflicted with the one made by Felicia.
“A whole lot,” agreed the other.
Felicia had gasped when she heard Abe fabricate so glibly. It was a
surprise to her, and she was almost sorry she had cautioned him not
to tell the facts to those men.
“Well, you certain is off the trail, kids, providing you’re bound for
Flagstaff. It’s right lucky we finds you. We takes you to the camp,
and mebbe your dad what you speaks of pays us well if we returns
you to him safe and sound. I opines he runs a pretty big ranch.”
“You bet,” said the boy quickly. “He’s got one of the biggest down
that way. He has jest heaps of cattle and keeps lots of
cowpunchers.”
“That being the case,” chuckled the man who had grasped the boy’s
shoulder, “he certain pays liberal when he gits his children back. Now
you two come along with us.”
He marched them along, one on either side, while his companion set
out to catch the grazing horses and bring them.
Felicia slipped from the man’s hand and again sought Abe’s side,
pressing close to him. In his ear she whispered:
“I am afraid we’re in awful trouble now, Abe. You remember the bad
men we saw in the valley before my horse ran. Perhaps these are
two of them.”
“Better be ketched by bad men than starve,” he returned, with an
effort to reassure her. “I have seen heaps of bad men before this,
and I am still alive.”
One of the horses was easily captured, but, to the surprise of the
man, the other one charged viciously at him. When he sought to get
at its head, the creature wheeled with a squeal and kicked wildly.
The man swore.
“What ails ye, drat yer?” he growled.
Then he released the docile animal and turned his attention to the
other.
To his astonishment, the creature was fierce as a raging lion. It
charged on him repeatedly, and he escaped only by the utmost
nimbleness. It squealed, and whirled, and kicked in all directions.
Apparently it fancied a thousand men were trying to capture it, and
its wild gyrations were exceedingly surprising, to say the least.
After a little, the man ran away when he found the opportunity and
stood at a distance, with his hands on his hips, watching the
cavorting creature.
“The dinged hoss is sure crazy!” he declared. “Why, it’s a-trying to
chew itself up, or kick itself to pieces. Never see but one critter act
that way before.”
“It’s locoed,” said Abe to the man with him.
Immediately this man called to his companion, saying:
“Let the beast alone. The kid says it’s locoed, and ef that’s so, I
reckon it’s no good to anybody.”
“Never see no locoed horse feed nateral like this one was,” returned
the other. “I opines the critter is just ugly, that’s all.”
But, suddenly uttering snorts and squeals, the horse went dashing
off into the distance, as if pursued by some frightful thing. Nor did it
stop until it had disappeared far, far away.
CHAPTER XXI.
THE LOTTERY OF DEATH.
Men were lying about on the ground, sleeping where they had
dropped. Picketed horses were grazing at a little distance. The most
of the men slept heavily, but one or two routed up as the guards
brought the boy and girl and the captured horse to the bivouac.
“Whatever has you there?” growlingly asked one of the men who
had awakened.
“Some lost children we finds near yere,” was the answer.
Macklyn Morgan, wrapped in his blanket, had also awakened. His
curiosity was aroused, and he flung off the blanket and got up.
“Children!” he said. “How does it happen that there are children in
this wretched region?”
One of the men explained how he had heard the sound of the fiddle,
which had led them to the boy and girl. He also repeated Abe’s
story, adding that it sounded “fishy.” The interest of Morgan was
redoubled at once. He immediately turned his attention to the
hunchback.
“Going to Flagstaff to meet Frank Merriwell’s brother, did you say?”
he questioned, attempting a kindly manner. “Seems to me that was
rather a crazy undertaking, my lad. And what is Frank Merriwell’s
brother doing in Flagstaff?”
“He jest said he was going there on his way to Californy,” declared
Abe, trying to stick to his original story and make it seem consistent.
“We hope to see him there.”
Felicia was silent; but she felt that Abe’s yarn was not believed by
the men.
“How did you happen to know this Dick Merriwell?” questioned
Morgan.
Abe started to reply, but faltered and stammered a little, whereupon
Felicia quickly said:
“I am his cousin.”
Instantly the man’s interest was redoubled.
“His cousin, eh?” he exclaimed. “Now we’re getting at it. Curtis, start
a fire. I want to look these children over.”
While the man thus ordered was complying Morgan continued to
question the girl and boy, but now his interest seemed centred in
Felicia.
“So you are also the cousin of Frank Merriwell?” he said. “Tell me
more about these two Merriwells. I have heard of Frank Merriwell,
and I consider him a most excellent young man. I admire him very
much.”
He endeavored to make his words sound sincere, but little Abe
fancied there was a false ring in them.
“You know Dick is Frank’s half-brother, sir,” said the girl. “He attends
school in the East. I was at school in the same place once, but the
climate didn’t agree with me, and so Frank sent me West for my
health.”
“Have you seen him lately?”
“Yes, sir.”
“When?”
“In Prescott, a few days ago. He was there, but some bad men
made a lot of trouble for him and he left.”
“This boy is your brother?” asked Morgan, indicating Abe.
“Why, yes, sir!” broke in Abe, quickly, seeing that Felicia would soon
be trapped. “I am a sort of brother; an adopted brother, you know.”
“Oh, that’s it?” said Morgan. “But if you were living on a ranch down
on the Rio Verde, how did you happen to be in Prescott when Frank
Merriwell was there?”
“Why, we jest went there. Dad he took us there,” hastily asserted
the hunchback, seeking to maintain the original deception.
“Is that true?” asked Morgan of Felicia.
She was silent.
“Of course it’s true!” indignantly exclaimed the boy.
“It seems to me that you are somewhat mixed, my child. Now, I
advise you to trust me. It will be the best thing you can do. I advise
you to tell me the truth. At this time we’re on our way to join Frank
Merriwell and help him to defend his new mines. He has many
enemies, you know. We might take you directly to him.”
“Oh, splendid!” exclaimed the girl, all her suspicions disarmed.
“Frank will be so glad! We thought, perhaps, you might be his
enemy; that’s why we were afraid of you.”
Macklyn Morgan forced a laugh, which he tried to make very
pleasant and reassuring.
“You see how wrong you were,” he said. “You see now that it’s a
mistake to try to deceive me. It’s best to tell me the truth and
nothing else. This story about living on a ranch—how about it?”
“Oh, Abe told you that when he thought you must be Frank’s
enemy,” said Felicia.
“Then it wasn’t quite true?”
“No, no.”
“And you were not on your way to Flagstaff to meet Dick Merriwell
there?”
“No; we left Prescott in company with Dick and some friends, who
were on their way to join Frank.”
Felicia hastened on and told the entire story.
Abe listened in doubt as to the wisdom of this, shaking his head a
little, but remaining silent.
“Now we’re getting at the facts,” smiled Morgan, as the fire was
started and its light fell on his face. “It’s much better for us all.”
He had assumed a free, benevolent, kindly expression, and to the
girl it seemed that he could not be deceiving them. Morgan
continued to question her until at length he learned everything he
desired.
“Now, my child,” he said, “just you rest easy. We will soon join Frank
Merriwell, and, of course, this brother of his with his friends will
arrive all right in due time.”
Morgan then stepped over to where one of the sleeping men lay and
aroused him.
“Wake up, Hackett,” he said, in a low tone. “Something mighty
important has taken place.”
He then told the man what had happened, and Hackett listened
attentively.
“It seems to me,” he said, “that these yere kids are going to be an
incumbrance on us.”
“That’s where you’re wrong,” asserted Morgan. “With the aid of
these children we ought to be able to bring Frank Merriwell to some
sort of terms.”
“I don’t see how, sir.”
“Why, it’s plain he thinks a lot of this girl. We have her. If that
doesn’t trouble him some, I am greatly mistaken.”
“Mebbe you’re right,” nodded Hackett. “I reckon I begin to see your
little game, Mr. Morgan. Let me look these yere kids over some.”
He arose and proceeded to the fire, in company with Morgan, who
cautioned him, however, to say little to the boy and girl, fearing
Hackett might make some observation that would betray the truth.
“She’s some pretty, sir,” said Gad, admiring Felicia; “though she’s
nothing but a kid. I reckon she makes a stunner when she gits
older.”
“Hush!” said Morgan. “That’s nothing to you.”
“Oh, I has an eye for female beauty!” grinned Hackett. “It’s nateral
with me.”
Suddenly, to their surprise, without the least warning, a man seemed
to rise from the ground a short distance away and walk straight
toward the fire. Hackett had his pistol out in a twinkling, but he
stood with mouth agape as he saw the newcomer was an old Indian,
about whose shoulders a dirty red blanket was draped. It was
Felicia, however, who was the most surprised, and a cry left her lips,
for she recognized old Joe Crowfoot.
Even as she uttered that cry the eyes of the old redskin shot her a
warning look that somehow silenced her. Without giving Hackett as
much as a glance, old Joe walked up to the fire, before which he
squatted, extending his hands to its warmth.
“Well, dern me, if that don’t beat the deck!” growled Hackett. “These
yere red wards of the government are a-getting so they makes
theirselves to home anywhere. And you never knows when they’re
around. Now, this yere one he pops right out o’ the ground like.”
Then he turned savagely on Joe.
“What are you prowling around yere for, you old vagrant?” he
demanded threateningly. “Who are you?”
Crowfoot rolled his little beady eyes up at the man.
“Heap flying bird,” he answered. “Go through air; go everywhere. Go
through ground. White man did him see red snake with horse’s
head? Injun ride on red snake like the wind.”
“What’s this jargon?” muttered Morgan.
“Hark!” warned the Indian, lifting a hand. “You hear the flying lizard
sing? See that big one up there. See um great green eyes.”
Then he stared straight upward, as if beholding something in the air.
Involuntarily both men looked upward, but they saw nothing above
them save the stars of the sky.
Felicia, who knew old Joe very well, was more than astonished by
his singular manner and remarkable words. Her first impulse had
been to spring up and greet him joyously, but the look from his black
eyes had stopped her. Now, as if she were a total stranger to him,
he gave her no attention. Suddenly he thumped himself on the
breast with his clinched fist.
“Injun him all iron!” he declared. “Him like pale-face iron horse.
When sun he comes up again Injun he go on white man’s iron track.
He blow smoke and fire and shriek same as iron horse.”
“Well, bat me, if the old whelp ain’t daffy!” exclaimed Hackett. “He’s
plumb off his nut, sure as shooting.”
“When Injun him lay down to sleep,” said Crowfoot, “many stars
come and jump like antelope over him. No let him sleep. Him try to
scare um away, but star no scare. Bimeby Injun he get sick. He get
up and run away. Then star chase um Injun.”
“You’re right, Hackett,” said Morgan. “He’s loony, for a fact.”
At this point one of the guards came walking up to the fire. The
moment his eyes fell on Crowfoot he uttered a shout that instantly
aroused every one of the sleeping men.
“By the great horn toads!” he exploded savagely; “that’s the old
skunk what drugged the whole bunch of us when Pete Curry nabbed
us! Whatever is he doing here?”
Without even looking up, Crowfoot began to chant a strange, doleful
song in his own language.
“The boys will certain salivate him,” asserted the guard, as the men
were rising and approaching the fire.
Old Joe apparently heard nothing and saw nothing. That singular
chant continued.
“He is dead loony,” said Hackett.
“Then mebbe he’s been taking some of his own dope,” growled the
guard. “The boys will knock some o’ his looniness out o’ him, you
bet!”
As the men gathered around, a number of them recognized the aged
redskin, and immediately there was a great commotion. Several
drew their weapons, and it seemed that Joe would be murdered on
the spot. With a scream of terror, Felicia flung herself before the old
man, to whom she clung.
“No! no! no!” she cried. “You shall not hurt him!”
In the excitement old Joe whispered in her ear:
“Keep still, Night Eyes. Um bad men no hurt Joe. Him touched by
Great Spirit. Nobody hurt um man touched by Great Spirit.”
This, then, was the old fellow’s scheme. This explained how it
happened that he dared venture into the nest of desperadoes.
Among the Indians of all tribes a deranged man is regarded with
awe as one who has felt the touch of the Great Spirit. No redskin will
harm a deranged person, believing the vengeance of the Great
Father must fall on whoever does such a thing. Shrewd as he was,
Crowfoot had not yet discovered that palefaces did not regard crazed
people with such a feeling of awe.
“Take the girl away,” roared several of the men. “Let us settle with
the old Injun.”
If Morgan thought of interfering, he was too late, for rude hands
seized Felicia and dragged her away, in spite of her struggles. She
cried and pleaded, but all her efforts were useless. Crowfoot paid no
attention to her, nor did he heed the threatening weapons in the
hands of the ruffians. Rising to his feet, he did a solemn dance
around the fire, at the same time continuing his doleful chant.
“That yere certain is a death dance for him,” muttered Hackett, who
realized that the men were aroused to a pitch at which they would
insist on wiping the fellow out.
“The black moon him soon come up,” said Joe, standing with one
hand outstretched as he finished his dance. “Then we see spirits of
many dead warriors chase um buffalo over it.”
“You will have a chance to take a chase with the rest o’ the bunch,”
snarled one of the men. “Stand back, boys, and watch me cook
him.”
“Hold on!” cried another, catching the man’s wrist. “I opine I am in
this yere.”
Immediately an argument arose as to which of them should have
the satisfaction of killing the Indian who had once fooled them so
thoroughly. While this was taking place Joe continued, apparently
oblivious of his danger, talking of flying horses and a dozen other
impossible creatures. He must have realized that his apparent
madness was making no impression on these men, but he seemed
determined to play the game through to the finish. At length, he
squatted again beside the fire, resuming his doleful chant.
By this time it had been settled that some one of the party should
have the privilege of shooting the Indian, for it was agreed that to
waste a number of bullets on him was folly. There was some
discussion as to the manner of choosing the slayer, but the
desperadoes finally decided on drawing lots.
Hackett, who took no part in this demand for the Indian’s life, was
chosen to prepare the lots, which he did. Then the men eagerly
pressed forward to draw. The one who drew the shortest piece was
to be the “fortunate” individual. All the while Crowfoot was guarded
by men with drawn and ready weapons. Had he made an effort to
get away he would have been riddled immediately.
Finally the lots were compared, and a half-blood Mexican, with
leathery skin, drooping mustache, deep-furrowed face, and matted
black hair, was the one who held the shortest piece. He laughed as
he displayed it.
“Stand back!” he cried, flashing a pistol and striding forward to
within four paces of the Indian. “I will settle him with one piece of
lead.”
Then, as this wretch lifted his weapon, old Joe realized at last that
his game had failed utterly. There was no escape for him. His long
life had led him at last to this, and he believed he stood at the
gateway of the happy hunting grounds. Had there been hope of
escape he would have made the attempt. Now, as he still crouched
by the fire, he drew his red blanket over his head, and from beneath
its muffling folds came the sad and doleful chant of the redman’s
death song.
The executioner stood fair and full in the firelight. He brought his
weapon to a level and a shot rang out. It was not he, however, who
fired. From somewhere near at hand a report sounded, and the
pistol flew from his hand as the bullet tore through his forearm. A
yell of pain escaped his lips.
Instantly the ruffians were thrown into the utmost confusion. Feeling
that they were about to be attacked, they hastened to get away
from the fire, the light of which must betray them to the enemy.
In spite of his age, like a leaping panther, old Joe shot to his feet.
With one hand he seized little Abe, whom he snatched clear of the
ground. And the next instant the old savage was running for his life.
Two or three shots were fired, but in the excitement Crowfoot was
untouched.
They were given no further time to turn their attention on him. From
out of the shadows came a single horseman, bearing straight down
upon them, his weapons flashing. The recklessness of this charge
and the astounding suddenness with which it came was too much
for the nerves of those men.
Felicia had been released by the man who was holding her as the
first shot was fired. This man pulled a weapon and fired once at the
shadowy horseman, after which he ran like a frightened antelope,
for a screaming bullet had cut his ear. It seemed that the horseman
meant to ride Felicia down. In her fear she stood still, as if turned to
stone, which was the best thing she could have done.
As he swept past her, the rider swung low to one side in the saddle,
and somehow one strong young hand grasped her and snatched her
from the ground. She felt herself lifted with such suddenness that
her breath seemed snapped away, and then she lay across the horse
in front of the rider, who now bent low over her.
Bullets whined, and whistled, and sang about them, but some good
fairy must have guarded them, for they were untouched. On they
went. The sounds of irregular shooting fell farther and farther behind
them.
Felicia had not fainted, although her senses swam and she seemed
on the verge of losing consciousness. She could not understand just
what had taken place. Suddenly her rescuer began to laugh, and a
strange, wild, boyish laugh it was. It thrilled her through and
through.
“Dick!” she gasped. “Oh, Dick!”
He straightened up and lifted her, holding her before him with one
strong arm.
“Felicia!” he exclaimed, “are you hurt?”
“Oh, Dick! Dick!” she repeated, in wonder. “And is it you?”
“You are not hurt?” he persisted in questioning.
“No, Dick—no.”
“Thank goodness!”
“But how was it? My head is swimming; I can’t understand. I am
dazed.”
“Well, I fancy I dazed those fine gentlemen a little,” said the boy.
“Felicia, I have been searching, searching everywhere for you. We
followed your trail as well as we could. When night came we had not
found you. I couldn’t rest. What fate it was that led me to those
ruffians I cannot say, but I believe the hand of Heaven was in it. In
their excitement over Crowfoot none of them heard my approach. I
was quite near when that brute lifted his weapon to shoot Joe. I
didn’t want to kill him, and I fired at his arm. It was a lucky shot, for
I hit him. He stood between me and the firelight, so that the light
fell on the barrel of my pistol. Crowfoot took his cue quickly enough,
for I saw him scamper.”
“How brave you are! How brave you are!” murmured the girl, in
untold admiration. “Oh, Dick, I can’t believe it now.”
“It was not such a brave thing, after all,” he said. “I suppose most
people would call it folly. But I had to do it. Why, old Joe saved my
life a dozen times when I used to hunt with him years ago. He loved
me as a father might love a son. You see it was impossible for me to
keep still and see him murdered. I had to do something to save him.
He can hide like a gopher on the open plain.”
“But Abe, Dick—Abe?”
“I saw Crowfoot snatch him up as he ran. We must leave Abe to old
Joe.”
“Listen, Dick! Are they pursuing us?”
“We have the start on them, Felicia, and I don’t believe they will be
able to overtake us if they try it.”
Through the night they rode. At the first opportunity Dick turned
from his course and doubled in a manner intended to baffle the
pursuers.
“It will be a long pull back to Bart and the others, Felicia,” he said;
“but I think we can make it all right. For all of the time I have spent
at school, I have not forgotten the lessons taught me by Crowfoot
when I was a mere kid. He taught me to set my course by the stars,
the wind, the trees, by a score of things. To-night our guide shall be
the stars.”
Brad Buckhart was worried and troubled greatly over Dick’s long
absence, and was on guard where they had camped as night fell.
The Texan tramped restlessly up and down, now and then pausing
to listen. The others slept. Wiley snored lustily and muttered in his
sleep.
“Avast, there!” he mumbled. “Put her to port, you lubber!”
Then, after snoring again in the most peaceful manner, he broke
out:
“Right over the corner of the pan, Breck, old boy. Let’s see you make
a home run off that bender!”
Brad moved still farther away that he might listen without being
disturbed by the sailor. Far in the night he seemed to hear a sound.
Kneeling, he leaned his ear close to the ground and listened
attentively.
“Horseman coming,” he decided. “It must be Dick—it must be!”
Finally the hoofbeats of the approaching horse became more and
more distinct. Then through the still, clear night came a clear, faint
whistle.
“Dick it is!” exclaimed the Texan joyously.
Dick it was, and with him he brought Felicia safely back to them.
They did not arouse the others, but she was wrapped in blankets
and left to sleep, if possible, through the remainder of the still, cool
night. Young Merriwell’s story filled the Texan with unbounded
astonishment and admiration. He seized Dick’s hand and shook it
with almost savage delight.
“Talk about a howling terror on ten wheels!” he exclaimed. “Why,
you simply beat the universe. You hear me gurgle! Now you just turn
in, for I reckon you’re a whole lot pegged out.”
“Well, sleep won’t hurt me if I can corral some of it,” acknowledged
Dick.
Brad continued to stand guard, thinking that later he would arouse
one of the others to take his place. His restlessness and worry had
passed somewhat, and after a time he sat down, thinking over the
startling things that had happened. It was thus that, exhausted
more than he knew, he finally slid to the ground and also slept. The
night passed without any of them being disturbed. But in the
morning the first man to awaken was Pete Curry, who sat up,
rubbing his eyes, and uttered a shout of astonishment. The
remaining sleepers awoke and started up.
What they saw astounded them no less than it had Curry, for on the
ground near at hand lay little Abe, with Joe Crowfoot’s dirty red
blanket tucked about him, and within three feet sat the redskin,
calmly and serenely smoking his pipe.
Dick flung off his blanket and was on his feet in a twinkling.
“Crowfoot!” he joyously cried, rushing forward with his arms
outstretched.
For one who complained of rheumatism and advancing age the
redskin rose with remarkable quickness. Usually stolid and indifferent
in manner, the look that now came to his wrinkled, leathery face was
one of such deep feeling and affection that it astounded every one
but himself. The old man clasped Dick in his arms as a father might
a long-lost son. To Curry and his companions this was a most
singular spectacle. Curry had seized a weapon on discovering
Crowfoot. He did not use it when the old fellow remained silent and
indifferent after his shout of astonishment and alarm.
That the boy should embrace the Indian in such an affectionate
manner seemed almost disgusting to Curry and his assistants, all
three of whom held Indians in the utmost contempt. For a moment
it seemed that the old man’s heart was too full for speech. Finally,
with a strange tenderness and depth of feeling in his voice, he said:
“Injun Heart, Great Spirit heap good to old Joe! He let him live to
see you some more. What him eyes see make him heart swell with
heap big gladness. Soon him go to happy hunting ground; now him
go and make um no big kick ’bout it.”
“Joe, I have longed to see you again,” declared Dick, his voice
unsteady and a mist in his eyes. “Sometimes my heart has yearned
for the old days with you on the plains and amid the mountains. I
have longed to be with you again, hunting the grizzly, or sleeping in
the shade by a murmuring brook and beneath whispering trees.
Then you taught me the secrets of the wild animals and the birds. I
have forgotten them now, Joe. I can no longer call the birds and tiny
animals of the forest to me. In that way I am changed, Joe; but my
heart remains the same toward you, and ever will.”
Now the old redskin held Dick off by both shoulders and surveyed
him up and down with those beady eyes, which finally rested on the
boy’s handsome face with a look of inexpressible admiration.
“Heap fine! Heap fine!” said the old man. “Joe him know it. Joe him
sure you make great man. Joe him no live to see you have whiskers
on um face, but you sure make great man. Joe him getting heap
close to end of trail. Rheumatism crook him and make um swear
sometime.”
“Don’t talk about getting near the end of the trail, Crowfoot,”
laughed Dick, whose heart was full of delight over this meeting. “You
old hypocrite! I saw you last night! I saw you when you took to your
heels after I perforated the gentleman who contemplated cutting
your thread of life short. Rheumatism! Why, you deceptive old
rascal, you ran like a deer! If your rheumatism was very bad, you
couldn’t take to your heels in that fashion.”
Crowfoot actually grinned.
“Injun him have to run,” he asserted. “Bullets come fast and thick. If
Injun him run slow mebbe he get ketched by bullet.”
Little Abe had risen on one elbow, the blanket falling from his
shoulders, and watched the meeting between Dick and the old
savage. Felicia also was awakened, and now she came hastening
forward, her dark eyes aglow and a slight flush in her delicate
cheeks.
“Joe! Joe! have you forgotten me?” she asked.
The redskin turned at once and held out his hands to her.
“Night Eyes,” he said, with such softness that all save Dick and
Felicia were astonished, “little child of silent valley hid in mountains,
next to Injun Heart, old Joe him love you most. You good to old Joe.
Long time ’go Joe he come to valley hid in mountains and he sit by
cabin there. He see you play with Injun Heart. Warm sun shine in
valley through long, long day. All Joe do he smoked, and sat, and
watched. Bimeby when Night Eyes was very tired she come crawling
close up side old Joe and lean her head ’gainst Joe, and sleep shut
her eyes. Then old Joe him keep still. When Injun Heart he come
near old Joe, him say, ‘Sh-h!’ He hold up his hand; he say, ‘Keep
much still.’ Then mebbe Night Eyes she sleep and sleep, and sun he
go down, and birds they sing last good-night song, and stars shine
out, and old Joe him sit still all the time. Oh, he no forget—he no
forget!”
Somehow the simple words of the old redskin brought back all the
past, which seemed so very, very far away, and tears welled from
Felicia’s eyes.
“Oh, those were happy days, Joe—happy days!” she murmured. “I
fear I shall never be so happy again—never, never!”
“Oh, must be happy!” declared the old fellow. “Dick him make um
Night Eyes happy. Him look out for Night Eyes.”
“Just the same,” she declared, “I would give anything, anything, to
be back in that valley now, just as I was long, long ago.”
With his head cocked on one side, Cap’n Wiley had been watching
the meeting between the Indian and his young friends. Wiley now
turned to Buckhart and remarked:
“I am learning extensively in this variegated world. As the years roll
on my accumulation of knowledge increases with susceptible
rapidity. Up to the present occasion I have been inclined to think
that about the only thing a real Injun could be good for was for a
target. It seems to my acute perception that in this immediate
instance there is at least one exception to the rule. Although yonder
copper-hued individual looks somewhat scarred and weather-beaten,
I observe that Richard Merriwell hesitates in no degree to embrace
him. Who is the old tike, mate?”
“Why, old Joe Crowfoot!” answered Brad. “The only Indian I ever
saw of his kind.”
Immediately Wiley approached old Joe, walking teeteringly on the
balls of his feet, after his own peculiar fashion, made a salute, and
exclaimed:
“I salute you, Joseph Crowfoot, Esquire, and may your shadow never
grow less. May you take your medicine regularly and live to the ripe
round age of one hundred years. Perhaps you don’t know me.
Perhaps you haven’t heard of me. That is your misfortune. I am
Cap’n Wiley, a rover of the briny deep and a corking first-class
baseball player. Ever play baseball, Joe, old boy? It’s a great game.
You would enjoy it. In my mind’s eye I see you swing the bat like a
war club and swat the sphere hard enough to dent it. Or perchance
you are attempting to overhaul the base runner, and I see him
fleeing wildly before you, as if he fancied you were reaching for his
scalp locks.”
“Ugh!” grunted old Joe. “No know who um be; but know heap good
name for um. Joe he give you name. He call you Wind-in-the-head.”
At this the others, with the exception of Wiley himself, laughed
outright. The sailor, however, did not seem at all pleased.
“It’s plain, Joseph,” he observed, “that you have a reckless little habit
of getting gay occasionally. Take my advice and check that habit
before it leads you up against a colossal calamity.”
“Wind-in-the-head he talk heap many big words,” said the Indian.
“Mebbe sometime he talk big words that choke him.”
“That’s a choke, Wiley,” laughed Dick.
“And that certainly is the worst pun it has ever been my misfortune
to hear,” half sobbed the sailor. “One more like that would give me
heart failure. Did you ever hear of the time I had heart failure in that
baseball game with the Cleveland Nationals? Well, mates, it was——”
PDF
Complications of Minimal Access Surgery at WLH
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Anesthesia in Laparoscopic Surgery in India
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
Pharma ospi slides which help in ospi learning
Lesson notes of climatology university.
Trump Administration's workforce development strategy
STATICS OF THE RIGID BODIES Hibbelers.pdf
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Final Presentation General Medicine 03-08-2024.pptx
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
Chinmaya Tiranga quiz Grand Finale.pdf
Cell Structure & Organelles in detailed.
O7-L3 Supply Chain Operations - ICLT Program
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Abdominal Access Techniques with Prof. Dr. R K Mishra
Computing-Curriculum for Schools in Ghana
Complications of Minimal Access Surgery at WLH
Ad

Solaris 9 Security Ashish Daniel Wilfred Niit Corporation

  • 5. System Administration Guide: Security Services
    Sun Microsystems, Inc.
    4150 Network Circle
    Santa Clara, CA 95054 U.S.A.
    Part No: 816–4557–11
    December 2005
  • 6. Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries. U.S. Government Rights – Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, SunOS, Java, JumpStart, Trusted Solaris, Java, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Xylogics product is protected by copyright and licensed to Sun by Xylogics. Xylogics and Annex are trademarks of Xylogics, Inc., Portions of the software copyright 1996 by the Massachusetts Institute of Technology. All rights reserved. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. 
Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements. Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited. DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
  • 7. Contents
    Preface 23
    Part I Security Overview 27
    1 Security Services (Overview) 29
      System Security 29
      Solaris Cryptographic Services 30
      Authentication Services 31
      Authentication With Encryption 32
      Solaris Auditing 32
      Security Policy 33
    Part II System, File, and Device Security 35
    2 Managing Machine Security (Overview) 37
      Enhancements to Machine Security in the Solaris 10 Release 37
      Controlling Access to a Computer System 38
      Maintaining Physical Security 38
      Maintaining Login Control 39
      Controlling Access to Devices 44
      Device Policy (Overview) 45
      Device Allocation (Overview) 46
      Controlling Access to Machine Resources 46
      Limiting and Monitoring Superuser 46
      Configuring Role-Based Access Control to Replace Superuser 47
  • 8.
      Preventing Unintentional Misuse of Machine Resources 47
      Restricting setuid Executable Files 49
      Using the Automated Security Enhancement Tool 49
      Using the Solaris Security Toolkit 49
      Using Solaris Resource Management Features 50
      Using Solaris Zones 50
      Monitoring Use of Machine Resources 50
      Monitoring File Integrity 50
      Controlling Access to Files 51
      Protecting Files With Encryption 51
      Using Access Control Lists 51
      Sharing Files Across Machines 52
      Restricting root Access to Shared Files 52
      Controlling Network Access 52
      Network Security Mechanisms 53
      Authentication and Authorization for Remote Access 54
      Firewall Systems 55
      Encryption and Firewall Systems 56
      Reporting Security Problems 57
    3 Controlling Access to Systems (Tasks) 59
      Controlling System Access (Task Map) 59
      Securing Logins and Passwords (Task Map) 60
      Securing Logins and Passwords 60
      ▼ How to Display a User’s Login Status 61
      ▼ How to Display Users Without Passwords 62
      ▼ How to Temporarily Disable User Logins 62
      ▼ How to Monitor Failed Login Attempts 63
      ▼ How to Monitor All Failed Login Attempts 64
      ▼ How to Create a Dial-Up Password 65
      ▼ How to Temporarily Disable Dial-Up Logins 67
      Changing the Password Algorithm (Task Map) 67
      Changing the Default Algorithm for Password Encryption 68
      ▼ How to Specify an Algorithm for Password Encryption 68
      ▼ How to Specify a New Password Algorithm for an NIS Domain 69
      ▼ How to Specify a New Password Algorithm for an NIS+ Domain 70
      ▼ How to Specify a New Password Algorithm for an LDAP Domain 70
      ▼ How to Install a Password Encryption Module From a Third Party 71
    System Administration Guide: Security Services • December 2005
  • 9.
      Monitoring and Restricting Superuser (Task Map) 72
      Monitoring and Restricting Superuser 72
      ▼ How to Monitor Who Is Using the su Command 72
      ▼ How to Restrict and Monitor Superuser Logins 73
      SPARC: Controlling Access to System Hardware (Task Map) 74
      Controlling Access to System Hardware 75
      ▼ How to Require a Password for Hardware Access 75
      ▼ How to Disable a System’s Abort Sequence 76
    4 Controlling Access to Devices (Tasks) 77
      Configuring Devices (Task Map) 77
      Configuring Device Policy (Task Map) 78
      Configuring Device Policy 78
      ▼ How to View Device Policy 78
      ▼ How to Change the Device Policy on an Existing Device 79
      ▼ How to Audit Changes in Device Policy 80
      ▼ How to Retrieve IP MIB-II Information From a /dev/* Device 81
      Managing Device Allocation (Task Map) 81
      Managing Device Allocation 82
      ▼ How to Make a Device Allocatable 82
      ▼ How to Authorize Users to Allocate a Device 83
      ▼ How to View Allocation Information About a Device 84
      ▼ Forcibly Allocating a Device 84
      ▼ Forcibly Deallocating a Device 85
      ▼ How to Change Which Devices Can Be Allocated 85
      ▼ How to Audit Device Allocation 86
      Allocating Devices (Task Map) 87
      Allocating Devices 87
      ▼ How to Allocate a Device 87
      ▼ How to Mount an Allocated Device 88
      ▼ How to Deallocate a Device 90
      Device Protection (Reference) 91
      Device Policy Commands 91
      Device Allocation 92
    5 Using the Basic Audit Reporting Tool (Tasks) 99
      Basic Audit Reporting Tool (Overview) 99
  • 10.
      BART Features 100
      BART Components 100
      Using BART (Task Map) 102
      Using BART (Tasks) 103
      BART Security Considerations 103
      ▼ How to Create a Manifest 104
      ▼ How to Customize a Manifest 106
      ▼ How to Compare Manifests for the Same System Over Time 109
      ▼ How to Compare Manifests From a Different System With the Manifest of a Control System 112
      ▼ How to Customize a BART Report by Specifying File Attributes 114
      ▼ How to Customize a BART Report by Using a Rules File 115
      BART Manifest, Rules File, and Reporting (Reference) 116
      BART Manifest File Format 117
      BART Rules File Format 118
      BART Reporting 119
    6 Controlling Access to Files (Tasks) 121
      Using UNIX Permissions to Protect Files 121
      Commands for Viewing and Securing Files 121
      File and Directory Ownership 122
      UNIX File Permissions 123
      Special File Permissions (setuid, setgid and Sticky Bit) 123
      Default umask Value 125
      File Permission Modes 126
      Using Access Control Lists to Protect Files 128
      ACL Entries for Files 129
      ACL Entries for Directories 129
      Commands for Administering ACLs 130
      Preventing Executable Files From Compromising Security 130
      Protecting Files (Task Map) 131
      Protecting Files With UNIX Permissions (Task Map) 132
      ▼ How to Display File Information 132
      ▼ How to Change the Owner of a File 133
      ▼ How to Change Group Ownership of a File 134
      ▼ How to Change File Permissions in Symbolic Mode 135
      ▼ How to Change File Permissions in Absolute Mode 135
      ▼ How to Change Special File Permissions in Absolute Mode 137
  • 11.
      Protecting Files With ACLs (Task Map) 138
      ▼ How to Check if a File Has an ACL 138
      ▼ How to Add ACL Entries to a File 139
      ▼ How to Copy an ACL 140
      ▼ How to Change ACL Entries on a File 141
      ▼ How to Delete ACL Entries From a File 141
      ▼ How to Display ACL Entries for a File 142
      Protecting Against Programs With Security Risk (Task Map) 143
      ▼ How to Find Files With Special File Permissions 144
      ▼ How to Disable Programs From Using Executable Stacks 145
    7 Using the Automated Security Enhancement Tool (Tasks) 147
      Automated Security Enhancement Tool (ASET) 147
      ASET Security Levels 148
      ASET Task List 149
      ASET Execution Log 152
      ASET Reports 152
      ASET Master Files 155
      ASET Environment File (asetenv) 156
      Configuring ASET 156
      Restoring System Files Modified by ASET 159
      Network Operation With the NFS System 159
      ASET Environment Variables 160
      ASET File Examples 163
      Running ASET (Task Map) 165
      ▼ How to Run ASET Interactively 165
      ▼ How to Run ASET Periodically 166
      ▼ How to Stop Running ASET Periodically 167
      ▼ How to Collect ASET Reports on a Server 168
      Troubleshooting ASET Problems 169
      ASET Error Messages 169
    Part III Roles, Rights Profiles, and Privileges 173
    8 Using Roles and Privileges (Overview) 175
      Role-Based Access Control (Overview) 175
      RBAC: An Alternative to the Superuser Model 175
  • 12.
      Solaris RBAC Elements and Basic Concepts 177
      RBAC Authorizations 180
      Authorizations and Privileges 180
      Privileged Applications and RBAC 180
      RBAC Rights Profiles 182
      RBAC Roles 182
      Profile Shell in RBAC 183
      Name Service Scope and RBAC 183
      Security Considerations When Directly Assigning Security Attributes 183
      Privileges (Overview) 184
      Privileges Protect Kernel Processes 184
      Privilege Descriptions 185
      Administrative Differences on a System With Privileges 186
      How Privileges Are Implemented 187
      How Processes Get Privileges 189
      Assigning Privileges 189
      Privileges and Devices 191
      Privileges and Debugging 191
    9 Using Role-Based Access Control (Tasks) 193
      Using RBAC (Task Map) 193
      Configuring RBAC (Task Map) 194
      Configuring RBAC 195
      ▼ How to Plan Your RBAC Implementation 195
      ▼ How to Create and Assign a Role By Using the GUI 197
      ▼ How to Create a Role From the Command Line 200
      ▼ How to Assign a Role to a Local User 202
      ▼ How to Audit Roles 204
      ▼ How to Make root User Into a Role 204
      Using Roles (Task Map) 206
      Using Roles 207
      ▼ How to Assume a Role in a Terminal Window 207
      ▼ How to Assume a Role in the Solaris Management Console 209
      Managing RBAC (Task Map) 210
      Managing RBAC 211
      ▼ How to Change the Properties of a Role 211
      ▼ How to Create or Change a Rights Profile 213
      ▼ How to Change the RBAC Properties of a User 216
  • 13.
      ▼ How to Add RBAC Properties to Legacy Applications 218
    10 Role-Based Access Control (Reference) 221
      Contents of Rights Profiles 221
      Primary Administrator Rights Profile 222
      System Administrator Rights Profile 222
      Operator Rights Profile 223
      Printer Management Rights Profile 223
      Basic Solaris User Rights Profile 224
      All Rights Profile 225
      Order of Rights Profiles 225
      Viewing the Contents of Rights Profiles 225
      Authorization Naming and Delegation 226
      Authorization Naming Conventions 226
      Example of Authorization Granularity 226
      Delegation Authority in Authorizations 226
      Databases That Support RBAC 227
      RBAC Database Relationships 227
      RBAC Databases and the Name Service 228
      user_attr Database 229
      auth_attr Database 229
      prof_attr Database 231
      exec_attr Database 232
      policy.conf File 233
      RBAC Commands 234
      Commands That Manage RBAC 234
      Commands That Require Authorizations 235
    11 Privileges (Tasks) 237
      Managing and Using Privileges (Task Map) 237
      Managing Privileges (Task Map) 238
      Managing Privileges 238
      ▼ How to Determine the Privileges on a Process 239
      ▼ How to Determine Which Privileges a Program Requires 240
      ▼ How to Add Privileges to a Command 242
      ▼ How to Assign Privileges to a User or Role 242
      ▼ How to Limit a User’s or Role’s Privileges 243
  • 14.
      ▼ How to Run a Shell Script With Privileged Commands 245
      Determining Your Privileges (Task Map) 246
      Determining Your Assigned Privileges 246
      ▼ How to Determine the Privileges That You Have Been Directly Assigned 246
      ▼ How to Determine the Privileged Commands That You Can Run 248
      ▼ How to Determine the Privileged Commands That a Role Can Run 249
    12 Privileges (Reference) 253
      Administrative Commands for Handling Privileges 253
      Files With Privilege Information 254
      Privileges and Auditing 255
      Prevention of Privilege Escalation 256
      Legacy Applications and the Privilege Model 257
    Part IV Solaris Cryptographic Services 259
    13 Solaris Cryptographic Framework (Overview) 261
      What’s New in the Solaris Cryptographic Framework? 261
      Solaris Cryptographic Framework 262
      Terminology in the Solaris Cryptographic Framework 263
      Scope of the Solaris Cryptographic Framework 264
      Administrative Commands in the Solaris Cryptographic Framework 265
      User-Level Commands in the Solaris Cryptographic Framework 265
      Binary Signatures for Third-Party Software 266
      Plugins to the Solaris Cryptographic Framework 266
      Cryptographic Services and Zones 267
    14 Solaris Cryptographic Framework (Tasks) 269
      Using the Cryptographic Framework (Task Map) 269
      Protecting Files With the Solaris Cryptographic Framework (Task Map) 270
      Protecting Files With the Solaris Cryptographic Framework 270
      ▼ How to Generate a Symmetric Key 270
      ▼ How to Compute a Digest of a File 272
      ▼ How to Compute a MAC of a File 273
      ▼ How to Encrypt and Decrypt a File 275
      Administering the Cryptographic Framework (Task Map) 277
      Administering the Cryptographic Framework 278
  • 15.
      ▼ How to List Available Providers 278
      ▼ How to Add a Software Provider 280
      ▼ How to Prevent the Use of a User-Level Mechanism 282
      ▼ How to Prevent the Use of a Kernel Software Provider 283
      ▼ How to List Hardware Providers 286
      ▼ How to Disable Hardware Provider Mechanisms and Features 286
      ▼ How to Refresh or Restart All Cryptographic Services 288
    Part V Authentication Services and Secure Communication 289
    15 Using Authentication Services (Tasks) 291
      Overview of Secure RPC 291
      NFS Services and Secure RPC 291
      DES Encryption With Secure NFS 292
      Kerberos Authentication 292
      Diffie-Hellman Authentication 292
      Administering Secure RPC (Task Map) 296
      Administering Authentication With Secure RPC 296
      ▼ How to Restart the Secure RPC Keyserver 297
      ▼ How to Set Up a Diffie-Hellman Key for an NIS+ Host 297
      ▼ How to Set Up a Diffie-Hellman Key for an NIS+ User 298
      ▼ How to Set Up a Diffie-Hellman Key for an NIS Host 299
      ▼ How to Set Up a Diffie-Hellman Key for an NIS User 300
      ▼ How to Share NFS Files With Diffie-Hellman Authentication 301
    16 Using PAM 303
      PAM (Overview) 303
      Benefits of Using PAM 303
      PAM Components 304
      Changes to PAM for the Solaris 10 Release 305
      PAM (Tasks) 306
      PAM (Task Map) 306
      Planning for Your PAM Implementation 307
      ▼ How to Add a PAM Module 308
      ▼ How to Prevent Rhost-Style Access From Remote Systems With PAM 308
      ▼ How to Log PAM Error Reports 309
      PAM Configuration File (Reference) 309
  • 16.
      PAM Configuration File Syntax 309
      Service Names for PAM 310
      PAM Module Types 310
      PAM Control Flags 310
      PAM Modules 312
      Examples From the Generic pam.conf File 312
    17 Using SASL 315
      SASL (Overview) 315
      SASL (Reference) 316
      SASL Plug-ins 316
      SASL Environment Variable 317
      SASL Options 317
    18 Using Solaris Secure Shell (Tasks) 319
      Solaris Secure Shell (Overview) 319
      Solaris Secure Shell Authentication 320
      Solaris Secure Shell in the Enterprise 322
      Solaris Secure Shell Enhancements in the Solaris 10 Release 322
      Solaris Secure Shell (Task Map) 323
      Configuring Solaris Secure Shell (Task Map) 324
      Configuring Solaris Secure Shell 324
      ▼ How to Set Up Host-Based Authentication for Solaris Secure Shell 324
      ▼ How to Enable Solaris Secure Shell v1 326
      ▼ How to Configure Port Forwarding in Solaris Secure Shell 327
      Using Solaris Secure Shell (Task Map) 328
      Using Solaris Secure Shell 329
      ▼ How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell 329
      ▼ How to Change the Passphrase for a Solaris Secure Shell Private Key 331
      ▼ How to Log In to a Remote Host With Solaris Secure Shell 332
      ▼ How to Reduce Password Prompts in Solaris Secure Shell 333
      ▼ How to Set Up the ssh-agent Command to Run Automatically 334
      ▼ How to Use Port Forwarding in Solaris Secure Shell 335
      ▼ How to Copy Files With Solaris Secure Shell 336
      ▼ How to Set Up Default Connections to Hosts Outside a Firewall 337
  • 17.
    19 Solaris Secure Shell (Reference) 341
      A Typical Solaris Secure Shell Session 341
      Session Characteristics in Solaris Secure Shell 342
      Authentication and Key Exchange in Solaris Secure Shell 342
      Command Execution and Data Forwarding in Solaris Secure Shell 343
      Client and Server Configuration in Solaris Secure Shell 344
      Client Configuration in Solaris Secure Shell 344
      Server Configuration in Solaris Secure Shell 344
      Keywords in Solaris Secure Shell 345
      Host-Specific Parameters in Solaris Secure Shell 348
      Solaris Secure Shell and Login Environment Variables 349
      Maintaining Known Hosts in Solaris Secure Shell 350
      Solaris Secure Shell Packages and Initialization 350
      Solaris Secure Shell Files 351
      Solaris Secure Shell Commands 353
    Part VI Kerberos Service 357
    20 Introduction to the Kerberos Service 359
      What Is the Kerberos Service? 359
      How the Kerberos Service Works 360
      Initial Authentication: the Ticket-Granting Ticket 361
      Subsequent Kerberos Authentications 363
      The Kerberos Remote Applications 364
      Kerberos Principals 364
      Kerberos Realms 365
      Kerberos Security Services 367
      The Components of Various Kerberos Releases 368
      Kerberos Components 368
      Kerberos Enhancements in the Solaris 10 Release 369
      Kerberos Components in the Solaris 9 Release 372
      SEAM 1.0.2 Components 372
      Kerberos Components in the Solaris 8 Release 372
      SEAM 1.0.1 Components 372
      SEAM 1.0 Components 373
  • 18.
    21 Planning for the Kerberos Service 375
      Why Plan for Kerberos Deployments? 375
      Kerberos Realms 376
      Realm Names 376
      Number of Realms 376
      Realm Hierarchy 377
      Mapping Host Names Onto Realms 377
      Client and Service Principal Names 377
      Ports for the KDC and Admin Services 378
      The Number of Slave KDCs 378
      Mapping GSS Credentials to UNIX Credentials 379
      Automatic User Migration to a Kerberos Realm 380
      Which Database Propagation System to Use 380
      Clock Synchronization Within a Realm 381
      Client Installation Options 381
      Kerberos Encryption Types 381
      Online Help URL in the SEAM Administration Tool 382
    22 Configuring the Kerberos Service (Tasks) 383
      Configuring the Kerberos Service (Task Map) 383
      Configuring Additional Kerberos Services (Task Map) 384
      Configuring KDC Servers 385
      ▼ How to Configure a Master KDC 385
      ▼ How to Configure a Slave KDC 390
      Configuring Cross-Realm Authentication 394
      ▼ How to Establish Hierarchical Cross-Realm Authentication 394
      ▼ How to Establish Direct Cross-Realm Authentication 395
      Configuring Kerberos Network Application Servers 397
      ▼ How to Configure a Kerberos Network Application Server 397
      Configuring Kerberos NFS Servers 398
      ▼ How to Configure Kerberos NFS Servers 399
      ▼ How to Create a Credential Table 401
      ▼ How to Add a Single Entry to the Credential Table 401
      ▼ How to Provide Credential Mapping Between Realms 402
      ▼ How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes 402
      Configuring Kerberos Clients 404
      Configuring Kerberos Clients (Task Map) 405
  • 19.
      ▼ How to Create a Kerberos Client Installation Profile 405
      ▼ How to Automatically Configure a Kerberos Client 406
      ▼ How to Interactively Configure a Kerberos Client 407
      ▼ How to Manually Configure a Kerberos Client 408
      ▼ How to Access a Kerberos Protected NFS File System as the root User 412
      ▼ Configuring Automatic Migration of Users in a Kerberos Realm 414
      Synchronizing Clocks Between KDCs and Kerberos Clients 416
      Swapping a Master KDC and a Slave KDC 417
      ▼ How to Configure a Swappable Slave KDC 418
      ▼ How to Swap a Master KDC and a Slave KDC 418
      Administering the Kerberos Database 422
      Backing Up and Propagating the Kerberos Database 422
      ▼ How to Back Up the Kerberos Database 424
      ▼ How to Restore the Kerberos Database 425
      ▼ How to Reload a Kerberos Database 426
      ▼ How to Reconfigure a Master KDC to Use Incremental Propagation 426
      ▼ How to Reconfigure a Slave KDC to Use Incremental Propagation 428
      ▼ How to Configure a Slave KDC to Use Full Propagation 429
      ▼ How to Verify That the KDC Servers Are Synchronized 433
      ▼ How to Manually Propagate the Kerberos Database to the Slave KDCs 434
      Setting Up Parallel Propagation 434
      Configuration Steps for Setting Up Parallel Propagation 435
      Administering the Stash File 436
      ▼ How to Remove a Stash File 437
      Increasing Security on Kerberos Servers 437
      ▼ How to Enable Only Kerberized Applications 437
      ▼ How to Restrict Access to KDC Servers 438
    23 Kerberos Error Messages and Troubleshooting 439
      Kerberos Error Messages 439
      SEAM Administration Tool Error Messages 439
      Common Kerberos Error Messages (A-M) 440
      Common Kerberos Error Messages (N-Z) 447
      Kerberos Troubleshooting 451
      Problems With the Format of the krb5.conf File 451
      Problems Propagating the Kerberos Database 451
      Problems Mounting a Kerberized NFS File System 452
      Problems Authenticating as root 452
  • 20.
      Observing Mapping from GSS Credentials to UNIX Credentials 453
    24 Administering Kerberos Principals and Policies (Tasks) 455
      Ways to Administer Kerberos Principals and Policies 455
      SEAM Administration Tool 456
      Command-Line Equivalents of the SEAM Tool 457
      The Only File Modified by the SEAM Tool 457
      Print and Online Help Features of the SEAM Tool 457
      Working With Large Lists in the SEAM Tool 458
      ▼ How to Start the SEAM Tool 459
      Administering Kerberos Principals 460
      Administering Kerberos Principals (Task Map) 461
      Automating the Creation of New Kerberos Principals 461
      ▼ How to View the List of Kerberos Principals 462
      ▼ How to View a Kerberos Principal’s Attributes 464
      ▼ How to Create a New Kerberos Principal 466
      ▼ How to Duplicate a Kerberos Principal 468
      ▼ How to Modify a Kerberos Principal 468
      ▼ How to Delete a Kerberos Principal 470
      ▼ How to Set Up Defaults for Creating New Kerberos Principals 470
      ▼ How to Modify the Kerberos Administration Privileges 471
      Administering Kerberos Policies 473
      Administering Kerberos Policies (Task Map) 473
      ▼ How to View the List of Kerberos Policies 473
      ▼ How to View a Kerberos Policy’s Attributes 475
      ▼ How to Create a New Kerberos Policy 477
      ▼ How to Duplicate a Kerberos Policy 479
      ▼ How to Modify a Kerberos Policy 479
      ▼ How to Delete a Kerberos Policy 480
      SEAM Tool Reference 481
      SEAM Tool Panel Descriptions 481
      Using the SEAM Tool With Limited Kerberos Administration Privileges 484
      Administering Keytab Files 485
      Administering Keytab Files (Task Map) 486
      ▼ How to Add a Kerberos Service Principal to a Keytab File 487
      ▼ How to Remove a Service Principal From a Keytab File 489
      ▼ How to Display the Keylist (Principals) in a Keytab File 490
      ▼ How to Temporarily Disable Authentication for a Service on a Host 491
25 Using Kerberos Applications (Tasks) 493
Kerberos Ticket Management 493
Do You Need to Worry About Tickets? 493
Creating a Kerberos Ticket 494
Viewing Kerberos Tickets 495
Destroying Kerberos Tickets 496
Kerberos Password Management 497
Advice on Choosing a Password 497
Changing Your Password 497
Granting Access to Your Account 500
Kerberos User Commands 501
Overview of Kerberized Commands 502
Forwarding Kerberos Tickets 504
Examples — Using Kerberized Commands 506
26 The Kerberos Service (Reference) 509
Kerberos Files 509
Kerberos Commands 511
Kerberos Daemons 511
Kerberos Terminology 512
Kerberos-Specific Terminology 512
Authentication-Specific Terminology 513
Types of Tickets 514
How the Kerberos Authentication System Works 518
Gaining Access to a Service Using Kerberos 518
Obtaining a Credential for the Ticket-Granting Service 518
Obtaining a Credential for a Server 519
Obtaining Access to a Specific Service 520
Using Kerberos Encryption Types 521
Using the gsscred Table 523
Notable Differences Between Solaris Kerberos and MIT Kerberos 524
Part VII Solaris Auditing 525
27 Solaris Auditing (Overview) 527
What Is Auditing? 527
How Does Auditing Work? 528
How Is Auditing Related to Security? 529
Audit Terminology and Concepts 530
Audit Events 531
Audit Classes and Preselection 532
Audit Records and Audit Tokens 533
Audit Files 533
Audit Storage 535
Examining the Audit Trail 535
Solaris Auditing Enhancements in the Solaris 10 Release 535
28 Planning for Solaris Auditing 537
Planning Solaris Auditing (Task Map) 537
Planning Solaris Auditing (Tasks) 538
▼ How to Plan Auditing in Zones 538
▼ How to Plan Storage for Audit Records 539
▼ How to Plan Who and What to Audit 540
Determining Audit Policy 541
Controlling Auditing Costs 544
Cost of Increased Processing Time of Audit Data 544
Cost of Analysis of Audit Data 544
Cost of Storage of Audit Data 545
Auditing Efficiently 545
29 Managing Solaris Auditing (Tasks) 547
Solaris Auditing (Task Map) 547
Configuring Audit Files (Task Map) 548
Configuring Audit Files 548
▼ How to Modify the audit_control File 549
▼ How to Configure syslog Audit Logs 551
▼ How to Change a User’s Audit Characteristics 553
▼ How to Add an Audit Class 554
▼ How to Change an Audit Event’s Class Membership 555
Configuring and Enabling the Auditing Service (Task Map) 557
Configuring and Enabling the Auditing Service 558
▼ How to Create Partitions for Audit Files 558
▼ How to Configure the audit_warn Email Alias 560
▼ How to Configure Audit Policy 561
▼ How to Enable Auditing 564
▼ How to Disable Auditing 565
▼ How to Update the Auditing Service 566
Managing Audit Records (Task Map) 568
Managing Audit Records 568
▼ How to Display Audit Record Formats 568
▼ How to Merge Audit Files From the Audit Trail 570
▼ How to Select Audit Events From the Audit Trail 572
▼ How to View the Contents of Binary Audit Files 574
▼ How to Clean Up a not_terminated Audit File 575
▼ How to Prevent Audit Trail Overflow 576
30 Solaris Auditing (Reference) 579
Audit Commands 579
auditd Daemon 580
audit Command 580
bsmrecord Command 581
auditreduce Command 581
praudit Command 583
auditconfig Command 584
Files Used in the Auditing Service 584
system File 585
syslog.conf File 585
audit_class File 585
audit_control File 585
audit_event File 587
audit_startup Script 587
audit_user Database 587
audit_warn Script 588
bsmconv Script 589
Rights Profiles for Administering Auditing 590
Auditing and Solaris Zones 590
Audit Classes 591
Definitions of Audit Classes 591
Audit Class Syntax 593
Audit Policy 594
Process Audit Characteristics 594
Audit Trail 595
Conventions for Binary Audit File Names 595
Binary Audit File Names 595
Binary Audit File Timestamps 596
Audit Record Structure 596
Audit Record Analysis 597
Audit Token Formats 598
acl Token 599
arbitrary Token (Obsolete) 599
arg Token 600
attribute Token 601
cmd Token 601
exec_args Token 602
exec_env Token 602
exit Token (Obsolete) 602
file Token 603
group Token (Obsolete) 603
groups Token 603
header Token 604
in_addr Token 604
ip Token (Obsolete) 605
ipc Token 605
ipc_perm Token 606
iport Token 606
opaque Token (Obsolete) 606
path Token 607
path_attr Token 607
privilege Token 608
process Token 608
return Token 609
sequence Token 610
socket Token 610
subject Token 611
text Token 613
trailer Token 613
uauth Token 613
zonename Token 614
Preface

System Administration Guide: Security Services is part of a multivolume set that covers a significant part of the Solaris™ Operating System administration information. This book assumes that you have already installed the SunOS™ 5.10 operating system, and you have set up any networking software that you plan to use. The SunOS 5.10 operating system is part of the Solaris 10 product family, which includes many features, such as the Solaris Common Desktop Environment (CDE).

Note – This Solaris release supports systems that use the SPARC® and x86 families of processor architectures: UltraSPARC®, SPARC64, AMD64, Pentium, and Xeon EM64T. The supported systems appear in the Solaris 10 Hardware Compatibility List at http://www.sun.com/bigadmin/hcl. This document cites any implementation differences between the platform types.

In this document these x86 related terms mean the following:
■ “x86” refers to the larger family of 64-bit and 32-bit x86 compatible products.
■ “x64” points out specific 64-bit information about AMD64 or EM64T systems.
■ “32-bit x86” points out specific 32-bit information about x86 based systems.
For supported systems, see the Solaris 10 Hardware Compatibility List.

Who Should Use This Book

This book is intended for anyone who is responsible for administering one or more systems that run the Solaris 10 release. To use this book, you should have more than two years of UNIX® system administration experience. Attending training courses in UNIX system administration might be helpful.
How the System Administration Volumes Are Organized

Here is a list of the topics that are covered by the volumes of the System Administration Guides.

Book Title / Topics

System Administration Guide: Basic Administration
  User accounts and groups, server and client support, shutting down and booting a system, managing services, and managing software (packages and patches)
System Administration Guide: Advanced Administration
  Printing services, terminals and modems, system resources (disk quotas, accounting, and crontabs), system processes, and troubleshooting Solaris software problems
System Administration Guide: Devices and File Systems
  Removable media, disks and devices, file systems, and backing up and restoring data
System Administration Guide: IP Services
  TCP/IP network administration, IPv4 and IPv6 address administration, DHCP, IPsec, IKE, Solaris IP filter, Mobile IP, IP network multipathing (IPMP), and IPQoS
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
  DNS, NIS, and LDAP naming and directory services, including transitioning from NIS to LDAP and transitioning from NIS+ to LDAP
System Administration Guide: Naming and Directory Services (NIS+)
  NIS+ naming and directory services
System Administration Guide: Network Services
  Web cache servers, time-related services, network file systems (NFS and Autofs), mail, SLP, and PPP
System Administration Guide: Security Services
  Auditing, device management, file security, BART, Kerberos services, PAM, Solaris Cryptographic Framework, privileges, RBAC, SASL, and Solaris Secure Shell
System Administration Guide: Solaris Containers-Resource Management and Solaris Zones
  Resource management topics: projects and tasks, extended accounting, resource controls, fair share scheduler (FSS), physical memory control using the resource capping daemon (rcapd), and dynamic resource pools; virtualization using Solaris Zones software partitioning technology
Related Third-Party Web Site References

Third party URLs are referenced in this document and provide additional, related information.

Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Documentation, Support, and Training

The Sun web site provides information about the following additional resources:
■ Documentation (http://www.sun.com/documentation/)
■ Support (http://www.sun.com/support/)
■ Training (http://www.sun.com/training/)

Typographic Conventions

The following table describes the typographic conventions that are used in this book.

TABLE P–1 Typographic Conventions

Typeface: AaBbCc123
  Meaning: The names of commands, files, and directories, and onscreen computer output
  Example: Edit your .login file. Use ls -a to list all files. machine_name% you have mail.
Typeface: AaBbCc123
  Meaning: What you type, contrasted with onscreen computer output
  Example: machine_name% su Password:
Typeface: aabbcc123
  Meaning: Placeholder: replace with a real name or value
  Example: The command to remove a file is rm filename.
Typeface: AaBbCc123
  Meaning: Book titles, new terms, and terms to be emphasized
  Example: Read Chapter 6 in the User’s Guide. A cache is a copy that is stored locally. Do not save the file. Note: Some emphasized items appear bold online.

Shell Prompts in Command Examples

The following table shows the default UNIX® system prompt and superuser prompt for the C shell, Bourne shell, and Korn shell.

TABLE P–2 Shell Prompts

Shell: C shell
  Prompt: machine_name%
Shell: C shell for superuser
  Prompt: machine_name#
Shell: Bourne shell and Korn shell
  Prompt: $
Shell: Bourne shell and Korn shell for superuser
  Prompt: #
PART I Security Overview

This book focuses on the features that enhance security in the Solaris Operating System. This book is intended for system administrators and users of these security features. The overview chapter introduces the topics in the book.
CHAPTER 1 Security Services (Overview)

To maintain the security of the Solaris Operating System (Solaris OS), Solaris software provides the following features:
■ “System Security” on page 29 – The ability to prevent intrusion, to protect machine resources and devices from misuse, and to protect files from malicious modification or unintentional modification by users or intruders. For a general discussion of system security, see Chapter 2.
■ “Solaris Cryptographic Services” on page 30 – The ability to scramble data so that only the sender and the designated receiver can read the contents, and to manage cryptographic providers
■ “Authentication Services” on page 31 – The ability to securely identify a user, which requires the user’s name and some form of proof, typically a password
■ “Authentication With Encryption” on page 32 – The ability to ensure that authenticated parties can communicate without interception, modification, or spoofing
■ “Solaris Auditing” on page 32 – The ability to identify the source of security changes to the system, including file access, security-related system calls, and authentication failures
■ “Security Policy” on page 33 – The design and implementation of security guidelines for a computer or network of computers

System Security

System security ensures that the system’s resources are used properly. Access controls can restrict who is permitted access to resources on the system. The Solaris OS features for system security and access control include the following:
■ Login administration tools – Commands for monitoring and controlling a user’s ability to log in. See “Securing Logins and Passwords (Task Map)” on page 60.
■ Hardware access – Commands for limiting access to the PROM, and for restricting who can boot the system. See “SPARC: Controlling Access to System Hardware (Task Map)” on page 74.
■ Resource access – Tools and strategies for maximizing the appropriate use of machine resources while minimizing the misuse of those resources. See “Controlling Access to Machine Resources” on page 46.
■ Role-based access control (RBAC) – An architecture for creating special, restricted user accounts that are permitted to perform specific administrative tasks. See “Role-Based Access Control (Overview)” on page 175.
■ Privileges – Discrete rights on processes to perform operations. These process rights are enforced in the kernel. See “Privileges (Overview)” on page 184.
■ Device management – Device policy additionally protects devices that are already protected by UNIX permissions. Device allocation controls access to peripheral devices, such as a microphone or CD-ROM drive. Upon deallocation, device-clean scripts can then erase any data from the device. See “Controlling Access to Devices” on page 44.
■ Basic Audit Reporting Tool (BART) – A snapshot, called a manifest, of the file attributes of files on a system. By comparing the manifests across systems or on one system over time, changes to files can be monitored to reduce security risks. See Chapter 5.
■ File permissions – Attributes of a file or directory. Permissions restrict the users and groups that are permitted to read, write, or execute a file, or search a directory. See Chapter 6.
■ Security enhancement scripts – Through the use of scripts, many system files and parameters can be adjusted to reduce security risks. See Chapter 7.

Solaris Cryptographic Services

Cryptography is the science of encrypting and decrypting data. Cryptography is used to ensure integrity, privacy, and authenticity. Integrity means that the data has not been altered. Privacy means that the data is not readable by others. Authenticity for data means that what was delivered is what was sent. User authentication means that the user has supplied one or more proofs of identity. Authentication mechanisms mathematically verify the source of the data or the proof of identity. Encryption mechanisms scramble data so that the data is not readable by a casual observer.

Cryptographic services provide authentication and encryption mechanisms to applications and users. Cryptographic algorithms use hashing, chaining, and other mathematical techniques to create ciphers that are difficult to break. Authentication mechanisms require that the sender and the receiver compute an identical number from the data. Encryption mechanisms rely on the sender and the receiver sharing information about the method of encryption. This information enables only the receiver and the sender to decrypt the message.

The Solaris OS provides a centralized cryptographic framework, and provides encryption mechanisms that are tied to particular applications.
■ Solaris™ Cryptographic Framework – A central framework of cryptographic services for kernel-level and user-level consumers. Uses include passwords, IPsec, and third-party applications. The cryptographic framework includes a number of software encryption modules. The framework enables you to specify which software encryption modules or hardware encryption sources an application can use. The framework is built on the PKCS #11 v2 library. This library is implemented according to the following standard: RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki). The library provides an API for third-party developers to plug in the cryptographic requirements for their applications. See Chapter 13.
■ Encryption mechanisms per application –
  ■ For the use of DES in Secure RPC, see “Overview of Secure RPC” on page 291.
  ■ For the use of DES, 3DES, AES, and ARCFOUR in the Kerberos service, see Chapter 20.
  ■ For the use of RSA, DSA, and ciphers such as Blowfish in Solaris Secure Shell, see Chapter 18.
  ■ For the use of cryptographic algorithms in passwords, see “Changing the Password Algorithm (Task Map)” on page 67.

Authentication Services

Authentication is a mechanism that identifies a user or service based on predefined criteria. Authentication services range from simple name-password pairs to more elaborate challenge-response systems, such as smart cards and biometrics. Strong authentication mechanisms rely on a user supplying information that only that person knows, and a personal item that can be verified. A user name is an example of information that the person knows. A smart card or a fingerprint, for example, can be verified.

The Solaris features for authentication include the following:
■ Secure RPC – An authentication mechanism that uses the Diffie-Hellman protocol to protect NFS mounts and a name service, such as NIS or NIS+. See “Overview of Secure RPC” on page 291.
■ Pluggable Authentication Module (PAM) – A framework that enables various authentication technologies to be plugged into a system entry service without recompiling the service. Some of the system entry services include login and ftp. See Chapter 16.
■ Simple Authentication and Security Layer (SASL) – A framework that provides authentication and security services to network protocols. See Chapter 17.
■ Solaris Secure Shell – A secure remote login and transfer protocol that encrypts communications over an insecure network. See Chapter 18.
■ Kerberos service – A client-server architecture that provides encryption with authentication. See Chapter 20.
■ Solaris smart card – A plastic card with a microprocessor and memory that can be used with a card reader to access systems. See Solaris Smartcard Administration Guide.

Authentication With Encryption

Authentication with encryption is the basis of secure communication. Authentication helps ensure that the source and the destination are the intended parties. Encryption codes the communication at the source, and decodes the communication at the destination. Encryption prevents intruders from reading any transmissions that the intruders might manage to intercept.

The Solaris features for secure communication include the following:
■ Solaris Secure Shell – A protocol for protecting data transfers and interactive user network sessions from eavesdropping, session hijacking, and “man-in-the-middle” attacks. Strong authentication is provided through public key cryptography. X windows services and other network services can be tunneled safely over Secure Shell connections for additional protection. See Chapter 18.
■ Kerberos service – A client-server architecture that provides authentication with encryption. See Chapter 20.
■ Internet Protocol Security Architecture (IPsec) – An architecture that provides IP datagram protection. Protections include confidentiality, strong integrity of the data, data authentication, and partial sequence integrity. See Chapter 19, “IP Security Architecture (Overview),” in System Administration Guide: IP Services.

Solaris Auditing

Auditing is a fundamental concept of system security and maintainability. Auditing is the process of examining the history of actions and events on a system to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected. See Chapter 27.

Security Policy

The phrase security policy, or policy, is used throughout this book to refer to an organization’s security guidelines. Your site’s security policy is the set of rules that define the sensitivity of the information that is being processed and the measures that are used to protect the information from unauthorized access. Security technologies such as Solaris Secure Shell, authentication, RBAC, authorization, privileges, and resource control provide measures to protect information.

Some security technologies also use the word policy when describing specific aspects of their implementation. For example, Solaris auditing uses audit policy options to configure some aspects of auditing policy. The following table points to glossary, man page, and information on features that use the word policy to describe specific aspects of their implementation.

TABLE 1–1 Use of Policy in the Solaris OS

Glossary Definition: audit policy
  Selected Man Pages: audit_control(4), audit_user(4), auditconfig(1M)
  Further Information: Chapter 27
Glossary Definition: policy in the cryptographic framework
  Selected Man Pages: cryptoadm(1M)
  Further Information: Chapter 13
Glossary Definition: device policy
  Selected Man Pages: getdevpolicy(1M)
  Further Information: “Controlling Access to Devices” on page 44
Glossary Definition: Kerberos policy
  Selected Man Pages: krb5.conf(4)
  Further Information: Chapter 24
Glossary Definition: network policies
  Selected Man Pages: ipfilter(5), ifconfig(1M), ike.config(4), ipsecconf(1M), routeadm(1M)
  Further Information: Part IV, “IP Security,” in System Administration Guide: IP Services
Glossary Definition: password policy
  Selected Man Pages: passwd(1), nsswitch.conf(4), crypt.conf(4), policy.conf(4)
  Further Information: “Maintaining Login Control” on page 39
Glossary Definition: RBAC policy
  Selected Man Pages: rbac(5)
  Further Information: “exec_attr Database” on page 232
PART II System, File, and Device Security

This section covers security that can be configured on a non-networked system. The chapters discuss planning, monitoring, and controlling access to the disk, to files, and to peripheral devices.
CHAPTER 2 Managing Machine Security (Overview)

Keeping a machine’s information secure is an important system administration responsibility. This chapter provides overview information about managing machine security.

The following is a list of the overview information in this chapter.
■ “Enhancements to Machine Security in the Solaris 10 Release” on page 37
■ “Controlling Access to a Computer System” on page 38
■ “Controlling Access to Devices” on page 44
■ “Controlling Access to Machine Resources” on page 46
■ “Controlling Access to Files” on page 51
■ “Controlling Network Access” on page 52
■ “Reporting Security Problems” on page 57

Enhancements to Machine Security in the Solaris 10 Release

Since the Solaris 9 release, the following features have been introduced to enhance system security:
■ Strong password encryption is available and configurable. For more information, see “Password Encryption” on page 41.
■ Device policy is enforced with privileges. For more information, see “Device Policy (Overview)” on page 45. For device allocation, the /etc/security/dev directory might not be supported in future releases of the Solaris OS.
■ The Basic Audit Reporting Tool (BART) can monitor the authenticity of the files on your system. For more information, see Chapter 5.
■ Files can be protected with strong encryption. For more information, see “Protecting Files With Encryption” on page 51.
■ Privileges enforce process rights at the kernel level. For more information, see “Privileges (Overview)” on page 184.
■ The Solaris Cryptographic Framework centralizes cryptographic services for providers and for consumers. For more information, see Chapter 13.
■ The PAM framework provides functionality for many programs, such as Solaris Secure Shell. For more information, see “Changes to PAM for the Solaris 10 Release” on page 305.
■ Solaris zones and resource management control access to machine resources. For more information, see System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Controlling Access to a Computer System

In the workplace, all machines that are connected to a server can be thought of as one large multifaceted system. You are responsible for the security of this larger system. You need to defend the network from outsiders who are trying to gain access to the network. You also need to ensure the integrity of the data on the machines within the network.

At the file level, the Solaris OS provides standard security features that you can use to protect files, directories, and devices. At the system and network levels, the security issues are mostly the same. The first line of security defense is to control access to your system.

You can control and monitor system access by doing the following:
■ “Maintaining Physical Security” on page 38
■ “Maintaining Login Control” on page 39
■ “Controlling Access to Devices” on page 44
■ “Controlling Access to Machine Resources” on page 46
■ “Controlling Access to Files” on page 51
■ “Controlling Network Access” on page 52
■ “Reporting Security Problems” on page 57

Maintaining Physical Security

To control access to your system, you must maintain the physical security of your computing environment. For instance, a system that is logged in and left unattended is vulnerable to unauthorized access. An intruder can gain access to the operating system and to the network. The computer’s surroundings and the computer hardware should be physically protected from unauthorized access.

You can protect a SPARC system from unauthorized access to the hardware settings. Use the eeprom command to require a password to access the PROM. For more information, see “How to Require a Password for Hardware Access” on page 75.

Maintaining Login Control

You also must prevent unauthorized logins to a system or the network, which you can do through password assignment and login control. All accounts on a system should have a password. A password is a simple authentication mechanism. An account without a password makes your entire network accessible to an intruder who guesses a user name. A strong password algorithm protects against brute force attacks.

When a user logs in to a system, the login command checks the appropriate name service or directory service database according to the information that is listed in the /etc/nsswitch.conf file. This file can include the following entries:
■ files – Designates the /etc files on the local system
■ ldap – Designates the LDAP directory service on the LDAP server
■ nis – Designates the NIS database on the NIS master server
■ nisplus – Designates the NIS+ database on the NIS+ root server
For a description of the nsswitch.conf file, see the nsswitch.conf(4) man page. For information about naming services and directory services, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) or the System Administration Guide: Naming and Directory Services (NIS+).

The login command verifies the user name and password that were supplied by the user. If the user name is not in the password file, the login command denies access to the system. If the password is not correct for the user name that was specified, the login command denies access to the system. When the user supplies a valid user name and its corresponding password, the system grants the user access to the system.

PAM modules can streamline login to applications after a successful system login. For more information, see Chapter 16. Sophisticated authentication and authorization mechanisms are available on Solaris systems. For a discussion of authentication and authorization mechanisms at the network level, see “Authentication and Authorization for Remote Access” on page 54.

Managing Password Information

When users log in to a system, they must supply both a user name and a password. Although logins are publicly known, passwords must be kept secret. Passwords should be known only to each user. You should ask your users to choose their passwords carefully. Users should change their passwords often.
Passwords are initially created when you set up a user account. To maintain security on user accounts, you can set up password aging to force users to routinely change their passwords. You can also disable a user account by locking the password. For detailed information about administering passwords, see Chapter 4, “Managing User Accounts and Groups (Overview),” in System Administration Guide: Basic Administration and the passwd(1) man page.

Local Passwords

If your network uses local files to authenticate users, the password information is kept in the system’s /etc/passwd and /etc/shadow files. The user name and other information are kept in the password file /etc/passwd. The encrypted password itself is kept in a separate shadow file, /etc/shadow. This security measure prevents a user from gaining access to the encrypted passwords. While the /etc/passwd file is available to anyone who can log in to a system, only superuser or an equivalent role can read the /etc/shadow file. You can use the passwd command to change a user’s password on a local system.

NIS and NIS+ Passwords

If your network uses NIS to authenticate users, password information is kept in the NIS password map. NIS does not support password aging. You can use the command passwd -r nis to change a user’s password that is stored in an NIS password map.

If your network uses NIS+ to authenticate users, password information is kept in the NIS+ database. Information in the NIS+ database can be protected by restricting access to authorized users only. You can use the passwd -r nisplus command to change a user’s password that is stored in an NIS+ database.

LDAP Passwords

The Solaris LDAP naming service stores password information and shadow information in the ou=people container of the LDAP directory tree. On the Solaris LDAP naming service client, you can use the passwd -r ldap command to change a user’s password. The LDAP naming service stores the password in the LDAP repository.

In the Solaris 10 release, password policy is enforced on the Sun Java™ System Directory Server. Specifically, the client’s pam_ldap module follows the password policy controls that are enforced on the Sun Java System Directory Server. For more information, see “LDAP Naming Services Security Model” in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
  • 45. Password Encryption Strong password encryption provides an early barrier against attack. Solaris software provides four password encryption algorithms. The two MD5 algorithms and the Blowfish algorithm provide more robust password encryption than the UNIX algorithm. Password Algorithm Identifiers You specify the algorithms configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table. TABLE 2–1 Password Encryption Algorithms Identifier Description Algorithm Man Page 1 The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems. crypt_bsdmd5(5) 2a The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems. crypt_bsdbf(5) md5 The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5. crypt_sunmd5(5) __unix__ The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file. crypt_unix(5) Algorithms Configuration in the policy.conf File The following shows the default algorithms configuration in the policy.conf file: # ... # crypt(3c) Algorithms Configuration # # CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to # be used for new passwords. This is enforced only in crypt_gensalt(3c). # CRYPT_ALGORITHMS_ALLOW=1,2a,md5 # To deprecate use of the traditional unix algorithm, uncomment below # and change CRYPT_DEFAULT= to another algorithm. For example, # CRYPT_DEFAULT=1 for BSD/Linux MD5. # #CRYPT_ALGORITHMS_DEPRECATE=__unix__ # The Solaris default is the traditional UNIX algorithm. This is not # listed in crypt.conf(4) since it is internal to libc. The reserved # name __unix__ is used to refer to it. Chapter 2 • Managing Machine Security (Overview) 41
    # CRYPT_DEFAULT=__unix__
    ...

When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value. When current users change their passwords, how their old password was encrypted affects which algorithm is used to encrypt the new password.

For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5 and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password.

Initial Password (Identifier = Password Algorithm)   Changed Password               Explanation
1 = crypt_bsdmd5                                     Uses same algorithm            The 1 identifier is also the value of CRYPT_DEFAULT. The user’s password continues to be encrypted with the crypt_bsdmd5 algorithm.
2a = crypt_bsdbf                                     Uses same algorithm            The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsdbf algorithm.
md5 = crypt_md5                                      Uses same algorithm            The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm.
__unix__ = crypt_unix                                Uses crypt_bsdmd5 algorithm    The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm.

For more information on configuring the algorithm choices, see the policy.conf(4) man page. To specify password encryption algorithms, see “Changing the Password Algorithm (Task Map)” on page 67.

Special System Logins

Two common ways to access a system are by using a conventional user login, or by using the root login. In addition, a number of special system logins enable a user to run administrative commands without using the root account. As system administrator, you assign passwords to these login accounts. The following table lists some system login accounts and their uses.

The system logins perform special functions. Each login has its own group identification number (GID).
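Returning to the password algorithm selection table above, here is an added POSIX sh example (not code from the Solaris guide) that applies the CRYPT_ALGORITHMS_ALLOW/CRYPT_DEFAULT rule to a list of stored hashes and, as an administrator's check, counts the accounts still on the traditional __unix__ algorithm, which only move to a stronger one at their next password change. It assumes a hash is classified by the identifier between its first two $ characters (no $ prefix means crypt_unix); the policy values, account names and hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: apply the CRYPT_ALGORITHMS_ALLOW /
# CRYPT_DEFAULT rule to stored password hashes. This mirrors the documented rule,
# not the libc crypt_gensalt(3c) implementation itself.

# Constructed policy.conf fragment (the values assumed in the text's example).
POLICY_CONF='
# crypt(3c) Algorithms Configuration
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
'

# Constructed shadow-style entries (name:hash). The hash strings are placeholders
# shaped like each algorithm's output, not real password hashes.
SHADOW='
alice:$1$saltsalt$bsdmd5placeholder
bob:$2a$05$bsdblowfishplaceholder
carol:$md5,rounds=904$saltsalt$$sunmd5placeholder
dave:abJnggxhB/yWI
'

# policy_value KEY -> value assigned to KEY in POLICY_CONF. Commented-out lines
# (leading '#') never match because the pattern is anchored at column 0.
policy_value() {
    printf '%s\n' "$POLICY_CONF" | sed -n "s/^$1=//p" | tail -n 1
}

# hash_algorithm HASH -> identifier of the algorithm that produced HASH: the text
# between the first two '$' characters, minus the ',rounds=N' option that
# crypt_sunmd5 may append; a hash with no '$' prefix is a traditional crypt_unix hash.
hash_algorithm() {
    case "$1" in
        '$'*'$'*) printf '%s\n' "$1" | cut -d '$' -f 2 | sed 's/,.*//' ;;
        *)        printf '__unix__\n' ;;
    esac
}

# in_list ITEM CSV -> true if ITEM is one of the comma-separated CSV entries
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# next_algorithm CURRENT_ID -> identifier used when this password is changed:
# the current algorithm if it is in CRYPT_ALGORITHMS_ALLOW, else CRYPT_DEFAULT.
next_algorithm() {
    if in_list "$1" "$(policy_value CRYPT_ALGORITHMS_ALLOW)"; then
        printf '%s\n' "$1"
    else
        policy_value CRYPT_DEFAULT
    fi
}

# count_unix_hashes -> number of accounts whose stored hash is still crypt_unix,
# i.e. accounts that only reach a stronger algorithm at their next change.
count_unix_hashes() {
    unix_count=0
    while IFS=: read -r name hash; do
        if [ -z "$name" ]; then continue; fi
        if [ "$(hash_algorithm "$hash")" = "__unix__" ]; then
            unix_count=$((unix_count + 1))
        fi
    done <<EOF
$SHADOW
EOF
    printf '%s\n' "$unix_count"
}

# migration_report -> one line per account: current identifier -> identifier
# that the next password change will use.
migration_report() {
    while IFS=: read -r name hash; do
        if [ -z "$name" ]; then continue; fi
        current=$(hash_algorithm "$hash")
        printf '%-8s %-8s -> %s\n' "$name" "$current" "$(next_algorithm "$current")"
    done <<EOF
$SHADOW
EOF
}

migration_report
printf 'accounts still on crypt_unix: %s\n' "$(count_unix_hashes)"
```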
Each login should have its own password, which should be divulged on a need-to-know basis.
TABLE 2–2 System Login Accounts and Their Uses

Login Account   GID   Use
root            0     Has almost no restrictions. Overrides all other logins, protections, and permissions. The root account has access to the entire system. The password for the root login should be very carefully protected. The root account, superuser, owns most of the Solaris commands.
daemon          1     Controls background processing.
bin             2     Owns some Solaris commands.
sys             3     Owns many system files.
adm             4     Owns certain administrative files.
lp              71    Owns the object data files and spooled data files for the printer.
uucp            5     Owns the object data files and spooled data files for UUCP, the UNIX-to-UNIX copy program.
nuucp           9     Is used by remote systems to log in to the system and start file transfers.

Remote Logins

Remote logins offer a tempting avenue for intruders. The Solaris OS provides several commands to monitor, limit, and disable remote logins. For procedures, see “Securing Logins and Passwords (Task Map)” on page 60.

By default, remote logins cannot gain control or read certain system devices, such as the system mouse, keyboard, frame buffer, or audio device. For more information, see the logindevperm(4) man page.

Dial-Up Logins

When a computer can be accessed through a modem or a dial-up port, you can add an extra layer of security. You can require a dial-up password for users who access a system through a modem or dial-up port. The dial-up password is an additional password that a user must supply before being granted access to the system.

Only superuser or a role of equivalent capabilities can create or change a dial-up password. To ensure the integrity of the system, the password should be changed about once a month. The most effective use of this feature is to require a dial-up password to gain access to a gateway system. To set up dial-up passwords, see “How to Create a Dial-Up Password” on page 65.
Two files are involved in creating a dial-up password, /etc/dialups and /etc/d_passwd. The dialups file contains a list of ports that require a dial-up password. The d_passwd file contains a list of shell programs that require an encrypted password as the additional dial-up password. The information in these two files is processed as follows:

■ If the user’s login shell in /etc/passwd matches an entry in /etc/d_passwd, the user must supply a dial-up password.
■ If the user’s login shell in /etc/passwd is not found in /etc/d_passwd, the user must supply the default password. The default password is the entry for /usr/bin/sh.
■ If the login shell field in /etc/passwd is empty, the user must supply the default password. The default password is the entry for /usr/bin/sh.
■ If /etc/d_passwd has no entry for /usr/bin/sh, then those users whose login shell field in /etc/passwd is empty or does not match any entry in /etc/d_passwd are not prompted for a dial-up password.
■ Dial-up logins are disabled if /etc/d_passwd has the /usr/bin/sh:*: entry only.

Controlling Access to Devices

Peripheral devices that are attached to a computer system pose a security risk. Microphones can pick up conversations and transmit them to remote systems. CD-ROMs can leave their information behind for reading by the next user of the CD-ROM device. Printers can be accessed remotely. Devices that are integral to the system can also present security issues. For example, network interfaces such as hme0 are considered integral devices.

Solaris software provides two methods of controlling access to devices. Device policy restricts or prevents access to devices that are integral to the system. Device policy is enforced in the kernel. Device allocation restricts or prevents access to peripheral devices. Device allocation is enforced at user allocation time.

Device policy uses privileges to protect selected devices in the kernel.
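The /etc/dialups and /etc/d_passwd rules listed under Dial-Up Logins above, as an added POSIX sh example that is not code from the Solaris guide: for a login name and a port it reports whether a dial-up password is asked for and which encrypted entry applies. It goes one step beyond the text by treating any applicable entry whose encrypted field is * as one that no typed password can match, not only the lone /usr/bin/sh:*: case; the port names, accounts and hash fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: decide what the dial-up password
# files require for a given login on a given port, following the rules for
# /etc/dialups and /etc/d_passwd described in the text.

# Constructed /etc/dialups: ports that require a dial-up password.
DIALUPS='
/dev/term/a
/dev/term/b
'

# Constructed /etc/d_passwd: shell:encrypted-password: entries. The encrypted
# fields are placeholders, not real crypt(3c) output.
D_PASSWD='
/usr/bin/ksh:$1$dialsalt$kshplaceholder:
/usr/bin/sh:$1$dialsalt$defaultplaceholder:
'

# Constructed /etc/passwd: name:x:uid:gid:gecos:home:shell (carol has no shell).
PASSWD='
alice:x:1001:10:Alice:/home/alice:/usr/bin/ksh
bob:x:1002:10:Bob:/home/bob:/usr/bin/csh
carol:x:1003:10:Carol:/home/carol:
'

# login_shell NAME -> the login shell field for NAME (empty if unset or unknown)
login_shell() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# port_needs_dialup PORT -> true if PORT is listed in dialups
port_needs_dialup() {
    printf '%s\n' "$DIALUPS" | grep -qxF -- "$1"
}

# dpasswd_entry SHELL -> encrypted field of SHELL's d_passwd entry (empty if none)
dpasswd_entry() {
    printf '%s\n' "$D_PASSWD" | awk -F: -v s="$1" '$1 == s { print $2 }'
}

# dialup_requirement NAME PORT -> one of
#   none       the port is not in dialups, so no dial-up password is asked for
#   prompt:H   the user must supply the dial-up password whose encrypted form is H
#   noprompt   no entry matches the shell and there is no /usr/bin/sh default
#   disabled   the applicable entry is '*', which no typed password can match
dialup_requirement() {
    if ! port_needs_dialup "$2"; then
        printf 'none\n'
        return 0
    fi
    shell=$(login_shell "$1")
    entry=""
    if [ -n "$shell" ]; then
        entry=$(dpasswd_entry "$shell")
    fi
    # An empty shell field, or a shell with no entry, falls back to the
    # /usr/bin/sh entry, which holds the default dial-up password.
    if [ -z "$entry" ]; then
        entry=$(dpasswd_entry /usr/bin/sh)
    fi
    if [ -z "$entry" ]; then
        printf 'noprompt\n'
    elif [ "$entry" = '*' ]; then
        printf 'disabled\n'
    else
        printf 'prompt:%s\n' "$entry"
    fi
}

for user in alice bob carol; do
    printf '%-6s on /dev/term/a: %s\n' "$user" "$(dialup_requirement "$user" /dev/term/a)"
done
printf 'alice on /dev/term/c: %s\n' "$(dialup_requirement alice /dev/term/c)"

# With only the locked default entry, every dial-up login is refused.
D_PASSWD='
/usr/bin/sh:*:
'
printf 'bob on /dev/term/a with /usr/bin/sh:*: only: %s\n' "$(dialup_requirement bob /dev/term/a)"
```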
For example, the device policy on network interfaces such as hme requires all privileges for reading or writing. Device allocation uses authorizations to protect peripheral devices, such as printers or microphones. By default, device allocation is not enabled. Once enabled, device allocation can be configured to prevent the use of a device or to require authorization for access to the device. When a device is allocated for use, no other user can access the device until the current user deallocates it.

A Solaris system can be configured in several areas to control access to devices:
■ Set device policy – In the Solaris 10 release, you can require that the process that is accessing a particular device be running with a set of privileges. Processes without those privileges cannot use the device. At boot time, Solaris software configures device policy. Third-party drivers can be configured with device policy during installation. After installation, you, as the system administrator, can add device policy to a device.
■ Make devices allocatable – When you enable device allocation, you can restrict the use of a device to one user at a time. You can further require that the user fulfill some security requirements. For example, you can require that the user be authorized to use the device.
■ Prevent devices from being used – You can prevent the use of a device, such as a microphone, by any user on a computer system. A computer kiosk might be a good candidate for making certain devices unavailable for use.
■ Confine a device to a particular zone – You can assign the use of a device to a non-global zone. For more information, see “Device Use in Non-Global Zones” in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones. For a more general discussion of devices and zones, see “Configured Devices in Zones” in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Device Policy (Overview)

The device policy mechanism enables you to specify that processes that open a device require certain privileges. Devices that are protected by device policy can only be accessed by processes that are running with the privileges that the device policy specifies. The Solaris OS provides default device policy. For example, network interfaces such as hme0 require that the processes that access the interface be running with the net_rawaccess privilege. The requirement is enforced in the kernel. For more information about privileges, see “Privileges (Overview)” on page 184.
In earlier Solaris OS releases, device nodes were protected by file permissions alone. For example, devices owned by group sys could be opened only by members of group sys. In the Solaris 10 release, file permissions do not predict who can open a device. Instead, devices are protected with file permissions and with device policy. For example, the /dev/ip file has 666 permissions. However, the device can only be opened by a process with the appropriate privileges.

The configuration of device policy can be audited. The AUE_MODDEVPLCY audit event records changes in device policy.

For more information about device policy, see the following:

■ “Configuring Device Policy (Task Map)” on page 78
■ “Device Policy Commands” on page 91
■ “Privileges and Devices” on page 191
Device Allocation (Overview)

The device allocation mechanism enables you to restrict access to a peripheral device, such as a CD-ROM. You manage the mechanism locally. If device allocation is not enabled, peripheral devices are protected only by file permissions. For example, by default, peripheral devices are available for the following uses:

■ Any user can read and write to a diskette or CD-ROM.
■ Any user can attach a microphone.
■ Any user can access an attached printer.

Device allocation can restrict a device to authorized users. Device allocation can also prevent a device from being accessed at all. A user who allocates a device has exclusive use of that device until the user deallocates the device. When a device is deallocated, device-clean scripts erase any leftover data. You can write a device-clean script to purge information from devices that do not have a script. For an example, see “Writing New Device-Clean Scripts” on page 98.

Attempts to allocate a device, deallocate a device, and list allocatable devices can be audited. The audit events are part of the ot audit class.

For more information on device allocation, see the following:

■ “Managing Device Allocation (Task Map)” on page 81
■ “Device Allocation” on page 92
■ “Device Allocation Commands” on page 93

Controlling Access to Machine Resources

As system administrator, you can control and monitor system activity. You can set limits on who can use what resources. You can log resource use, and you can monitor who is using the resources. You can also set up your machines to minimize improper use of resources.

Limiting and Monitoring Superuser

Your system requires a root password for superuser access. In the default configuration, a user cannot remotely log in to a system as root. When logging in remotely, a user must log in with the user’s user name and then use the su command to become root.
You can monitor who has been using the su command, especially those users who are trying to gain superuser access. For procedures that monitor superuser and limit access to superuser, see “Monitoring and Restricting Superuser (Task Map)” on page 72.
Configuring Role-Based Access Control to Replace Superuser

Role-based access control, or RBAC, is designed to limit the capabilities of superuser. Superuser, the root user, has access to every resource in the system. With RBAC, you can replace root with a set of roles with discrete powers. For example, you can set up one role to handle user account creation, and another role to handle system file modification. When you have established a role to handle a function or set of functions, you can remove those functions from root’s capabilities.

Each role requires that a known user log in with their user name and password. After logging in, the user then assumes the role with a specific role password. As a consequence, someone who learns the root password has limited ability to damage your system. For more on RBAC, see “Role-Based Access Control (Overview)” on page 175.

Preventing Unintentional Misuse of Machine Resources

You can prevent yourself and your users from making unintentional errors in the following ways:

■ You can keep from running a Trojan horse by correctly setting the PATH variable.
■ You can assign a restricted shell to users. A restricted shell prevents user error by steering users to those parts of the system that the users need for their jobs. In fact, through careful setup, you can ensure that users access only those parts of the system that help the users work efficiently.
■ You can set restrictive permissions on files that users do not need to access.

Setting the PATH Variable

You should take care to correctly set the PATH variable. Otherwise, you can accidentally run a program that was introduced by someone else. The intruding program can corrupt your data or harm your system. This kind of program, which creates a security hazard, is referred to as a Trojan horse. For example, a substitute su program could be placed in a public directory where you, as system administrator, might run the substitute program.
Such a script would look just like the regular su command. Because the script removes itself after execution, you would have little evidence to show that you have actually run a Trojan horse.

The PATH variable is automatically set at login time. The path is set through the startup files: .login, .profile, and .cshrc. When you set up the user search path so that the current directory (.) comes last, you are protected from running this type of Trojan horse. The PATH variable for superuser should not include the current directory at all.
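An added POSIX sh check (not from the Solaris guide or from ASET) for the PATH rule above: it classifies a PATH value by where any current-directory entry sits, accepts a trailing one for ordinary users, and rejects any such entry for root. It goes beyond the text in also treating an empty entry (::, or a leading or trailing colon) and any relative entry as the current directory; the .profile contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: check PATH values against the
# rule that '.' may appear only last for ordinary users and not at all for
# superuser. An empty entry ('::', a leading or trailing ':') and any relative
# entry also resolve to the current directory, so they are treated like '.'.

# path_risk PATH -> ok | cwd-last | cwd-not-last
#   ok            no current-directory entry
#   cwd-last      exactly one, and it is the last entry searched
#   cwd-not-last  a current-directory entry is searched before some other one
path_risk() {
    rest="$1:"          # terminating ':' so a trailing empty entry is not lost
    total=0
    cwd_count=0
    first_cwd=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        total=$((total + 1))
        case "$entry" in
            ''|.|[!/]*)     # empty, '.', or relative: the current directory
                cwd_count=$((cwd_count + 1))
                if [ "$first_cwd" -eq 0 ]; then first_cwd=$total; fi
                ;;
        esac
    done
    if [ "$cwd_count" -eq 0 ]; then
        printf 'ok\n'
    elif [ "$cwd_count" -eq 1 ] && [ "$first_cwd" -eq "$total" ]; then
        printf 'cwd-last\n'
    else
        printf 'cwd-not-last\n'
    fi
}

# path_ok PATH ROLE -> true if PATH is acceptable for ROLE ("user" or "root")
path_ok() {
    case "$(path_risk "$1")" in
        ok)       return 0 ;;
        cwd-last) [ "$2" != root ] ;;
        *)        return 1 ;;
    esac
}

# profile_paths TEXT -> the value of each 'PATH=' or 'export PATH=' assignment
# in a Bourne-style startup file, with surrounding double quotes removed.
profile_paths() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(export[ \t]+)?PATH=/ {
            sub(/^[ \t]*(export[ \t]+)?PATH=/, "")
            gsub(/"/, "")
            print
        }'
}

# Constructed .profile contents for an ordinary user and for root.
USER_PROFILE='
PATH=/usr/bin:/usr/sbin:.
export PATH
'
ROOT_PROFILE='
export PATH="/usr/sbin:/usr/bin::/usr/openwin/bin"
'

for value in $(profile_paths "$USER_PROFILE"); do
    printf 'user PATH %-40s %s\n' "$value" "$(path_risk "$value")"
done
for value in $(profile_paths "$ROOT_PROFILE"); do
    if path_ok "$value" root; then verdict=ok; else verdict=REJECT; fi
    printf 'root PATH %-40s %s (%s)\n' "$value" "$(path_risk "$value")" "$verdict"
done
```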
The Automated Security Enhancement Tool (ASET) examines the startup files to ensure that the PATH variable is set up correctly. ASET also ensures that the PATH variable does not contain a dot (.) entry.

Assigning a Restricted Shell to Users

The standard shell allows a user to open files, execute commands, and so on. The restricted shell limits the ability of a user to change directories and to execute commands. The restricted shell is invoked with the /usr/lib/rsh command. Note that the restricted shell is not the remote shell, which is /usr/sbin/rsh. The restricted shell differs from the standard shell in the following ways:

■ The user is limited to the user’s home directory, so the user cannot use the cd command to change directories. Therefore, the user cannot browse system files.
■ The user cannot change the PATH variable, so the user can use only commands in the path that is set by the system administrator. The user also cannot execute commands or scripts by using a complete path name.
■ The user cannot redirect output with > or >>.

The restricted shell enables you to limit a user’s ability to stray into system files. The shell creates a limited environment for a user who needs to perform specific tasks. The restricted shell is not completely secure, however, and is only intended to keep unskilled users from inadvertently doing damage. For information about the restricted shell, use the man -s1m rsh command to see the rsh(1M) man page.

A more secure alternative to the restricted shell is the ssh command in Solaris Secure Shell. Solaris Secure Shell enables users to securely access a remote host over an unsecured network. For information about using Solaris Secure Shell, see Chapter 19.

Restricting Access to Data in Files

Because the Solaris OS is a multiuser environment, file system security is the most basic security risk on a system. You can use traditional UNIX file protections to protect your files.
You can also use the more secure access control lists (ACLs). You might want to allow some users to read some files, and give other users permission to change or delete some files. You might have some data that you do not want anyone else to see. Chapter 6 discusses how to set file permissions.
Restricting setuid Executable Files

Executable files can be security risks. Many executable programs have to be run as root, that is, as superuser, to work properly. These setuid programs run with the user ID set to 0. Anyone who is running these programs runs the programs with the root ID. A program that runs with the root ID creates a potential security problem if the program was not written with security in mind.

Except for the executables that Sun ships with the setuid bit set to root, you should disallow the use of setuid programs. If you cannot disallow the use of setuid programs, then you should at least restrict their use. Secure administration requires few setuid programs. For more information, see “Preventing Executable Files From Compromising Security” on page 130. For procedures, see “Protecting Against Programs With Security Risk (Task Map)” on page 143.

Using the Automated Security Enhancement Tool

The ASET security package provides automated administration tools that enable you to control and monitor your system’s security. ASET provides three security levels: low, medium, and high. You specify an ASET security level. At each higher level, ASET’s file-control functions increase to reduce file access and tighten your system’s security. For more information, see Chapter 7.

Using the Solaris Security Toolkit

While ASET can be used to make a small number of security changes to a system, the Solaris Security Toolkit provides a flexible and extensible mechanism to minimize, harden, and secure a Solaris system. The Solaris Security Toolkit, informally known as the JASS toolkit, is a tool that enables the user to perform security modifications to a system. The tool can provide a report on the security status of a system. The tool also has the ability to undo previous runs of the tool. The JASS toolkit can be downloaded from the Sun web site, http://wwws.sun.com/security/jass. The web site contains pointers to online documentation.
The toolkit is described in detail in Securing Systems with the Solaris Security Toolkit, by Alex Noordergraaf and Glenn Brunette, ISBN 0-13-141071-7, June 2003. The book is part of the Sun BluePrints Series, which is published by Sun Microsystems Press.
Using Solaris Resource Management Features

Solaris software provides sophisticated resource management features. Using these features, you can allocate, schedule, monitor, and cap resource use by applications in a server consolidation environment. The resource controls framework enables you to set constraints on system resources that are consumed by processes. Such constraints help to prevent denial-of-service attacks by a script that attempts to flood a system’s resources.

With Solaris resource management features, you can designate resources for particular projects. You can also dynamically adjust the resources that are available. For more information, see Part I, “Resource Management,” in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Using Solaris Zones

Solaris zones provide an application execution environment in which processes are isolated from the rest of the system within a single instance of the Solaris OS. This isolation prevents processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process running with superuser capabilities cannot view or affect activity in other zones.

Solaris zones are ideal for environments that place several applications on a single server. For more information, see Part II, “Zones,” in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Monitoring Use of Machine Resources

As a system administrator, you need to monitor system activity. You need to be aware of all aspects of your machines, including the following:

■ What is the normal load?
■ Who has access to the system?
■ When do individuals access the system?
■ What programs normally run on the system?

With this kind of knowledge, you can use the available tools to audit system use and monitor the activities of individual users. Monitoring is very useful when a breach in security is suspected.
For more information on the auditing service, see Chapter 27.

Monitoring File Integrity

As a system administrator, you need assurance that the files that were installed on the systems that you administer have not changed in unexpected ways. In large installations, a comparison and reporting tool about the software stack on each of your systems enables you to track your systems. The Basic Audit Reporting Tool (BART)
  • 67. The man swore. “What ails ye, drat yer?” he growled. Then he released the docile animal and turned his attention to the other. To his astonishment, the creature was fierce as a raging lion. It charged on him repeatedly, and he escaped only by the utmost nimbleness. It squealed, and whirled, and kicked in all directions. Apparently it fancied a thousand men were trying to capture it, and its wild gyrations were exceedingly surprising, to say the least. After a little, the man ran away when he found the opportunity and stood at a distance, with his hands on his hips, watching the cavorting creature. “The dinged hoss is sure crazy!” he declared. “Why, its a-trying to chew itself up, or kick itself to pieces. Never see but one critter act that way before.” “It’s locoed,” said Abe to the man with him. Immediately this man called to his companion, saying: “Let the beast alone. The kid says it’s locoed, and ef that’s so, I reckon it’s no good to anybody.” “Never see no locoed horse feed nateral like this one was,” returned the other. “I opines the critter is just ugly, that’s all.” But, suddenly uttering snorts and squeals, the horse went dashing off into the distance, as if pursued by some frightful thing. Nor did it stop until it had disappeared far, far away.
  • 69. CHAPTER XXI. THE LOTTERY OF DEATH. Men were lying about on the ground, sleeping where they had dropped. Picketed horses were grazing at a little distance. The most of the men slept heavily, but one or two routed up as the guards brought the boy and girl and the captured horse to the bivouac. “Whatever has you there?” growlingly asked one of the men who had awakened. “Some lost children we finds near yere,” was the answer. Macklyn Morgan, wrapped in his blanket, had also awakened. His curiosity was aroused, and he flung off the blanket and got up. “Children!” he said. “How does it happen that there are children in this wretched region?” One of the men explained how he had heard the sound of the fiddle, which had led them to the boy and girl. He also repeated Abe’s story, adding that it sounded “fishy.” The interest of Morgan was redoubled at once. He immediately turned his attention to the hunchback. “Going to Flagstaff to meet Frank Merriwell’s brother, did you say?” he questioned, attempting a kindly manner. “Seems to me that was rather a crazy undertaking, my lad. And what is Frank Merriwell’s brother doing in Flagstaff?”
  • 70. “He jest said he was going there on his way to Californy,” declared Abe, trying to stick to his original story and make it seem consistent. “We hope to see him there.” Felicia was silent; but she felt that Abe’s yarn was not believed by the men. “How did you happen to know this Dick Merriwell?” questioned Morgan. Abe started to reply, but faltered and stammered a little, whereupon Felicia quickly said: “I am his cousin.” Instantly the man’s interest was redoubled. “His cousin, eh?” he exclaimed. “Now we’re getting at it. Curtis, start a fire. I want to look these children over.” While the man thus ordered was complying Morgan continued to question the girl and boy, but now his interest seemed centred in Felicia. “So you are also the cousin of Frank Merriwell?” he said. “Tell me more about these two Merriwells. I have heard of Frank Merriwell, and I consider him a most excellent young man. I admire him very much.” He endeavored to make his words sound sincere, but little Abe fancied there was a false ring in them. “You know Dick is Frank’s half-brother, sir,” said the girl. “He attends school in the East. I was at school in the same place once, but the climate didn’t agree with me, and so Frank sent me West for my health.” “Have you seen him lately?” “Yes, sir.”
  • 71. “When?” “In Prescott, a few days ago. He was there, but some bad men made a lot of trouble for him and he left.” “This boy is your brother?” asked Morgan, indicating Abe. “Why, yes, sir!” broke in Abe, quickly, seeing that Felicia would soon be trapped. “I am a sort of brother; an adopted brother, you know.” “Oh, that’s it?” said Morgan. “But if you were living on a ranch down on the Rio Verde, how did you happen to be in Prescott when Frank Merriwell was there?” “Why, we jest went there. Dad he took us there,” hastily asserted the hunchback, seeking to maintain the original deception. “Is that true?” asked Morgan of Felicia. She was silent. “Of course it’s true!” indignantly exclaimed the boy. “It seems to me that you are somewhat mixed, my child. Now, I advise you to trust me. It will be the best thing you can do. I advise you to tell me the truth. At this time we’re on our way to join Frank Merriwell and help him to defend his new mines. He has many enemies, you know. We might take you directly to him.” “Oh, splendid!” exclaimed the girl, all her suspicions disarmed. “Frank will be so glad! We thought, perhaps, you might be his enemy; that’s why we were afraid of you.” Macklyn Morgan forced a laugh, which he tried to make very pleasant and reassuring. “You see how wrong you were,” he said. “You see now that it’s a mistake to try to deceive me. It’s best to tell me the truth and nothing else. This story about living on a ranch—how about it?”
  • 72. “Oh, Abe told you that when he thought you must be Frank’s enemy,” said Felicia. “Then it wasn’t quite true?” “No, no.” “And you were not on your way to Flagstaff to meet Dick Merriwell there?” “No; we left Prescott in company with Dick and some friends, who were on their way to join Frank.” Felicia hastened on and told the entire story. Abe listened in doubt as to the wisdom of this, shaking his head a little, but remaining silent. “Now we’re getting at the facts,” smiled Morgan, as the fire was started and its light fell on his face. “It’s much better for us all.” He had assumed a free, benevolent, kindly expression, and to the girl it seemed that he could not be deceiving them. Morgan continued to question her until at length he learned everything he desired. “Now, my child,” he said, “just you rest easy. We will soon join Frank Merriwell, and, of course, this brother of his with his friends will arrive all right in due time.” Morgan then stepped over to where one of the sleeping men lay and aroused him. “Wake up, Hackett,” he said, in a low tone. “Something mighty important has taken place.” He then told the man what had happened, and Hackett listened attentively. “It seems to me,” he said, “that these yere kids are going to be an incumbrance on us.”
  • 73. “That’s where you’re wrong,” asserted Morgan. “With the aid of these children we ought to be able to bring Frank Merriwell to some sort of terms.” “I don’t see how, sir.” “Why, it’s plain he thinks a lot of this girl. We have her. If that doesn’t trouble him some, I am greatly mistaken.” “Mebbe you’re right,” nodded Hackett. “I reckon I begin to see your little game, Mr. Morgan. Let me look these yere kids over some.” He arose and proceeded to the fire, in company with Morgan, who cautioned him, however, to say little to the boy and girl, fearing Hackett might make some observation that would betray the truth. “She’s some pretty, sir,” said Gad, admiring Felicia; “though she’s nothing but a kid. I reckon she makes a stunner when she gits older.” “Hush!” said Morgan. “That’s nothing to you.” “Oh, I has an eye for female beauty!” grinned Hackett. “It’s nateral with me.” Suddenly, to their surprise, without the least warning, a man seemed to rise from the ground a short distance away and walk straight toward the fire. Hackett had his pistol out in a twinkling, but he stood with mouth agape as he saw the newcomer was an old Indian, about whose shoulders a dirty red blanket was draped. It was Felicia, however, who was the most surprised, and a cry left her lips, for she recognized old Joe Crowfoot. Even as she uttered that cry the eyes of the old redskin shot her a warning look that somehow silenced her. Without giving Hackett as much as a glance, old Joe walked up to the fire, before which he squatted, extending his hands to its warmth. “Well, dern me, if that don’t beat the deck!” growled Hackett. “These yere red wards of the government are a-getting so they makes
  • 74. theirselves to home anywhere. And you never knows when they’re around. Now, this yere one he pops right out o’ the ground like.” Then he turned savagely on Joe. “What are you prowling around yere for, you old vagrant?” he demanded threateningly. “Who are you?” Crowfoot rolled his little beady eyes up at the man. “Heap flying bird,” he answered. “Go through air; go everywhere. Go through ground. White man did him see red snake with horse’s head? Injun ride on red snake like the wind.” “What’s this jargon?” muttered Morgan. “Hark!” warned the Indian, lifting a hand. “You hear the flying lizard sing? See that big one up there. See um great green eyes.” Then he stared straight upward, as if beholding something in the air. Involuntarily both men looked upward, but they saw nothing above them save the stars of the sky. Felicia, who knew old Joe very well, was more than astonished by his singular manner and remarkable words. Her first impulse had been to spring up and greet him joyously, but the look from his black eyes had stopped her. Now, as if she were a total stranger to him, he gave her no attention. Suddenly he thumped himself on the breast with his clinched fist. “Injun him all iron!” he declared. “Him like pale-face iron horse. When sun he comes up again Injun he go on white man’s iron track. He blow smoke and fire and shriek same as iron horse.” “Well, bat me, if the old whelp ain’t daffy!” exclaimed Hackett. “He’s plumb off his nut, sure as shooting.” “When Injun him lay down to sleep,” said Crowfoot, “many stars come and jump like antelope over him. No let him sleep. Him try to
  • 75. scare um away, but star no scare. Bimeby Injun he get sick. He get up and run away. Then star chase um Injun.” “You’re right, Hackett,” said Morgan, “He’s loony, for a fact.” At this point one of the guards came walking up to the fire. The moment his eyes fell on Crowfoot he uttered a shout that instantly aroused every one of the sleeping men. “By the great horn toads!” he exploded savagely; “that’s the old skunk what drugged the whole bunch of us when Pete Curry nabbed us! Whatever is he doing here?” Without even looking up, Crowfoot began to chant a strange, doleful song in his own language. “The boys will certain salivate him,” asserted the guard, as the men were rising and approaching the fire. Old Joe apparently heard nothing and saw nothing. That singular chant continued. “He is dead loony,” said Hackett. “Then mebbe he’s been taking some of his own dope,” growled the guard. “The boys will knock some o’ his looniness out o’ him, you bet!” As the men gathered around, a number of them recognized the aged redskin, and immediately there was a great commotion. Several drew their weapons, and it seemed that Joe would be murdered on the spot. With a scream of terror, Felicia flung herself before the old man, to whom she clung. “No! no! no!” she cried. “You shall not hurt him!” In the excitement old Joe whispered in her ear: “Keep still, Night Eyes. Um bad men no hurt Joe. Him touched by Great Spirit. Nobody hurt um man touched by Great Spirit.”
  • 76. This, then, was the old fellow’s scheme. This explained how it happened that he dared venture into the nest of desperadoes. Among the Indians of all tribes a deranged man is regarded with awe as one who has felt the touch of the Great Spirit. No redskin will harm a deranged person, believing the vengeance of the Great Father must fall on whoever does such a thing. Shrewd as he was, Crowfoot had not yet discovered that palefaces did not regard crazed people with such a feeling of awe. “Take the girl away,” roared several of the men. “Let us settle with the old Injun.” If Morgan thought of interfering, he was too late, for rude hands seized Felicia and dragged her away, in spite of her struggles. She cried and pleaded, but all her efforts were useless. Crowfoot paid no attention to her, nor did he heed the threatening weapons in the hands of the ruffians. Rising to his feet, he did a solemn dance around the fire, at the same time continuing his doleful chant. “That yere certain is a death dance for him,” muttered Hackett, who realized that the men were aroused to a pitch at which they would insist on wiping the fellow out. “The black moon him soon come up,” said Joe, standing with one hand outstretched as he finished his dance. “Then we see spirits of many dead warriors chase um buffalo over it.” “You will have a chance to take a chase with the rest o’ the bunch,” snarled one of the men. “Stand back, boys, and watch me cook him.” “Hold on!” cried another, catching the man’s wrist. “I opine I am in this yere.” Immediately an argument arose as to which of them should have the satisfaction of killing the Indian who had once fooled them so thoroughly. While this was taking place Joe continued, apparently oblivious of his danger, talking of flying horses and a dozen other
  • 77. impossible creatures. He must have realized that his apparent madness was making no impression on these men, but he seemed determined to play the game through to the finish. At length, he squatted again beside the fire, resuming his doleful chant. By this time it had been settled that some one of the party should have the privilege of shooting the Indian, for it was agreed that to waste a number of bullets on him was folly. There was some discussion as to the manner of choosing the slayer, but the desperadoes finally decided on drawing lots. Hackett, who took no part in this demand for the Indian’s life, was chosen to prepare the lots, which he did. Then the men eagerly pressed forward to draw. The one who drew the shortest piece was to be the “fortunate” individual. All the while Crowfoot was guarded by men with drawn and ready weapons. Had he made an effort to get away he would have been riddled immediately. Finally the lots were compared, and a half-blood Mexican, with leathery skin, drooping mustache, deep-furrowed face, and matted black hair, was the one who held the shortest piece. He laughed as he displayed it. “Stand back!” he cried, flashing a pistol and striding forward to within four paces of the Indian. “I will settle him with one piece of lead.” Then, as this wretch lifted his weapon, old Joe realized at last that his game had failed utterly. There was no escape for him. His long life had led him at last to this, and he believed he stood at the gateway of the happy hunting grounds. Had there been hope of escape he would have made the attempt. Now, as he still crouched by the fire, he drew his red blanket over his head, and from beneath its muffling folds came the sad and doleful chant of the redman’s death song. The executioner stood fair and full in the firelight. He brought his weapon to a level and a shot rang out. It was not he, however, who
  • 78. fired. From somewhere near at hand a report sounded, and the pistol flew from his hand as the bullet tore through his forearm. A yell of pain escaped his lips. Instantly the ruffians were thrown into the utmost confusion. Feeling that they were about to be attacked, they hastened to get away from the fire, the light of which must betray them to the enemy. In spite of his age, like a leaping panther, old Joe shot to his feet. With one hand he seized little Abe, whom he snatched clear of the ground. And the next instant the old savage was running for his life. Two or three shots were fired, but in the excitement Crowfoot was untouched. They were given no further time to turn their attention on him. From out of the shadows came a single horseman, bearing straight down upon them, his weapons flashing. The recklessness of this charge and the astounding suddenness with which it came was too much for the nerves of those men. Felicia had been released by the man who was holding her as the first shot was fired. This man pulled a weapon and fired once at the shadowy horseman, after which he ran like a frightened antelope, for a screaming bullet had cut his ear. It seemed that the horseman meant to ride Felicia down. In her fear she stood still, as if turned to stone, which was the best thing she could have done. As he swept past her, the rider swung low to one side in the saddle, and somehow one strong young hand grasped her and snatched her from the ground. She felt herself lifted with such suddenness that her breath seemed snapped away, and then she lay across the horse in front of the rider, who now bent low over her. Bullets whined, and whistled, and sang about them, but some good fairy must have guarded them, for they were untouched. On they went. The sounds of irregular shooting fell farther and farther behind them.
  • 79. Felicia had not fainted, although her senses swam and she seemed on the verge of losing consciousness. She could not understand just what had taken place. Suddenly her rescuer began to laugh, and a strange, wild, boyish laugh it was. It thrilled her through and through. “Dick!” she gasped. “Oh, Dick!” He straightened up and lifted her, holding her before him with one strong arm. “Felicia!” he exclaimed, “are you hurt?” “Oh, Dick! Dick!” she repeated, in wonder. “And is it you?” “You are not hurt?” he persisted in questioning. “No, Dick—no.” “Thank goodness!” “But how was it? My head is swimming; I can’t understand. I am dazed.” “Well, I fancy I dazed those fine gentlemen a little,” said the boy. “Felicia, I have been searching, searching everywhere for you. We followed your trail as well as we could. When night came we had not found you. I couldn’t rest. What fate it was that led me to those ruffians I cannot say, but I believe the hand of Heaven was in it. In their excitement over Crowfoot none of them heard my approach. I was quite near when that brute lifted his weapon to shoot Joe. I didn’t want to kill him, and I fired at his arm. It was a lucky shot, for I hit him. He stood between me and the firelight, so that the light fell on the barrel of my pistol. Crowfoot took his cue quickly enough, for I saw him scamper.” “How brave you are! How brave you are!” murmured the girl, in untold admiration. “Oh, Dick, I can’t believe it now.”
  • 80. “It was not such a brave thing, after all,” he said. “I suppose most people would call it folly. But I had to do it. Why, old Joe saved my life a dozen times when I used to hunt with him years ago. He loved me as a father might love a son. You see it was impossible for me to keep still and see him murdered. I had to do something to save him. He can hide like a gopher on the open plain.” “But Abe, Dick—Abe?” “I saw Crowfoot snatch him up as he ran. We must leave Abe to old Joe.” “Listen, Dick! Are they pursuing us?” “We have the start on them, Felicia, and I don’t believe they will be able to overtake us if they try it.” Through the night they rode. At the first opportunity Dick turned from his course and doubled in a manner intended to baffle the pursuers. “It will be a long pull back to Bart and the others, Felicia,” he said; “but I think we can make it all right. For all of the time I have spent at school, I have not forgotten the lessons taught me by Crowfoot when I was a mere kid. He taught me to set my course by the stars, the wind, the trees, by a score of things. To-night our guide shall be the stars.” Brad Buckhart was worried and troubled greatly over Dick’s long absence, and was on guard where they had camped as night fell. The Texan tramped restlessly up and down, now and then pausing to listen. The others slept. Wiley snored lustily and muttered in his sleep. “Avast, there!” he mumbled. “Put her to port, you lubber!” Then, after snoring again in the most peaceful manner, he broke out:
  • 81. “Right over the corner of the pan, Breck, old boy. Let’s see you make a home run off that bender!” Brad moved still farther away that he might listen without being disturbed by the sailor. Far in the night he seemed to hear a sound. Kneeling, he leaned his ear close to the ground and listened attentively. “Horseman coming,” he decided. “It must be Dick—it must be!” Finally the hoofbeats of the approaching horse became more and more distinct. Then through the still, clear night came a clear, faint whistle. “Dick it is!” exclaimed the Texan joyously. Dick it was, and with him he brought Felicia safely back to them. They did not arouse the others, but she was wrapped in blankets and left to sleep, if possible, through the remainder of the still, cool night. Young Merriwell’s story filled the Texan with unbounded astonishment and admiration. He seized Dick’s hand and shook it with almost savage delight. “Talk about a howling terror on ten wheels!” he exclaimed. “Why, you simply beat the universe. You hear me gurgle! Now you just turn in, for I reckon you’re a whole lot pegged out.” “Well, sleep won’t hurt me if I can corral some of it,” acknowledged Dick. Brad continued to stand guard, thinking that later he would arouse one of the others to take his place. His restlessness and worry had passed somewhat, and after a time he sat down, thinking over the startling things that had happened. It was thus that, exhausted more than he knew, he finally slid to the ground and also slept. The night passed without any of them being disturbed. But in the morning the first man to awaken was Pete Curry, who sat up, rubbing his eyes, and uttered a shout of astonishment. The remaining sleepers awoke and started up.
  • 82. What they saw astounded them no less than it had Curry, for on the ground near at hand lay little Abe, with Joe Crowfoot’s dirty red blanket tucked about him, and within three feet sat the redskin, calmly and serenely smoking his pipe. Dick flung off his blanket and was on his feet in a twinkling. “Crowfoot!” he joyously cried, rushing forward with his arms outstretched. For one who complained of rheumatism and advancing age the redskin rose with remarkable quickness. Usually stolid and indifferent in manner, the look that now came to his wrinkled, leathery face was one of such deep feeling and affection that it astounded every one but himself. The old man clasped Dick in his arms as a father might a long-lost son. To Curry and his companions this was a most singular spectacle. Curry had seized a weapon on discovering Crowfoot. He did not use it when the old fellow remained silent and indifferent after his shout of astonishment and alarm. That the boy should embrace the Indian in such an affectionate manner seemed almost disgusting to Curry and his assistants, all three of whom held Indians in the utmost contempt. For a moment it seemed that the old man’s heart was too full for speech. Finally, with a strange tenderness and depth of feeling in his voice, he said: “Injun Heart, Great Spirit heap good to old Joe! He let him live to see you some more. What him eyes see make him heart swell with heap big gladness. Soon him go to happy hunting ground; now him go and make um no big kick ’bout it.” “Joe, I have longed to see you again,” declared Dick, his voice unsteady and a mist in his eyes. “Sometimes my heart has yearned for the old days with you on the plains and amid the mountains. I have longed to be with you again, hunting the grizzly, or sleeping in the shade by a murmuring brook and beneath whispering trees. Then you taught me the secrets of the wild animals and the birds. I have forgotten them now, Joe. I can no longer call the birds and tiny
  • 83. animals of the forest to me. In that way I am changed, Joe; but my heart remains the same toward you, and ever will.” Now the old redskin held Dick off by both shoulders and surveyed him up and down with those beady eyes, which finally rested on the boy’s handsome face with a look of inexpressible admiration. “Heap fine! Heap fine!” said the old man. “Joe him know it. Joe him sure you make great man. Joe him no live to see you have whiskers on um face, but you sure make great man. Joe him getting heap close to end of trail. Rheumatism crook him and make um swear sometime.” “Don’t talk about getting near the end of the trail, Crowfoot,” laughed Dick, whose heart was full of delight over this meeting. “You old hypocrite! I saw you last night! I saw you when you took to your heels after I perforated the gentleman who contemplated cutting your thread of life short. Rheumatism! Why, you deceptive old rascal, you ran like a deer! If your rheumatism was very bad, you couldn’t take to your heels in that fashion.” Crowfoot actually grinned. “Injun him have to run,” he asserted. “Bullets come fast and thick. If Injun him run slow mebbe he get ketched by bullet.” Little Abe had risen on one elbow, the blanket falling from his shoulders, and watched the meeting between Dick and the old savage. Felicia also was awakened, and now she came hastening forward, her dark eyes aglow and a slight flush in her delicate cheeks. “Joe! Joe! have you forgotten me?” she asked. The redskin turned at once and held out his hands to her. “Night Eyes,” he said, with such softness that all save Dick and Felicia were astonished, “little child of silent valley hid in mountains, next to Injun Heart, old Joe him love you most. You good to old Joe.
  • 84. Long time ’go Joe he come to valley hid in mountains and he sit by cabin there. He see you play with Injun Heart. Warm sun shine in valley through long, long day. All Joe do he smoked, and sat, and watched. Bimeby when Night Eyes was very tired she come crawling close up side old Joe and lean her head ’gainst Joe, and sleep shut her eyes. Then old Joe him keep still. When Injun Heart he come near old Joe, him say, ‘Sh-h!’ He hold up his hand; he say, ‘Keep much still.’ Then mebbe Night Eyes she sleep and sleep, and sun he go down, and birds they sing last good-night song, and stars shine out, and old Joe him sit still all the time. Oh, he no forget—he no forget!” Somehow the simple words of the old redskin brought back all the past, which seemed so very, very far away, and tears welled from Felicia’s eyes. “Oh, those were happy days, Joe—happy days!” she murmured. “I fear I shall never be so happy again—never, never!” “Oh, must be happy!” declared the old fellow. “Dick him make um Night Eyes happy. Him look out for Night Eyes.” “Just the same,” she declared, “I would give anything, anything, to be back in that valley now, just as I was long, long ago.” With his head cocked on one side, Cap’n Wiley had been watching the meeting between the Indian and his young friends. Wiley now turned to Buckhart and remarked: “I am learning extensively in this variegated world. As the years roll on my accumulation of knowledge increases with susceptible rapidity. Up to the present occasion I have been inclined to think that about the only thing a real Injun could be good for was for a target. It seems to my acute perception that in this immediate instance there is at least one exception to the rule. Although yonder copper-hued individual looks somewhat scarred and weather-beaten, I observe that Richard Merriwell hesitates in no degree to embrace him. Who is the old tike, mate?”
  • 85. “Why, old Joe Crowfoot!” answered Brad. “The only Indian I ever saw of his kind.” Immediately Wiley approached old Joe, walking teeteringly on the balls of his feet, after his own peculiar fashion, made a salute, and exclaimed: “I salute you, Joseph Crowfoot, Esquire, and may your shadow never grow less. May you take your medicine regularly and live to the ripe round age of one hundred years. Perhaps you don’t know me. Perhaps you haven’t heard of me. That is your misfortune. I am Cap’n Wiley, a rover of the briny deep and a corking first-class baseball player. Ever play baseball, Joe, old boy? It’s a great game. You would enjoy it. In my mind’s eye I see you swing the bat like a war club and swat the sphere hard enough to dent it. Or perchance you are attempting to overhaul the base runner, and I see him fleeing wildly before you, as if he fancied you were reaching for his scalp locks.” “Ugh!” grunted old Joe. “No know who um be; but know heap good name for um. Joe he give you name. He call you Wind-in-the-head.” At this the others, with the exception of Wiley himself, laughed outright. The sailor, however, did not seem at all pleased. “It’s plain, Joseph,” he observed, “that you have a reckless little habit of getting gay occasionally. Take my advice and check that habit before it leads you up against a colossal calamity.” “Wind-in-the-head he talk heap many big words,” said the Indian. “Mebbe sometime he talk big words that choke him.” “That’s a choke, Wiley,” laughed Dick. “And that certainly is the worst pun it has ever been my misfortune to hear,” half sobbed the sailor. “One more like that would give me heart failure. Did you ever hear of the time I had heart failure in that baseball game with the Cleveland Nationals? Well, mates, it was——”