> > Can I please ask for the 20Q document to be reposted in ASCII text
> > so that it is easier for to quote and comment on it?
[ taking psarc at sun.com off the mail as it is included in psarc-ext.
This should stop the case log getting two copies of mail.]
> 5. What are the security implications of this project? (Gary Winiger to
> expand).
> 9. Is systems administration needed for your project? If so,
>
> * How is the project administered, and what sort of review process has
> this user
> interface undergone?
> * Is there a means of aggregating management and/or configuration with
> other related
> projects?
> * Are there any external (to Solaris) management interfaces to consider,
> or being
> consumed?
As I commented in ARC business today, here are my proposals for updates to
the 20 Questions. The part noted as References or Appendix should be
placed by the editor as appropriate. I'll try to update it soon with
a short summary of what's in the specific policy/best practice and/or
were it might be applicable. Are there other policies/best practices
that should be added for example interface taxonomy and release binding?
There are two cases referenced that I need to finish redacting. I should
do that even if their references don't make the editorial cut ;-)
The stuff enclosed in '[' ']' is intended for editor choice.
Gary..
==============================================================================
5. Security.
Projects need to be aware of the overall security of the system and how
their components affect it. Which parts of this project are critical
to the security of the system to avoid such unintended consequences
as unauthorized system entry, unauthorized access to or modification of
data, elevation of privilege, denial of service, ...?
A number of specific policies and practices address various aspects of
the security of the system. They are found in [the references or appendix
below]. Which of them are applicable to this project and how does this
project address them?
================================================================================
9. System Administration.
Projects that require or deliver administrative interfaces are often by
their nature security components of the system and should likely address
the Security question [with attention to RBAC and Audit].
Does this project require administration (i.e., configuration or management)?
Where does its administration fit other related projects?
Does it consume any external administrative/management interfaces?
Does this project deliver its own administration along with the other
components? Is this project an administration interface for other projects?
If so, how is administration (configuration/management) addressed?
==============================================================================
References or Appendix:
Some specific security policy references are:
-------
Plugable Authentication Modules
http://opensolaris.org/os/community/arc/policies/PAM/
Audit Policy
http://opensolaris.org/os/community/arc/policies/audit-policy/
Service Management Facility (SMF) usage
http://opensolaris.org/os/community/arc/policies/SMF-policy/
Install-Time Security
http://opensolaris.org/os/community/arc/policies/ITS/
Network Install-Time Security
http://opensolaris.org/os/community/arc/policies/NITS-policy/
Secure - by - Default
http://opensolaris.org/os/community/arc/policies/secure-by-default/
-------
Some general security best practice references are:
-------
When to use setuid -vs - RBAC roles and profiles
http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/
Building RBAC Rights Profiles
http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
Adding RBAC Authorizations
http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/
Reusable Passwords in Command Line Arguments and Environment Variables
http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/
Storing Reusable Passwords on a FileSystem
http://opensolaris.org/os/community/arc/bestpractices/passwords-files/
Administrative and Security Precedents and Policies
http://opensolaris.org/os/community/arc/bestpractices/overview-admin-security/
Security Questions
http://opensolaris.org/os/community/arc/bestpractices/security-questions/
-------
Role Based Access Control and Privileges ARC cases are:
-------
RBAC:
http://opensolaris.org/os/community/arc/caselog/1997/332
* PSARC/1997/332 Execution Profiles for Restricted Environments
Need to redact.
Privilege:
http://opensolaris.org/os/community/arc/caselog/2002/188
* PSARC/2002/188 Least Privilege for Solaris
Partially redacted. Need to complete.
