> 2.0 Project Summary
> 2.1 Project Description
>
> This project introduces the package of Openwsman 2.1.0
> into the SFW consolidation.
I'm confused here about a number of things.
* Is this a service and therefore needing to be controlled by SMF? I
see what looks like a possible mention of a service manifest, but no mention
of an FMRI, method context, administrative authorizations, Rights Profiles,
properties such as local_only, .... I'd expect the man page to discuss at
least the FMRI, Rights Profiles and properties.
* The man page states: "openwsmand service can be started only by
a privileged user." In the light of Solaris Privileges, SMF and RBAC
what does this mean?
* The Check List says this project uses PAM and the man page shows:
/etc/pam.d/openwsman:
#%PAM-1.0
auth required pam_unix2.so nullok
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass
use_authtok
session required pam_unix2.so none
None of these PAM modules seem to be delivered by this project and
are otherwise not part of OpenSolaris. Furthermore, the imported interfaces
do not show libpam.
* The imported interfaces appear to show the use of OpenSSL. IIRC,
it's use is contracted. I don't find a mention of the contract.
* This project appears to do authentication, yet I don't see mention
of how that authentication is audited or a discussion why it shouldn't be.
The reference for the Check List auditing section seems to say to me if the
project does authentication, it audits that authentication.
* The Check List says: "The openwsman daemon is sufficiently privileged
to authenticate the wsman client. There will be no request for a password
change coming in over the wire via WS-Man." With Solaris Privileges, what
does "sufficiently privileged ..." mean? If there is no password change over
the wire, how exactly are passwords managed? htpasswd/htdigest do not appear
to be part the imported interfaces.
* The Check List says: "If the openwsman daemon is configured to use
PAM, then the service configuration file provided by the administrator in
/etc/pam.d will be used." Is PAM configured? See above about the use
of PAM.
* What is the analysis of the security implications of this project
vis-a-vis currently delivered Sun SNMP? Other than viewing/reporting, what
type of administrative file/database modifications/changes does this project
permit?
Gary..
