Gary Winiger wrote: > At PSARC business today, we discussed a change to question 8 to prompt > project teams to consider not only if they run in zones, but also if > they affect Branded zones. Some of the motivation for adding > "Branded zones" came from a question from the security group as to how > to cover taking into account Trusted Extensions (TX). > > It was suggested that something also be added to the security question #5. > I've created this case to capture my initial proposals and any conversation. > > I'd like to receive input in a bounded time, so I've set a timer for > 25 Mar, 2009. > > Thanks, > Gary.. > > =============================================================================== > Proposal 1: > > 5. Projects need to be aware of the overall security of the system and how > their components affect it. Which parts of this project are critical to > the security of the system to avoid such unintended consequences such > as unauthorized system entry, unauthorized access to or modification of > data, elevation of privilege, denial of service, ...? Does this project > - require elevated privilege? > + require elevated privilege? Does the project interact with or affect > + Solaris Trusted Extensions (TX)? >
The question that comes to my mind is - would I know if my project affects TX? I've never run TX, and I imagine I'm not alone in that. Same for labeled security. -tim > A number of specific policies and practices address various aspects of > the security of the system. They are found in appendix 1. Which of > these are applicable to this project, and how are they addressed? > > Proposal 2: > > 5. Projects need to be aware of the overall security of the system and how > their components affect it. Which parts of this project are critical to > the security of the system to avoid such unintended consequences such > as unauthorized system entry, unauthorized access to or modification of > - data, elevation of privilege, denial of service, ...? Does this project > + data, elevation of privilege, denial of service, violation of labeled > + security, ...? Does this project > require elevated privilege? > > A number of specific policies and practices address various aspects of > the security of the system. They are found in appendix 1. Which of > these are applicable to this project, and how are they addressed? >
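Review bot: In Proposal 1, the added sentence "Does the project interact with or affect Solaris Trusted Extensions (TX)?" gives a project team no criteria for deciding whether it does. The following paragraph already points to appendix 1 for specific policies and practices, so consider adding a pointer there, or a short description of what counts as interacting with or affecting TX, so that a team that has never run TX can still answer the question.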
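Review bot: In Proposal 2, "violation of labeled security" is added to the list of unintended consequences without saying what labeled security refers to, and unlike Proposal 1 the wording does not name Trusted Extensions at all. Consider naming TX in parentheses after the new item or referencing appendix 1. Separately, the unchanged context reads "to avoid such unintended consequences such as"; the first "such" could be dropped while this sentence is being edited.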