> >> > You could talk with the TX team.
>
> As with all the 20Qs, there is significant value in having something
> more than an open ended question that teams can't fully comprehend.
> Some sort of context (checklist, description, URL, Best Practice,...)
> so that the teams can say "hey, that sounds like something our stuff
> might or should do" rather than "No, we don't do {TX, branded zones,
> zones}, ignore the question - uhm, what is {TX, branded zones,
> zones}?".

We seemed to have gotten a discussion mostly around proposal 1. and TX
specifically. Based upon both the comments in the mail log and out of
band comments, I'd like to bring proposal 2 as my concrete proposal (an
updated 20questions is in the case directory):

    5. Projects need to be aware of the overall security of the system
       and how their components affect it. Which parts of this project
       are critical to the security of the system to avoid such
       unintended consequences such as unauthorized system entry,
       unauthorized access to or modification of
|      data, elevation of privilege, denial of service, violation of labeled
|      security, ...? Does this project require elevated privilege?

       A number of specific policies and practices address various
       aspects of the security of the system. They are found in
       appendix 1. Which of these are applicable to this project, and
       how are they addressed?

    Appendix 1. Security references

       + Labeled Security:
           + http://en.wikipedia.org/wiki/Multilevel_security
           + See also PSARC/2002/762 Layered Trusted Solaris
           + http://opensolaris.org/os/community/arc/caselog/2002/762

Specifically to John's thoughtful comments, yes, projects can always
ignore a question from ignorance and adding labeled security to the
list of unintended consequences doesn't really change that. The
previous form of question 5 presupposed understanding of a number of
other security concepts. Case owners are ultimately responsible for
helping/guiding projects' understanding.

Gary..

P.S. When the case log comes back on line, 2002/762 should be viewable.
I've redacted it.