I'm sponsoring this case for Jan Friedel.  I believe it qualifies
for self review and am marking it "closed approved automatic."
I'm happy to turn it into a fast track and set the timer if anyone
believes I've misjudged.

A copy of the audit(1m) man page from PSARC/2009/642 is in the case
directory.

Gary..

Details:
=======
As part of the implementation of PSARC/2009/642 "audit_control(4) EOL and
removal" the existing Audit Control Rights Profile needs to be updated.

The Audit Control Rights Profile doesn't seem to have been ARCed or
have an explicit taxonomy.  A single Audit Control Rights Profile doesn't
enable Role Based Access Control (RBAC) Separation of Duty[fn *].
This case removes the ability to configure the svc:/system/auditd service 
from current Audit Control Rights Profile and adds a new Audit Configuration
Rights Profile to configure the auditd service.  Once integrated,
the Audit subsystem Rights Profiles will be:
        Audit Configuration allows an administrator to configure the
                Solaris Audit subsystem parameters.
        Audit Control allows an administrator the use of audit(1m) to
                start, stop, refresh the audit service.
        Audit Review allows an administrator to review the audit trail.

The Audit Configuration Rights Profile is introduced by this case.
The Audit Control Rights Profile's capabilities are unchanged from Solaris 10.
        However, the ability to configure parts of the Solaris audit
        subsystem was introduced in this Rights Profile by earlier
        OpenSolaris/Solaris 11 work.
The Audit Review Rights Profile's capabilities are unchanged.

This case requests a Minor Release Binding.
-----
   [*]
      RBAC separation of duty is the security principle that involves the use
      of multiple roles (or users) to perform different steps in an activity.
      For example, one role to do a configuration activity and another role
      to activate that configuration.
_______________________________________________
opensolaris-arc mailing list
opensolaris-arc@opensolaris.org
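
Added example (not part of the original mail or of the OpenSolaris code): a separation-of-duty check that flags any account able to reach both the Audit Configuration and the Audit Control Rights Profiles, either directly or through roles it may assume. It assumes user_attr(4)-style entries; the account names and the sample data are constructed, and profiles nested through prof_attr(4) or supplied by a name service are not resolved.

```python
# Added example: separation-of-duty check over user_attr(4)-style entries.
# Profile names come from the case text; account names are constructed.

CONFLICTING = ("Audit Configuration", "Audit Control")

SAMPLE_USER_ATTR = """\
# constructed sample, layout: name:qualifier:res1:res2:attr
auditcfg::::type=role;profiles=Audit Configuration
auditctl::::type=role;profiles=Audit Control,Audit Review
auditall::::type=role;profiles=Audit Configuration,Audit Control
alice::::type=normal;roles=auditcfg
bob::::type=normal;roles=auditcfg,auditctl
"""


def parse_user_attr(text):
    """Return {name: {key: [values]}} for each non-comment entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # skip malformed entries instead of guessing
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
        entries[fields[0]] = attrs
    return entries


def effective_profiles(name, entries):
    """Profiles assigned directly plus those of roles the account may assume."""
    attrs = entries.get(name, {})
    profiles = set(attrs.get("profiles", []))
    for role in attrs.get("roles", []):
        profiles.update(entries.get(role, {}).get("profiles", []))
    return profiles


def sod_violations(text):
    """Names of accounts that can both configure and control the audit service."""
    entries = parse_user_attr(text)
    return sorted(name for name in entries
                  if all(p in effective_profiles(name, entries) for p in CONFLICTING))
```

In the constructed sample, `auditall` holds both profiles directly and `bob` reaches both through two roles, so both are reported; `alice` is not.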
