Hi Jason,

Please see reply in line.

Jason Zhao said the following on Tuesday 12 May 2009 09:23 AM:
> Hi, Experts,
>
> After ARC review, per ARC committee's comments,
> the snort source code needs to be modified.
>
> In the summary, the change includes:
> 1. Remove all the 64-bit delivery, because from
> the message of snort community, 64-bit is only
> optional, its function is same with 32-bit and
> will be same. To deliver 64-bit binaries may
> bring risk to Solaris per ARC committee's idea.
> So I remove the building 64-bit source code.
>
> 2. Add SMF, since snort can be run as a daemon. It
> is necessary to add it into SMF service per ARC's
> idea. So I add snort.xml as SMF manifest and snortd
> as executable script.
>
> 3. Add RBAC changes, since snort relates to security,
> ARC suggests to give user of snort on Solaris limited
> privileges. The privileges include SMF privilege and
> the privilege of running snort. This brings an issue,
> I am not sure how to change the RBAC files. Could anybody
> who has experience tell me (wireshark, tcpdump...)?
>
> In my understanding, I think for sfwnv-gate, I could do
> the RBAC work by modifying usr/src/common/rbac/*. In
> this way, I modified the "auth_attr" and "exec_attr" by
> adding the "snort" item.
>
> Could anyone tell me if it is the correct process? Thanks!
>

Yes. In sfw-gate, the files under usr/src/common/rbac dir have to be
modified to add any new RBAC entries.

>
> Here is the webrev:
> http://cr.opensolaris.org/~jxzhao/snort/
>
>
> Please review it and tell me your comments.
>

The webrev looks mainly good to me. Please find below a few comments:

1. The METADATA file needs to conform to the new guidelines set by Norm.
   Please refer to the link below for more info.
   http://wikis.sun.com/display/SFWNotes/METADATA

2. In install-sfw, snort.xml itself is getting installed as snortd. I
   guess you intended to install the snortd SMF service method file at
   line 41.

   40 _install N snort.xml ${ROOT}/var/svc/manifest/network/snort.xml 444
   41 _install N *snort.xml* ${ROOT}/lib/svc/method/snortd 555

3. In snort.xml, in the 'start' exec_method, do you require method_context
   to define user & group as noaccess and set the basic privilege set?
   AFAIK, the privs specified in the authorizations you have added into
   the RBAC files should just be enough. Please check.

4. In SUNWsnortr/prototype_com, the entry for the auth_attr file is missing.
   Please add the same.

5. In SUNWsnortr/pkginfo.tmpl, please add the version info at the end of
   the DESC field (as specified in SUNWsnortu/pkginfo.tmpl).

Thanks,
Srirama
