A list of Precedents and Policies for administrative/security related CLIs/functions has been available in the SAC logs for some time. This is a summary:
Precedents.
PSARC/1999/555 Getting with the Freeware Program
* Established an initial set of non-ON/AT&T/UCB
CLIs and supporting libraries to be shipped
with/supported with Solaris.
The risks pointed out included keeping up to date.
These all shipped in /usr/{bin,lib}/ and didn't have
name conflicts with existing Solaris CLIs/libraries.
PSARC/2000/488 Solaris/Linux Commands Compatibility
* Established the "External" interface taxonomy.
* Set aside the ``Sun Application Binary Guarantee''
for these CLIs.
* Established a residence (/usr/sfw) outside the
default Solaris paths so customers wouldn't treat
as under Sun ABI Guarantee/Support.
* Added a number of CLIs, some with 'g' prefixes.
* Established the following Security concerns/policies
guidelines/requirements for suid or otherwise privileged
programs:
- All authentication is to be performed through PAM
(See PAM policy below).
- Interaction with the Solaris auditing framework
is "highly desirable". N.B. a later SAC policy
(see below) establishes that appropriate audit
is required using the Solaris Audit framework.
PSARC/2001/799 Taxonomy Modification to 1999/555
* Clarified the taxonomy of the PSARC/1999/555 interfaces
from Standard to Evolving (Committed in the PSARC/2005/220
taxonomy) and External (Volatile in the PSARC/2005/220
taxonomy), to align with PSARC/2000/488 expectations.
PSARC/2005/185 Enabling serendipitous discovery
* Notes that "External" taxonomy is largely misapplied.
* Breaks the requirement for a separate residence
for "External" interface taxonomy interfaces to
reside in /usr/sfw.
* Reinforces that FOSS still comes under the process
review rules.
* Suggests a migration out of /usr/sfw into /usr.
PSARC/2005/220 New Public Taxonomy
* Does away with the misapplied "External" taxonomy.
* Establishes interface taxonomies based on how Sun
will support the interfaces rather than the perceived
tie in with the source of the interface:
- Committed -- can be used with confidence that binaries
will continue to run without change across patches and
minor releases. Encompasses formal (and de facto)
standards.
- Uncommitted -- can be used with less confidence that
binaries will continue to run without change across
minor releases. Not a license for gratuitous change,
but a bit more wiggle room.
- Volatile -- interface can change at any time for any
reason. Use at your own risk. Often appropriate
for functionality over which Sun values change over
stability.
- Not-an-Interface -- just that, don't even think of
programming to this. Normally meant for such things
as human readable output or icon placement or menu
contents.
PSARC/2007/048 Include GNU coreutils 6.7
* Established a bunch of "GNU" commands considered core
in /usr hierarchy.
* Establishes a "/usr/gnu" hierarchy for commands that
conflict with existing Solaris commands.
* Reinforces the use of PAM and the Solaris Audit requirements
from 2000/488.
Policies.
http://opensolaris.org/os/community/arc/policies/shared-sharable/
Packaging rules for system extensions
* Establishes the packaging rules such as components may only
be delivered from one package. This is the famous
PSARC/1991/061 case.
* Gives some implementation guidance.
http://opensolaris.org/os/community/arc/policies/libraries/
Library and Shared Object Requirements
* Establishes rules for shared library naming and versioning.
* Gives some implementation guidance.
http://opensolaris.org/os/community/arc/policies/SMF-policy/
Service Management Facility (SMF) usage
* Established the use of SMF for all Solaris services.
* Gives requirements and details for meeting the
"Secure by Default" (SBD) and "Role Based Access Control"
(RBAC) project policies.
* Gives advice on how to correctly configure services.
http://opensolaris.org/os/community/arc/policies/NITS-policy/
Network Install-Time Security
* Security SWG policy for security during and as the result
of installation.
* Defines security requirements for inbound and outbound
network communications.
http://opensolaris.org/os/community/arc/policies/PAM/
PAM (Pluggable Authentication Modules) usage requirements
* Establishes the use of PAM for all authentication and
reauthentication.
* Includes details and guides for use.
* Associated with auditing and points to the Solaris Audit
Policy.
http://opensolaris.org/os/community/arc/policies/audit-policy/
Solaris Auditing Policy
* Pretty much defines what needs to be audited.
* Includes details on what makes up an audit record.
* Points to the Audit project team for advice.
* Gives some broad implementation guides.
Best Practices.
http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/
When to use setuid -vs- RBAC roles and profiles
* Discusses when to use setuid (forced privileges) and
introduces the use of RBAC and its interactions with Solaris.
* Historic with historic references.
http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/
Adding RBAC Authorizations
* How-to guide for adding Authorizations to Solaris.
http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
Building RBAC Rights Profiles
* How-to guide for adding Rights Profiles to Solaris.
http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/
Reusable Passwords In Command Line Arguments and Environment Variables
* From the Security SWG.
* Security concerns and guidelines prohibiting exposure of
reusable passwords.
http://opensolaris.org/os/community/arc/bestpractices/passwords-files/
Storing Reusable Passwords on a Filesystem
* From the Security SWG.
* Security concerns and requirements for protection if/when
reusable passwords are stored in the Filesystem.
© 2012, Oracle Corporation and/or its affiliates.