[kmf-discuss] restart of PSARC/2006/283 Certificate & PKCS#11 PAM module
Nicolas Williams
Nicolas.Williams at sun.com
Thu Apr 3 13:38:36 PDT 2008
On Wed, Mar 26, 2008 at 10:48:32AM -0700, Bart Smaalders wrote:
> Wyllys Ingersoll wrote:
> >>>Other lesser concerns include:
> >>> * The spec's frequent use of "A user" for performing configuration.
> >>> * The introduction of new /etc files that seem security relevant
> >>> with no auditable administrative interface. (See the Solaris
> >>> Audit policy:
> >>> http://opensolaris.org/os/community/arc/policies/audit-policy/)
> >>>
> >
> >Is it common that we impose our auditing policies on all open source
> >based projects for administering configuration files? We have lots of
> >configuration files that have security implications that do not have
> >auditable admin interfaces - ssh_config, sshd_config, krb5.conf,
> >kdc.conf, just to name a few.
>
> Gary -
>
> How does a project satisfy this requirement? Suppose my project
> "foo" introduces a new file in /etc that is deemed to be security
> related. Beside the facilities already provided by Solaris auditing,
> what additional work should I do to track edits by vi, vim, etc?
I think the answer is: include a CLI for administering the
configuration.