20 Questions # 5 update [PSARC/2009/179 FastTrack timeout 03/25/2009]

Tim Haley tim.haley at sun.com
Wed Mar 18 11:47:21 PDT 2009 

Gary Winiger wrote:
> At PSARC business today, we discussed a change to question 8 to prompt
> project teams to consider not only if they run in zones, but also if
> they affect Branded zones.   Some of the motivation for adding
> "Branded zones" came from a question from the security group as to how
> to cover taking into account Trusted Extensions (TX).
> 
> It was suggested that something also be added to the security question #5.
> I've created this case to capture my initial proposals and any conversation.
> 
> I'd like to receive input in a bounded time, so I've set a timer for
> 25 Mar, 2009.
> 
> Thanks,
> Gary..
> 
> ===============================================================================
> Proposal 1:
> 
>  5.  Projects need to be aware of the overall security of the system and how
>      their components affect it. Which parts of this project are critical to
>      the security of the system to avoid such unintended consequences such
>      as unauthorized system entry, unauthorized access to or modification of
>      data, elevation of privilege, denial of service, ...? Does this project
> -    require elevated privilege?
> +    require elevated privilege?  Does the project interact with or affect
> +    Solaris Trusted Extensions (TX)?
>      

The question that comes to my mind is - would I know if my project affects TX? 
  I've never run TX, and I imagine I'm not alone in that.  Same for labeled 
security.

-tim

>      A number of specific policies and practices address various aspects of
>      the security of the system. They are found in appendix 1. Which of
>      these are applicable to this project, and how are they addressed?
> 
> Proposal 2:
> 
>  5.  Projects need to be aware of the overall security of the system and how
>      their components affect it. Which parts of this project are critical to
>      the security of the system to avoid such unintended consequences such
>      as unauthorized system entry, unauthorized access to or modification of
> -    data, elevation of privilege, denial of service, ...? Does this project
> +    data, elevation of privilege, denial of service, violation of labeled
> +    security, ...? Does this project
>      require elevated privilege?
>      
>      A number of specific policies and practices address various aspects of
>      the security of the system. They are found in appendix 1. Which of
>      these are applicable to this project, and how are they addressed?
>

More information about the opensolaris-arc mailing list