Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC
From: Drew Simonis (simonis_at_myself.com)
Date: 03/20/05
- Previous message: valken: "Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Maybe in reply to: valken: "Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Next in thread: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Reply: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: valken <valken007@yahoo.com>, focus-sun@securityfocus.com Date: Sat, 19 Mar 2005 18:57:01 -0500
First, good luck. These are often more culturally difficult
than technically. I haven't used RBAC or facl's in anger yet,
but have been a BSM user on and off for some time. Tuning the
audit criteria is something that can't really be done in
isolation. You really need to evaluate what events can be
recorded, and who would be the consumer of that data. I've
found it necessary to have a plan of what is to be done with
the data as a means to justify the collection, since the load
can be non-trivial, and the data geberated substantial. If you
just collect it because you can, then you are clearly doing half
of what can be done, and the cost probably outweighs the benefit.
Once you decide "collecting X will enable us to do Y, and we will
take Z action upon the recording of X event" you may find that you
have more to-do's than you have do'ers. Maybe I'm looking on the
grim side again, but BSM is often like Pandora's box. Unless you
have the necessary resources to deal with the firehose (technical,
e.g., data storage and a plan for processing the audit results and
procedural, e.g., what to do when X happens, and personel, e.g., who
will do it) the you might be setting yourself up for failure.
----- Original Message -----
From: valken <valken007@yahoo.com>
To: focus-sun@securityfocus.com
Subject: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC
Date: Fri, 18 Mar 2005 15:46:11 -0500
>
> All,
>
> I'm currently working on enhancing my company's Solaris standards. We are a
> major accounting and professional services firm, and are involved in many
> reviews of Solaris security from both audit and consulting perspectives.
> There are many areas that I am in the process of testing and incorporating
> into our methodology for these reviews, including BSM, extended ACLs and
> RBAC.
>
> Most of the clients that I work with are not currently using any of these
> functionalities in their Solaris environments. I would be curious to hear
> from anyone out there who is:
>
> - using BSM to audit activities on their Solaris servers, including what
> your experience was with tuning it to balance the detail of the audit trail
> with the sheer amount of events it can generate,
>
> - using extended ACLs to provide fine-grained access controls to files or
> directories, or
>
> - using RBAC to split up the power of the root account.
>
>
>
> Thanks,
>
>
>
> Valken
>
>
>
> Valken007@yahoo.com
- Previous message: valken: "Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Maybe in reply to: valken: "Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Next in thread: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Reply: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
