Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC

From: benjamin brumaire (benjamin_at_brumaire.biz)
Date: 03/21/05

  • Next message: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"
    Date: Mon, 21 Mar 2005 06:41:33 +0100
    To: focus-sun@securityfocus.com
    
    

    Regarding BSM you can start with the blueprint configuration and
    optimize it with some statistical works over your logfiles. For me, the
    real challenge is managing the logfiles and analysing it. Transforming a
    lot of raw data into added value is a long hard process. Solaris 10
    helps in both situation with syslog integration and XML format.
    Companies like ISS or SRI provides some help and should be considered.
    Of course, if your have an accurate idea of what you are looking for,
    some perl scripting could do the job.

    RBAC could help a lot in Solaris only environment. Management should be
    centralized to prevent a sysadmin and audit nightmare . Just the one you
    will get with sudo.

    I never saw extended ACL in production environment.

    To be honest, exept a handful projects where this tools were used,
    overall acceptance is quiet low. Ease of use and an unclear business
    value prohibit a wide usage. Sectools like this should be enable by
    default, solaris should use his own mechanisms better (autorizations,
    ppriv, ...) and better support for all the management issues should be
    provide.

    regards
    Benjamin

    valken schrieb:

    >All,
    >
    >I'm currently working on enhancing my company's Solaris standards. We are a
    >major accounting and professional services firm, and are involved in many
    >reviews of Solaris security from both audit and consulting perspectives.
    >There are many areas that I am in the process of testing and incorporating
    >into our methodology for these reviews, including BSM, extended ACLs and
    >RBAC.
    >
    >Most of the clients that I work with are not currently using any of these
    >functionalities in their Solaris environments. I would be curious to hear
    >from anyone out there who is:
    >
    >- using BSM to audit activities on their Solaris servers, including what
    >your experience was with tuning it to balance the detail of the audit trail
    >with the sheer amount of events it can generate,
    >
    >- using extended ACLs to provide fine-grained access controls to files or
    >directories, or
    >
    >- using RBAC to split up the power of the root account.
    >
    >
    >
    >Thanks,
    >
    >
    >
    >Valken
    >
    >
    >
    >Valken007@yahoo.com
    >
    >
    >
    >
    >
    >


  • Next message: Darren J Moffat: "Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC"

    Relevant Pages

    • Re: Experiences using enhanced Solaris features: BSM, extended ACLs, RBAC
      ... but BSM is often like Pandora's box. ... data storage and a plan for processing the audit results and ... Subject: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC ...
      (Focus-SUN)
    • Re: IDS Error - VP Notify
      ... I've just had the same problem, but with a solaris ... Solaris patch information for the IBM Informix Dynamic Server ... Location of Shared Memory ... Configuring the Operating System Audit Subsystem: ...
      (comp.databases.informix)
    • Solaris 10 BSM Auditing help
      ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ...
      (comp.security.unix)
    • Solaris 10 BSM Auditing help
      ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ...
      (comp.unix.solaris)
    • Solaris 10 BSM Auditing help
      ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ...
      (comp.sys.sun.admin)