On Thu, 2007-08-30 at 07:52 -0700, Gary Winiger wrote: > The SBD policy requires listening services > be administratively enabled, or listen local only. Non-listening > services (outbound only) may be enabled in the default profile(s).
The SBD policy is higher level than that, while the Install-Time Security policy is more flexible than that. See: http://sac.eng/cgi-bin/bp.cgi?NAME=ITS.bp Quoting: For each service that is created, installed, used, or depended on by the product, there are four ways to achieve secure execution: SVC1 Do not install the components that comprise the service. SVC2 Ensure that the service is never enabled or automatically used by the product itself, during or as a result of installation. (There is no requirement to prevent layered products or post-install administration from enabling or using the service.) SVC3 Ensure that the service is always enabled or automatically used by the product itself in a way that satisfies all of the minimum security requirements specified further below, both during and as a result of installation. (There is no requirement to prevent layered products or post-install administration from enabling or using the service in ways that do not satisfy the minimum security requirements.) SVC4 Ensure that failure to satisfy the minimum security requirements introduces no vulnerabilities or exposures. As you move up this scale, the amount of work needed to comply increases. We're arguing about whether SVC2 or SVC3 is appropriate for this project.
