On Wed, Mar 26, 2008 at 10:48:32AM -0700, Bart Smaalders wrote:
> Wyllys Ingersoll wrote:
> >>> Other lesser concerns include:
> >>> * The spec's frequent use of "A user" for performing configuration.
> >>> * The introduction of new /etc files that seem security relevant
> >>> with no auditable administrative interface. (See the Solaris
> >>> Audit policy:
> >>> http://opensolaris.org/os/community/arc/policies/audit-policy/)
> >>>
> >
> > Is it common that we impose our auditing policies on all open source
> > based projects for administering configuration files? We have lots of
> > configuration files that have security implications that do not have
> > auditable admin interfaces - ssh_config, sshd_config, krb5.conf,
> > kdc.conf, just to name a few.
>
> Gary -
>
> How does a project satisfy this requirement? Suppose my project
> "foo" introduces a new file in /etc that is deemed to be security
> related. Besides the facilities already provided by Solaris auditing,
> what additional work should I do to track edits by vi, vim, etc?
I think the answer is: include a CLI for administering the configuration.
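As an added illustration of what "a CLI for administering the configuration" buys you (this is example code, not anything from the thread or from the OpenSolaris project), below is a hypothetical `fooadm set <key> <value>` tool for the hypothetical project "foo". Instead of letting anyone with write access run `vi /etc/foo.conf`, it accepts only a known set of keys, validates each value, rewrites the file atomically, and records who changed what (old value, new value, actor) before returning. The paths `/etc/foo.conf` and `/var/log/foo-admin.log`, the key allowlist, and the JSON-lines audit file are all assumptions made for the example; on Solaris the record would go to the audit subsystem rather than to a private log file, and the file would be root-owned so that the CLI is the only sanctioned path to it.

```python
"""Hypothetical 'fooadm' CLI: an auditable administrative interface for a
config file. Example code only; the file paths, keys and log format are
constructed for the illustration and are not a real project's interface."""
import json
import os
import pwd
import sys
import tempfile
import time

# Constructed allowlist: the only keys an administrator may change, each
# paired with a validator. Unknown keys or bad values never reach the file.
ALLOWED_KEYS = {
    "listen_port": lambda v: v.isdigit() and 1 <= int(v) <= 65535,
    "log_level": lambda v: v in ("debug", "info", "warn", "error"),
    "allow_remote": lambda v: v in ("yes", "no"),
}


def parse_config(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def render_config(conf):
    return "".join(f"{k} = {v}\n" for k, v in sorted(conf.items()))


def write_atomically(path, text):
    """Write to a temp file in the same directory, then rename over the
    target, so a crash or concurrent reader never sees a half-written file.
    The existing mode bits are preserved."""
    dirname = os.path.dirname(path) or "."
    mode = os.stat(path).st_mode & 0o777 if os.path.exists(path) else 0o644
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".foo.conf.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def set_option(conf_path, audit_path, key, value, actor=None):
    """Change one option and append an audit record. Returns the record."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unknown option {key!r}")
    if not ALLOWED_KEYS[key](value):
        raise ValueError(f"invalid value {value!r} for {key}")
    if actor is None:
        actor = pwd.getpwuid(os.getuid()).pw_name
    conf = {}
    if os.path.exists(conf_path):
        with open(conf_path) as f:
            conf = parse_config(f.read())
    old = conf.get(key)
    conf[key] = value
    write_atomically(conf_path, render_config(conf))
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "actor": actor,
        "uid": os.getuid(),
        "file": conf_path,
        "key": key,
        "old": old,
        "new": value,
    }
    # Append-only trail, one JSON record per line (stand-in for a real
    # audit subsystem such as Solaris auditing).
    with open(audit_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def run_demo():
    """Exercise the tool in a scratch directory with constructed input and
    return (final config dict, list of audit records, rejected-key error)."""
    d = tempfile.mkdtemp(prefix="fooadm-demo-")
    conf, audit = os.path.join(d, "foo.conf"), os.path.join(d, "audit.log")
    set_option(conf, audit, "log_level", "debug", actor="alice")
    set_option(conf, audit, "log_level", "warn", actor="alice")
    try:
        set_option(conf, audit, "shell", "/bin/sh", actor="mallory")
        rejected = None
    except ValueError as e:
        rejected = str(e)
    with open(conf) as f:
        final = parse_config(f.read())
    with open(audit) as f:
        records = [json.loads(line) for line in f]
    return final, records, rejected


if __name__ == "__main__":
    # usage: fooadm set <key> <value>   (constructed paths, see lead-in)
    if len(sys.argv) != 4 or sys.argv[1] != "set":
        sys.exit("usage: fooadm set <key> <value>")
    print(json.dumps(set_option("/etc/foo.conf", "/var/log/foo-admin.log",
                                sys.argv[2], sys.argv[3])))
```

The point of the design is that every change is attributable and bounded: the allowlist means the CLI cannot be turned into a generic "write anything to /etc" primitive, the atomic rename means an interrupted run cannot leave a truncated security-relevant file behind, and the record carries the old value so an incident responder can see what the setting was before the change, which a bare "file modified" audit event from vi does not give you.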
