Wyllys Ingersoll wrote:
>>> Other lesser concerns include:
>>> * The spec's frequent use of "A user" for performing configuration.
>>> * The introduction of new /etc files that seem security relevant
>>> with no auditable administrative interface. (See the Solaris
>>> Audit policy:
>>> http://opensolaris.org/os/community/arc/policies/audit-policy/)
>>>
>
> Is it common that we impose our auditing policies on all open source
> based projects for administering configuration files? We have lots of
> configuration files that have security implications that do not have
> auditable admin interfaces - ssh_config, sshd_config, krb5.conf,
> kdc.conf, just to name a few.

Gary -

How does a project satisfy this requirement? Suppose my project "foo"
introduces a new file in /etc that is deemed to be security related.
Beside the facilities already provided by Solaris auditing, what
additional work should I do to track edits by vi, vim, etc?

- Bart

--
Bart Smaalders                  Solaris Kernel Performance
barts at cyber.eng.sun.com      http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
