Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Sun
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs

from [Drew Simonis] Network Security [Permanent Link]
Subject: Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC
Date: Sat, 19 Mar 2005 18:57:01 -0500 
First, good luck.  These are often more culturally difficult
than technically.  I haven't used RBAC or facl's in anger yet,
but have been a BSM user on and off for some time.  Tuning the 
audit criteria is something that can't really be done in 
isolation.  You really need to evaluate what events can be 
recorded, and who would be the consumer of that data.  I've 
found it necessary to have a plan of what is to be done with 
the data as a means to justify the collection, since the load
can be non-trivial, and the data geberated substantial.  If you
just collect it because you can, then you are clearly doing half
of what can be done, and the cost probably outweighs the benefit.

Once you decide "collecting X will enable us to do Y, and we will 
take Z action upon the recording of X event" you may find that you 
have more to-do's than you have do'ers.  Maybe I'm looking on the 
grim side again, but BSM is often like Pandora's box.  Unless you
have the necessary resources to deal with the firehose (technical, 
e.g., data storage and a plan for processing the audit results and 
procedural, e.g., what to do when X happens, and personel, e.g., who
will do it) the you might be setting yourself up for failure.  



----- Original Message -----
From: valken <valken007@yahoo.com>
To: focus-sun@securityfocus.com
Subject: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC
Date: Fri, 18 Mar 2005 15:46:11 -0500



All,

I'm currently working on enhancing my company's Solaris standards.  We are a
major accounting and professional services firm, and are involved in many
reviews of Solaris security from both audit and consulting perspectives.
There are many areas that I am in the process of testing and incorporating
into our methodology for these reviews, including BSM, extended ACLs and
RBAC.

Most of the clients that I work with are not currently using any of these
functionalities in their Solaris environments.  I would be curious to hear
from anyone out there who is:

- using BSM to audit activities on their Solaris servers, including what
your experience was with tuning it to balance the detail of the audit trail
with the sheer amount of events it can generate,

- using extended ACLs to provide fine-grained access controls to files or
directories, or

- using RBAC to split up the power of the root account.



Thanks,



Valken



Valken007@yahoo.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC, valken
Next by Date:  Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC, Darren J Moffat
Previous by Thread:  Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC, valken
Next by Thread:  Re: Experiences using 'enhanced' Solaris features: BSM, extended ACLs, RBAC, Darren J Moffat
Indexes:  [Date] [Thread] [Top] [All Lists]