Friday, December 16, 2005

Zone console access control and auditing

(1) Is it OK to have proxy authentication for zlogin or rzlogin?
For example, I have a management host that tries to log in to a zone
for data collection. It may require some level of privilege (RBAC) to
execute some tasks and access some resources, such as utilities and host
resources, and some level of data sampling needs to be done too. Can we
zlogin as a normal Solaris user and, after login, have it take on the ACL
for the designated proxy user's privileges? I know an extra "su" can
work some of the time; can it be done in a more automatic and robust
fashion? If not, what are the concerns?
(2) Can we specify login session limits so that we can proactively
assess hacking cases? What I mean is a policy-based restriction
so that the server can control the session duration.
(3) Can we categorize the configuration-related scripts or metadata files
into one central realm for ease of deployment and control, instead of
multiple tweaks?
(4) Can we have an account locking policy for when the number of retries is exceeded?

(5) svc-based login and per-zone auditing


These may not apply to zlogin and rzlogin only, but if they are integrated, it can
be more manageable and auditable in production.
