[Security_sig] section 2.2 review

Mary Edie Meredith maryedie at osdl.org
Wed Sep 14 18:06:14 PDT 2005


Something to review for tomorrow's discussion:


Continuing the review of the capabilities document: the server
descriptions have been reviewed, and the next section is the following:


2.2 Organizational Security Policies
[INCOMPLETE]

Data Center Linux servers will need to support a wide range of
organizational security policies, but there are a few policies that are
likely to be universally required to be supported.

P.AUTHORIZED_USERS – Only those users who have been authorized to access
information within the system may access the system. <Note – this DOES
allow for there to be information publicly available to unauthenticated
users, in which case those anonymous users DO have authorization to
access THAT information.>

P.NEED_TO_KNOW – The system must limit the access to, modification of,
and destruction of the information in protected resources to those
authorized users who have a “need to know” for that information.

P.ACCOUNTABILITY_USER – The users of the system shall be held
accountable for their actions within the system. <Note – this implies
that anonymous, or unauthenticated, users must have access ONLY to read
publicly available information, and not to modify or destroy
information, or otherwise consume resources, for which they cannot be
held accountable.>

P.ACCOUNTABILITY_ADMIN – The administrators of the system shall be held
accountable for their administration and configuration actions within
the system. <Note – this implies that administration of the audit
subsystem must be separable from administration of the rest of the
system.>

P.LEAST_PRIVILEGE – The users, administrators and their agents (services
and applications on information systems) shall, in so far as possible,
perform their duties while having the least set of privileges necessary
and sufficient to do their job or their specific task.


-- 
Mary Edie Meredith
Initiative Manager
Open Source Development Labs
maryedie at osdl.org
503-906-1942



