Thanks to: Francisco, Christopher McNabb, Florian Laws, Angela.M.Burroughs, Brad_Morrison, Chris Ruhnke, Michael Maciolek, JV711

My original post was:

"We have a security auditor coming here soon that requests read only access to every single file in two of our systems. What is the best way to give full read only access to this auditor? Is there a special file or command for this? I also thought of maybe creating a user with a UID of 0 and creating an RBAC role that will give him only access to commands like cat, cd, ls. But even then he could make a mistake and cat something > /etc/passwd or anything like that."

The best solution I've seen comes from Francisco and was to give certain RBAC privileges to the user:

usermod -K defaultpriv=basic,file_dac_read,file_dac_search <username>

However I'm using Solaris 8 and RBAC wasn't developed enough at that time to support those privileges. The command above would work in Solaris 10, and maybe in the Trusted Solaris 8 environment.

Another good solution that I received from many was to share my filesystems with NFS and mount them as read only on a third machine.

Lastly, other possibilities such as giving the information to the auditor piece by piece as he requests it.

Thank you all for this.

David Coronel
UNIX Systems Administrator
Meloche Monnex
Phone: (514) 385-2222 ext: 3439
Fax: (514) 385-2173
Mailto: david.coronel@melochemonnex.com

-----Original Message-----
From: JV [mailto:jv711@yahoo.com]
Sent: Thursday, May 11, 2006 12:54 PM
To: Coronel, David
Subject: Re: How to give full read only access to an external auditor

There is no safe way with a UID of 0. It is best to provide each file the auditor wants on a case-by-case basis. Otherwise YOU have violated Sarbanes-Oxley and HIPAA requirements by giving a person you do not supervise or control, root access.

good luck
JV711

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu May 11 14:22:28 2006
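An added check, not part of the thread above, for the Solaris 10 RBAC approach it describes: a POSIX sh script that reads user_attr(4)-style entries and flags any account whose defaultpriv goes beyond basic plus file_dac_read and file_dac_search, i.e. an "auditor" that could also write. The sample entries are constructed; the field layout follows user_attr(4).

```shell
#!/bin/sh
# Added example: policy check over Solaris 10 user_attr(4) entries.
# A read-only auditor should carry only basic + file_dac_read + file_dac_search;
# anything else (file_dac_write, all, ...) lets the account modify files.
set -f   # no pathname expansion while splitting fields on IFS

# $1 = comma-separated defaultpriv value; returns 0 if every privilege is read/search only
readonly_privs_ok() {
    old_ifs=$IFS; IFS=,
    for p in $1; do
        case "$p" in
            basic|file_dac_read|file_dac_search) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Print the defaultpriv value of a user_attr line (user:qualifier:res1:res2:attr);
# prints nothing when the attr field carries no defaultpriv key.
defaultpriv_of() {
    attrs=$(printf '%s\n' "$1" | cut -d: -f5)
    old_ifs=$IFS; IFS=';'
    for kv in $attrs; do
        case "$kv" in
            defaultpriv=*) printf '%s\n' "${kv#defaultpriv=}" ;;
        esac
    done
    IFS=$old_ifs
}

# 0 = acceptable read-only auditor entry, 1 = grants write or escalation,
# 2 = no defaultpriv at all (basic set only, so it cannot read every file)
check_user_attr_line() {
    dp=$(defaultpriv_of "$1")
    [ -n "$dp" ] || return 2
    readonly_privs_ok "$dp"
}

# Constructed sample entries, not taken from a real /etc/user_attr
GOOD='auditor::::defaultpriv=basic,file_dac_read,file_dac_search;type=normal'
BAD='auditor2::::defaultpriv=basic,file_dac_read,file_dac_write;type=normal'
ALL='root::::auths=solaris.*;profiles=All;defaultpriv=all'

for line in "$GOOD" "$BAD" "$ALL"; do
    if check_user_attr_line "$line"; then echo "ok:   $line"; else echo "FLAG: $line"; fi
done
```

On a live Solaris 10 host the same check can be fed with the real file (for example `while read -r l; do check_user_attr_line "$l" || echo "FLAG: $l"; done < /etc/user_attr`), and `ppriv $$` in the auditor's shell confirms the effective set.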
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:58 EST