This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Network Security for the Systemtap Client/Server


> Authentication of clients is also possible although may not be necessary.
> The systemtap server is simply compiling the provided scripts and is not
> returning any information which could not be obtained using the resources
> used to perform the compilation. These resources (kernel version and
> debuginfo, systemtap itself) are already widely available.
> **** Comments? concerns? suggestions? ***

One can imagine a compiling server having available local private kernel
builds whose internal layout details someone's policy might consider
security-sensitive.  Leave the policy on authentication requirements to the
local admins to choose.  Just make out-of-the-box defaults be easy to use
without infrastructure set-up even when that means less stringent security
policies than a concerned admin could configure.

Also, keep in mind the long-run need to mesh with sophisticated key
management infrastructure a particular installation might have and want to
use it (be required by local security regulations) for everything crypto.
I'm not suggesting you dwell on this especially while just getting
something going for casual set-up and use.  Probably any implementation
that can be scripted around somehow using NSS command line tools will fully
meet that requirement down the line without much trying.  But keep it in my
in the approaches taken and how accessible the system is to configuration
of how keys are acquired and used, etc.


Thanks,
Roland


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]