SUMMARY: How to give full read only access to an external auditor

From: Coronel, David <>
Date: Thu May 11 2006 - 14:21:35 EDT
Thanks to:
Christopher McNabb
Florian Laws
Chris Ruhnke
Michael Maciolek

My original post was:
"We have a security auditor coming here soon that requests read only access to
every single file in two of our systems. What is the best way to give full
read only access to this auditor? Is there a special file or command for this?
I also thought of maybe creating a user with a UID of 0 and creating an RBAC
role that will give him only access to commands like cat, cd, ls. But even
then he could make a mistake and cat something > /etc/passwd or anything like

The best solution I've seen comes from Francisco and was to give certain RBAC privileges to the user:

    usermod -K defaultpriv=basic,file_dac_read,file_dac_search <username>

However, I'm using Solaris 8 and RBAC wasn't developed enough at that time to support those privileges. The command above would work in Solaris 10, and maybe in the Trusted Solaris 8 environment.

Another good solution that I received from many was to share my filesystems with NFS and mount them as read only on a third machine.

Lastly, there were other possibilities, such as giving the information to the auditor piece by piece as he requests it.

Thank you all for this.
David Coronel
UNIX Systems Administrator
Meloche Monnex
Phone: (514) 385-2222 ext: 3439
Fax: (514) 385-2173
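As an added illustration (not code from the thread or from Sun), a small Python model of why the Solaris 10 privilege set above is safer than a UID-0 account: file_dac_read and file_dac_search bypass the DAC read and directory-search checks, but the write check stays in force. The privilege names are the real Solaris ones quoted above; the file metadata, uids and path layout are constructed, and the model ignores ACLs and file_dac_execute.

```python
from dataclasses import dataclass

# The defaultpriv set proposed in the thread for the auditor account.
AUDITOR_PRIVS = frozenset({"basic", "file_dac_read", "file_dac_search"})
# Model of a UID-0 account holding every privilege (the "user with a UID
# of 0" idea from the original question).
ROOT_PRIVS = frozenset({"all"})


@dataclass(frozen=True)
class FileMeta:
    """Constructed stand-in for the stat() fields that DAC looks at."""
    mode: int           # permission bits, e.g. 0o640
    uid: int            # owner uid
    gid: int            # owning gid
    is_dir: bool = False


def dac_bits(meta, uid, gids):
    """Classic UNIX DAC: pick the owner, group or other rwx triplet."""
    if uid == meta.uid:
        return (meta.mode >> 6) & 0o7
    if meta.gid in gids:
        return (meta.mode >> 3) & 0o7
    return meta.mode & 0o7


def effective_access(meta, uid, gids, privs):
    """Return (read, write, search) after applying the file_dac_* overrides.

    file_dac_read bypasses read checks and file_dac_search bypasses
    directory-search checks; nothing in AUDITOR_PRIVS bypasses the write
    check, so a stray "cat something > /etc/passwd" still fails under DAC.
    """
    bits = dac_bits(meta, uid, gids)
    everything = "all" in privs
    read = bool(bits & 4) or everything or "file_dac_read" in privs
    write = bool(bits & 2) or everything or "file_dac_write" in privs
    search = bool(bits & 1) or everything or (meta.is_dir and "file_dac_search" in privs)
    return read, write, search


def _path_access(dirs, leaf, uid, gids, privs, index):
    # Every directory on the path must be searchable before the leaf matters.
    if not all(effective_access(d, uid, gids, privs)[2] for d in dirs):
        return False
    return effective_access(leaf, uid, gids, privs)[index]


def can_read_path(dirs, leaf, uid, gids, privs):
    """True if the user can open leaf for reading through the given directories."""
    return _path_access(dirs, leaf, uid, gids, privs, 0)


def can_write_path(dirs, leaf, uid, gids, privs):
    """True if the user can open leaf for writing through the given directories."""
    return _path_access(dirs, leaf, uid, gids, privs, 1)
```

Without file_dac_search the auditor is still blocked by any 0700 directory on the way to a file, which is why the thread's command grants both privileges.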

-----Original Message-----
From: JV
Sent: Thursday, May 11, 2006 12:54 PM
To: Coronel,
Subject: Re: How to give full read only access to an external auditor
There is no safe way with a UID of 0.

It is best to provide each file the auditor wants on a case-by-case basis. Otherwise YOU have violated Sarbanes-Oxley and HIPAA requirements by giving root access to a person you do not supervise or control.

good luck
sunmanagers mailing list
Received on Thu May 11 14:22:28 2006

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:58 EST