
man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany


Updated: Wednesday, July 27, 2022
 
 

sstore-security (7)

Name

sstore-security - Security attributes of statistics and events

Description

By default, statistics and events are visible and capturable by all users.

However, there are a few scenarios that require more specific RBAC authorizations.

Statistics might need to be marked as sensitive, which means that reading them is security-relevant. Cryptography-related statistics are one example.

Statistics may be marked with their expense to capture. Many statistics have no impact on the system. However, some statistics require more invasive techniques, such as DTrace scripts, which might impact the performance of a system. Such statistics are marked as expensive, and require additional authorizations to capture.

Reading a sensitive statistic or event

The client must have the solaris.sstore.read.sensitive authorization or must be an sstore-authorized-user(7) for a read-sensitive operation for the given ssid.

Recording a sensitive statistic or event

The client must have the solaris.sstore.capture.sensitive authorization or must be an sstore-authorized-user(7) for a capture-sensitive operation for the given ssid.

Recording an expensive statistic or event

The client must have the solaris.sstore.capture.expensive authorization or must be an sstore-authorized-user(7) for a capture-expensive operation for the given ssid.

Providing statistics or events

The client must have the solaris.sstore.write authorization or must be an sstore-authorized-user(7) for a write operation for the given ssid.

Adding or removing a resource to the namespace

The client must have the solaris.sstore.update.res authorization or must be an sstore-authorized-user(7) for an update_res operation for the given ssid.

Purging statistic or event data

The client must have the solaris.sstore.delete authorization or must be an sstore-authorized-user(7) for a delete operation for the given ssid.

Updating statistic store configuration

The client must have the solaris.sstore.configure authorization or must be an sstore-authorized-user(7) for a configuration operation for the given ssid.

RBAC Profiles

The authorizations to view and manage statistics are made available in the following RBAC profiles:

Stat Store Read All Profile

Reads all statistics

System Observability Profile

Contains the Stat Store Read All profile

Stat Store Management Profile

Reads and manages all statistics

System Administration Profile

Contains the Stat Store Management profile

Examples

Example 1 Viewing the expensive Attribute of an ssid

The following example displays the expensive attribute of an ssid.

$ sstore info //:class.dtrace//:res.net//:stat.ip_bytes

     Identifier: //:class.dtrace//:res.net//:stat.ip_bytes
     description: ip network traffic in bytes
     type: counter
     units: bytes
     expensive: True
     partitions: hostname
     partitions: protocol
     partitions: direction
     partitions: application
  

The expensive field in the example specifies that the given statistic is expensive. If the expensive field is absent, the statistic is assumed to be non-expensive.
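The following sketch is an added example, not part of the original man page. It ties the expensive field above to the solaris.sstore.capture.expensive authorization by checking an authorization list before a capture is attempted. The function names are hypothetical. It assumes the list is comma- or whitespace-separated, as printed by auths(1), and that a trailing ".*" entry grants the whole class. It does not evaluate sstore-authorized-user(7) grants.

```shell
#!/bin/sh
# Added example; function names are hypothetical. SAMPLE_INFO is constructed
# from the `sstore info` output shown in Example 1.
SAMPLE_INFO='     Identifier: //:class.dtrace//:res.net//:stat.ip_bytes
     type: counter
     expensive: True'

# is_expensive: reads `sstore info` output on stdin and succeeds only when it
# contains "expensive: True". An absent field means non-expensive.
is_expensive() {
    awk '$1 == "expensive:" { v = $2 } END { exit !(v == "True") }'
}

# has_auth AUTH LIST: succeeds when LIST (comma- or whitespace-separated)
# names AUTH exactly or through a trailing ".*" wildcard entry (assumption).
has_auth() (
    set -f                          # keep "solaris.*" from glob-expanding
    for a in $(printf '%s' "$2" | tr ',' ' '); do
        case $a in
            "$1") exit 0 ;;
            *.\*) p=${a%'*'}        # "solaris.sstore.*" -> "solaris.sstore."
                  case $1 in "$p"*) exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# capture_check INFO LIST: reports whether capturing the ssid described by
# INFO needs solaris.sstore.capture.expensive and whether LIST grants it.
capture_check() {
    if printf '%s\n' "$1" | is_expensive; then
        if has_auth solaris.sstore.capture.expensive "$2"; then
            echo "expensive: authorized"
        else
            echo "expensive: missing solaris.sstore.capture.expensive"
        fi
    else
        echo "not expensive: capture.expensive not required"
    fi
}

# On a live system: capture_check "$(sstore info "$ssid")" "$(auths)"
capture_check "$SAMPLE_INFO" "solaris.sstore.read.sensitive"
```
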

See Also

auths(1), sstore(1), libsstore(3LIB), sstore.json(5), ssid(7), ssid-metadata(7), sstore(7), sstore-authorized-user(7), sstoreadm(1)