sstore-security - Security attributes of statistics and events
By default, statistics and events are visible and capturable by all users.
However, there are a few scenarios that require more specific RBAC authorizations.
Statistics might need to be marked as sensitive, meaning that reading them is security-relevant; cryptography-related statistics are an example. Reading or capturing a sensitive statistic requires additional authorization.
Statistics may also be marked with their expense to capture. Many statistics have no impact on the system, but some require more invasive techniques, such as DTrace scripts, which might impact the performance of the system. Such statistics are marked as expensive and require additional authorizations to capture.
The client must have the solaris.sstore.read.sensitive authorization or must be an sstore-authorized-user(7) for a read-sensitive operation for the given ssid.
The client must have the solaris.sstore.capture.sensitive authorization or must be an sstore-authorized-user(7) for a capture-sensitive operation for the given ssid.
The client must have the solaris.sstore.capture.expensive authorization or must be an sstore-authorized-user(7) for a capture-expensive operation for the given ssid.
The client must have the solaris.sstore.write authorization or must be an sstore-authorized-user(7) for a write operation for the given ssid.
The client must have the solaris.sstore.update.res authorization or must be an sstore-authorized-user(7) for an update_res operation for the given ssid.
The client must have the solaris.sstore.delete authorization or must be an sstore-authorized-user(7) for a delete operation for the given ssid.
The client must have the solaris.sstore.configure authorization or must be an sstore-authorized-user(7) for a configuration operation for the given ssid.
The authorizations to view and manage statistics are made available in the following RBAC profiles:
     Stat Store Read All
           Reads all statistics. A broader profile contains the Stat Store Read All profile.
     Stat Store Management
           Reads and manages all statistics. A broader profile contains the Stat Store Management profile.
The following example displays the expensive attribute of an ssid:
     $ sstore info //:class.dtrace//:res.net//:stat.ip_bytes
     Identifier: //:class.dtrace//:res.net//:stat.ip_bytes
     description: ip network traffic in bytes
     type: counter
     units: bytes
     expensive: True
     partitions: hostname
     partitions: protocol
     partitions: direction
     partitions: application
The expensive field in the example specifies that the given statistic is expensive. If the expensive field is absent, the statistic is assumed to be non-expensive.
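The following Python is an added example, not code from the sstore-security(7) page or from Solaris. It parses the `sstore info` text format shown above (treating an absent expensive field as non-expensive, as the page states) and models the authorization decision listed earlier: each operation needs its solaris.sstore.* authorization unless the client is an authorized user for that operation on that ssid. Three things are assumptions rather than page facts: a `sensitive: True` line is modelled on the `expensive: True` line, the per-ssid authorized-user list of sstore-authorized-user(7) is represented by a plain dict, and a held authorization ending in `.*` is honoured as a wildcard in the usual RBAC way.

```python
"""Model of the sstore authorization decision (added example, not Solaris code)."""

# Constructed sample: `sstore info` output for the ssid shown on this page.
SAMPLE_INFO = """\
Identifier: //:class.dtrace//:res.net//:stat.ip_bytes
description: ip network traffic in bytes
type: counter
units: bytes
expensive: True
partitions: hostname
partitions: protocol
partitions: direction
partitions: application
"""

# Constructed sample with no expensive field: must be treated as non-expensive.
SAMPLE_INFO_CHEAP = """\
Identifier: //:class.app//:res.example//:stat.requests
description: constructed example, not a real Solaris statistic
type: counter
units: requests
"""

# Operations whose authorization does not depend on the statistic's attributes.
STATIC_AUTHS = {
    "write": "solaris.sstore.write",
    "update_res": "solaris.sstore.update.res",
    "delete": "solaris.sstore.delete",
    "configure": "solaris.sstore.configure",
}


def parse_sstore_info(text):
    """Parse `key: value` lines into a dict; repeated keys (partitions) become lists."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in info:
            if not isinstance(info[key], list):
                info[key] = [info[key]]
            info[key].append(value)
        else:
            info[key] = value
    return info


def _flag(info, key):
    # An absent attribute means False, as the page states for `expensive`.
    # `sensitive` is an assumed field modelled on `expensive`.
    return str(info.get(key, "False")).lower() == "true"


def required_auths(info, op):
    """Return the set of authorizations `op` needs for the statistic in `info`."""
    if op in STATIC_AUTHS:
        return {STATIC_AUTHS[op]}
    if op == "read":
        # Reads are free unless the statistic is sensitive.
        return {"solaris.sstore.read.sensitive"} if _flag(info, "sensitive") else set()
    if op == "capture":
        needed = set()
        if _flag(info, "sensitive"):
            needed.add("solaris.sstore.capture.sensitive")
        if _flag(info, "expensive"):
            needed.add("solaris.sstore.capture.expensive")
        return needed
    raise ValueError("unknown operation: %s" % op)


def holds_auth(held, wanted):
    """True if `wanted` is granted by an entry in `held` (trailing .* wildcard assumed)."""
    for auth in held:
        if auth == wanted:
            return True
        if auth.endswith(".*") and wanted.startswith(auth[:-1]):
            return True
    return False


def is_authorized(info, op, user, held_auths, authorized_users):
    """Allow if the user is an authorized user for (ssid, op), else require every auth.

    `authorized_users` maps ssid -> {user: set of operations}; this is an assumed
    representation of the sstore-authorized-user(7) mechanism, not its real format.
    """
    ssid = info.get("identifier", "")
    if op in authorized_users.get(ssid, {}).get(user, set()):
        return True
    return all(holds_auth(held_auths, a) for a in required_auths(info, op))


if __name__ == "__main__":
    stat = parse_sstore_info(SAMPLE_INFO)
    print(stat["identifier"], "capture needs:", sorted(required_auths(stat, "capture")))
    print("alice with solaris.sstore.*:", is_authorized(stat, "capture", "alice", ["solaris.sstore.*"], {}))
```

Because the decision is "authorized user for this ssid, otherwise hold every required authorization", a user with only `solaris.sstore.capture.sensitive` is still refused a capture of a statistic that is both sensitive and expensive; checking one attribute at a time is the mistake this model guards against.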
auths(1), sstore(1), libsstore(3LIB), sstore.json(5), ssid(7), ssid-metadata(7), sstore(7), sstore-authorized-user(7), sstoreadm(1)