PSARC Questions Version 1.22
Approved Oct. 2008 (PSARC/2008/625)

The 20 questions outline serves several purposes. One is to present to
the ARC in a uniform manner pertinent information about any case. Many
of the answers to these questions can be direct and specific references
to other case materials (although care must be taken to keep the
references current). A second purpose is to allow an ARC member to get
a concise overview of the case in an efficient manner. Another purpose
is that the 20 questions should provoke thought and questions for
project teams unfamiliar with the ARC process, by asking questions
about aspects of the project that need be considered. Lastly, the 20
questions serves as a vehicle between the case owner and the project
team as an indicator of preparedness. The 20 questions, as do other ARC
materials, remain as documentation of the case plan of record.


1.  What is the proposal being presented for review?

    * Give an overview of the project and its phase(s).
    * Describe the exposure (OpenSolaris), scope and type of review desired
      (overview, full case, etc.)
    * Indicate the release binding requested by the project team. See:
      http://www.opensolaris.org/os/community/arc/policies/release-taxonomy/
    * What are the project's deliverables?
    * How does this project align with existing or proposed ARC cases?

	This project is the umbrella case to document the roadmap for
	reparse points and referrals.  Details are available in
	reparse_umbrella_spec.txt.

    	Patch binding is requested.

	Deliverables will be described in the follow-on projects
	described in reparse_umbrella_spec.txt.

2.  Describe user interactions.

    * Are new user interfaces being proposed, or existing interfaces being
      changed?
    * Explain the similarities in proposed interfaces with existing OS user
      interfaces (Solaris, Linux, Windows, etc.).
    * Are there any install time changes?

	These details will be provided in the follow-on projects
	described in reparse_umbrella_spec.txt.

3.  What are the exported (defined by your project) and imported (defined by
    another project that your project then references) interfaces or protocols
    and their respective stability levels?  See:
    http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ 

    * Is there a versioning scheme in place?
    * Has the team secured interface contracts where necessary?
    * Use an ARC prescribed interface table format.

	These details will be provided in the follow-on projects
	described in reparse_umbrella_spec.txt.

4. Describe any dependencies on hardware (e.g. SPARC exclusive), and on other
   projects within Solaris.

	None.

5.  Projects need to be aware of the overall security of the system and how
    their components affect it. Which parts of this project are critical to
    the security of the system to avoid such unintended consequences such
    as unauthorized system entry, unauthorized access to or modification of
    data, elevation of privilege, denial of service, violation of labeled
    security, ...? Does this project require elevated privilege?

	No security impact is envisaged with the addition of
	reparse points or referrals.

    A number of specific policies and practices address various aspects of
    the security of the system. They are found in appendix 1. Which of
    these are applicable to this project, and how are they addressed?

	Details will be provided in the follow-on projects
	described in reparse_umbrella_spec.txt.

6.  Describe means of observing project functionality and performance, by
    an end user or by a system administrator.

	Details will be provided in the follow-on projects described
	in reparse_umbrella_spec.txt.

7.  How does the project deal with faults and interruptions? Initialization
    and restarting?

	Details will be provided in the follow-on projects described 
	in reparse_umbrella_spec.txt.

8.  How does the project interact with Solaris virtualization technologies
    (xVM, LDOMs, zones, Branded zones, SunCluster, etc.)? 

	Details will be provided in the follow-on projects described
	in reparse_umbrella_spec.txt.

9.  Does this project require administration (i.e., configuration or
    management)? If so,

    * How is the project administered, and what sort of review process has
      this user interface undergone?
    * Is there a means of aggregating management and/or configuration with
      other related projects?
    * Does this project deliver its own administration along with the other
      components, or is this project an administration interface for other
      projects?
    * Are there any external (to Solaris) management interfaces to
      consider, or being consumed?

    Projects that require or deliver administrative interfaces are often by
    their nature security components of the system and should likely
    address the security question (#5 above, with attention to RBAC and
    Audit). (See also appendix 2).

	The intent is to use existing administration mechanisms.
        Administration details will be provided in the follow-on
	projects described in reparse_umbrella_spec.txt.
    
10. Have you reviewed the Policies and Best Practices? Are there any
    exceptions this project needs? See
    
    http://www.opensolaris.org/os/community/arc/policies/
    http://www.opensolaris.org/os/community/arc/bestpractices/

	No exceptions have been identified for this project.

Appendix 1. Security references

    Plugable Authentication Modules

    http://opensolaris.org/os/community/arc/policies/PAM/

    Audit Policy

    http://opensolaris.org/os/community/arc/policies/audit-policy/

    Service Management Facility (SMF) usage

    http://opensolaris.org/os/community/arc/policies/SMF-policy/

    Install-Time Security

    http://opensolaris.org/os/community/arc/policies/ITS/

    Network Install-Time Security

    http://opensolaris.org/os/community/arc/policies/NITS-policy/

    Secure - by - Default

    http://opensolaris.org/os/community/arc/policies/secure-by-default/

    When to use setuid -vs - RBAC roles and profiles

    http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/

    Building RBAC Rights Profiles

    http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/

    Adding RBAC Authorizations

    http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/

    Reusable Passwords in Command Line Arguments and Environment Variables

    http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/

    Storing Reusable Passwords on a FileSystem

    http://opensolaris.org/os/community/arc/bestpractices/passwords-files/

    Administrative and Security Precedents and Policies

    http://opensolaris.org/os/community/arc/bestpractices/overview-admin-security/

    Security Questions

    http://opensolaris.org/os/community/arc/bestpractices/security-questions/

    Labeled Security:

    http://en.wikipedia.org/wiki/Multilevel_security

    See also PSARC/2002/762 Layered Trusted Solaris

    http://arc.opensolaris.org/caselog/PSARC/2002/762

Appendix 2. Administrative access and control

    RBAC (Role Based Access Control): 

    See PSARC/1997/332 Execution Profiles for Restricted Environments

    http://arc.opensolaris.org/caselog/PSARC/1997/332

    Privilege:

    See PSARC/2002/188 Least Privilege for Solaris

    http://arc.opensolaris.org/caselog/PSARC/2002/188

Appendix 3. Policies and Best Practices references

    http://www.opensolaris.org/os/community/arc/policies/

    http://www.opensolaris.org/os/community/arc/bestpractices/