Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!mailrus!purdue!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn)
Newsgroups: comp.unix.questions
Subject: Re: UNIX logging question.
Message-ID: <11772@smoke.BRL.MIL>
Date: 8 Dec 89 02:31:57 GMT
References: <3259@hub.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn)
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 17

In article <3259@hub.UUCP> harald@apple.ucsb.edu (Ommang) writes:
>If you enter a nonexisting login id or an incorrect password, is this
>logged somewhere in a file / to a system console ? (I sure hope so, ..

You seem to think that this would be a security advantage,
but it can act quite to the contrary when people's passwords
are printed out (with small, usually readily identifiable, typos).

In fact, many systems DO log "Bad Login Attempts", but they should
do this only into a secure file, not to the console.

>Also, Gary Grossman in "How Secure is Secure", UNIX Review Aug '86,
>concludes that UNIX does not quite make it to a C2 NCSC rating.

Gould UTX-32S was rated C1.
UNIX System V/MLS is rated B2, I believe.
I think there are other NTSC-rated flavors of UNIX.