Xref: utzoo comp.unix.programmer:1313 alt.sources.d:1617
Path: utzoo!news-server.csri.toronto.edu!utgpu!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.programmer,alt.sources.d
Subject: Re: C2 secure systems and the superuser
Message-ID: <19104@rpp386.cactus.org>
Date: 14 Mar 91 13:13:24 GMT
References: <19101@rpp386.cactus.org> <1991Mar13.042033.12450@convex.com> <19103@rpp386.cactus.org> <1991Mar13.185609.21132@convex.com>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 47
X-Clever-Slogan: Recycle or Die.

In article <1991Mar13.185609.21132@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
>I'm not here to have a good laugh at anybody, including SecureWare. I
>just want to point out that the C2 security stuff I've seen applied to
>UNIX has some fundamental problems in its approach. Breaking up the
>superuser into small compartments that each do a few very powerful things
>isn't enough if you're not very very very very careful. I haven't yet
>seen any that are that careful.

Well, I think it is very important to expose fraud wherever it is found.
Part of the concept behind the TCSEC and the NCSC is that we trust the
NCSC to properly apply the criteria described in the TCSEC so that the
criteria have some meaning. What companies such as SecureWare are doing
is to take a meaningful collection of criteria and announce, without
proof, that they adhere to these well defined criteria. Naive users do
not fully understand what the difference between a "rated" and an
"unrated" system is - there are very real differences and SecureWare is
clouding them up.

Notice how quiet SecureWare is? They =are= on the net, and yet they do
not get engaged in this discussion because their behavior is =unethical=.

The mistake was on the part of the NCSC. Just as the Motion Picture
Assoc. should have "trademarked" or whatever the "X" rating, so should
the NCSC have "trademarked" the "C2" rating.

To continue with the real topic, "C2" is not that "secure" of a rating.
If you expect the system to warn you of auditable events which might
indicate a violation of the security policy you have to go to a higher
level. The only rating level between "C2" and MS-DOS is "C1". There are
still 3 "B" levels and an "A" level above "C2".

The description of "C2" is "Systems in this class enforce a more finely
grained discretionary access control than (C1) systems, making users
individually accountable for their actions through login procedures,
auditing of security-relevant events, and resource isolation."

What you are expecting "C2" to do isn't even a part of "C2". You
probably want "B2" or possibly "B3". As long as the system audits
everything the "auth" or "sysadmin" user is doing, including that they
turned off auditing or whatever, it has fulfilled the "C2" criteria.
-- 
John F. Haugh II        | Distribution to     | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver
manual" -- Robert Hartman, IDE Corp.