Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!husc6!seismo!mimsy!aplcen!osiris!mjr
From: mjr@osiris.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation
Message-ID: <1191@osiris.UUCP>
Date: Fri, 19-Jun-87 14:04:52 EDT
Article-I.D.: osiris.1191
Posted: Fri Jun 19 14:04:52 1987
Date-Received: Sat, 20-Jun-87 10:02:55 EDT
References: <175@uw-apl.UUCP> <8737@tekecs.TEK.COM>
Organization: Johns Hopkins Hospital
Lines: 44
Keywords: UNIX, classified, DoD, audit
Summary: braindead.

In article <8737@tekecs.TEK.COM>, snoopy@doghouse.gwd.tek.com (Snoopy) writes:
> In article <175@uw-apl.UUCP> cel@uw-apl.UUCP (Curtis Lacy) writes:
>
> >New DoD requirements for classified computing require that we provide
> >an audit trail from which they can reconstruct all "actions to open, close,
> >create and destroy classified files"
>
> To do this right, forget about the utilities, and put logging into
> the kernel for the various system calls, e.g. open(2), close(2), etc.
> Otherwise, someone could bypass the audit by writing their own version.
> You would probably want the UID, the pathname, and a timestamp, possibly
> other things.  You'll need some way to distinguish between classified
> files and non-classified files, to keep the volume of the log down.

In UNIX it's much too easy to fake that kind of thing out, though.
Suppose I break into Ollie North's home directory and tar(1) it all to
a file in my home directory.  That logs one open(2) call for each file,
and one open() call for the creation of the file in my home dir.  Now,
however, I have *one* file that is really an unknown number of
classified files.  Any further operations performed on it will seem to
be working on one file.

Obviously, the above example is a braindead example off the top of my
head (the pointy part), but you get the idea.  It's too easy to mess up
your tracks as far as what you're doing and where.

"cat OlliesFile | tee output" would let me read a file while appearing
to only make a copy of it to disk.  I did 2 open(2) and 2 close(2), and
that's it, since the standard input is always open.  You'd maybe have
to keep track of all the devices/files open for read/write by the
particular user at the time of access, as well as the number of bytes
(ignoring compression) written to those devices.  You could also have
the shell explicitly open the standard file descriptors *EVERY* time
you write to the tty.

I suppose telling the spooks to go play cowboys&indians somewhere where
they know what they're talking about is too idealistic?

--mjr();
--
If they think you're crude, go technical; if they think you're technical,
go crude.  I'm a very technical boy.  So I get as crude as possible.
These days, though, you have to be pretty technical before you can even
aspire to crudeness...                                  -Johnny Mnemonic
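The two evasions in the post above (a tar(1) of many classified files that then looks like one file, and "cat OlliesFile | tee output" producing only two open(2) calls because stdin/stdout and the pipe are inherited rather than opened) can be replayed against a toy audit model. The code below is an added example and is not from the original post, the thread, or any real audit implementation. It contrasts a naive trail that records only open(2) calls on classified pathnames with a floating-label model that propagates "which classified files has this process read" onto every descriptor the process subsequently writes, pipes and inherited descriptors included; that generalises the "keep track of all the devices/files open for read/write by the particular user" idea floated in the post. All pids, paths, the event format and the sample event streams are constructed for this example.

```python
# Added example, not code from the original comp.unix.wizards post.
# Toy model of a syscall-level audit trail. The event format
# ("open", pid, fd, path) / ("inherit", pid, fd, path) / ("read", pid, fd)
# / ("write", pid, fd) / ("close", pid, fd) and all pids and paths are
# constructed for illustration.

from collections import defaultdict

# Constructed set of classified pathnames (the poster's "OlliesFile" etc.).
CLASSIFIED = {"/home/ollie/memo1", "/home/ollie/memo2", "/home/ollie/OlliesFile"}


class AuditModel:
    def __init__(self, classified):
        self.classified = set(classified)
        self.fds = defaultdict(dict)      # pid -> {fd: path}
        self.taint = defaultdict(set)     # pid -> classified sources it has read
        # path -> classified sources whose bytes flowed into that path
        self.labels = {p: {p} for p in self.classified}
        # What a per-open(2) trail sees: one (pid, path) per open(2) call
        self.open_log = []

    def open(self, pid, fd, path):
        """open(2): the only event the naive pathname trail records."""
        self.fds[pid][fd] = path
        self.open_log.append((pid, path))

    def inherit(self, pid, fd, path):
        """Descriptor set up without open(2) in this process: stdin/stdout
        from the shell, a pipe end, a dup'd fd. Invisible to the naive trail."""
        self.fds[pid][fd] = path

    def read(self, pid, fd):
        # Floating label: the process now carries whatever labels the
        # source path carried.
        path = self.fds[pid][fd]
        self.taint[pid] |= self.labels.get(path, set())

    def write(self, pid, fd):
        # Everything written inherits the writer's accumulated labels.
        path = self.fds[pid][fd]
        self.labels.setdefault(path, set()).update(self.taint[pid])

    def close(self, pid, fd):
        self.fds[pid].pop(fd, None)

    def replay(self, events):
        for name, *args in events:
            getattr(self, name)(*args)
        return self

    def naive_classified_opens(self):
        """Entries the per-open(2) trail would flag as touching classified data."""
        return [(pid, p) for pid, p in self.open_log if p in self.classified]

    def label(self, path):
        """Classified sources the floating-label model says reached this path."""
        return frozenset(self.labels.get(path, set()))


def tar_scenario():
    """The tar(1) case: two classified files go into one archive in another
    user's home directory; a second process then works on the archive only."""
    events = [
        ("open", 100, 3, "/home/ollie/memo1"), ("read", 100, 3), ("close", 100, 3),
        ("open", 100, 3, "/home/ollie/memo2"), ("read", 100, 3), ("close", 100, 3),
        ("open", 100, 4, "/home/mjr/loot.tar"), ("write", 100, 4), ("close", 100, 4),
        # pid 101 never opens anything under /home/ollie.
        ("open", 101, 3, "/home/mjr/loot.tar"), ("read", 101, 3),
        ("open", 101, 4, "/tmp/out"), ("write", 101, 4),
    ]
    return AuditModel(CLASSIFIED).replay(events)


def cat_tee_scenario():
    """'cat OlliesFile | tee output': exactly two open(2) calls, since the
    pipe, stdin and stdout are inherited, yet the bytes reach the terminal."""
    events = [
        ("inherit", 200, 1, "pipe:1"),                     # cat's stdout
        ("open", 200, 3, "/home/ollie/OlliesFile"), ("read", 200, 3),
        ("write", 200, 1), ("close", 200, 3),
        ("inherit", 201, 0, "pipe:1"),                     # tee's stdin
        ("inherit", 201, 1, "/dev/tty"),                   # tee's stdout
        ("open", 201, 3, "output"), ("read", 201, 0),
        ("write", 201, 1), ("write", 201, 3), ("close", 201, 3),
    ]
    return AuditModel(CLASSIFIED).replay(events)


if __name__ == "__main__":
    for name, m in (("tar", tar_scenario()), ("cat|tee", cat_tee_scenario())):
        print(name, "naive trail:", m.naive_classified_opens())
        for p in ("/home/mjr/loot.tar", "/tmp/out", "output", "/dev/tty"):
            if m.label(p):
                print(name, "label", p, "=", sorted(m.label(p)))
```

In the tar replay the naive trail shows two classified opens by pid 100 and nothing at all for pid 101, while the label model marks both the archive and /tmp/out with both memos. In the cat | tee replay the trail holds exactly two open(2) entries, and the label model shows the classified bytes reaching both "output" and /dev/tty. The caveat a practitioner would want: floating labels over-approximate. Once a process has read classified data, everything it writes for the rest of its life is labelled, so a long-lived shell spreads labels widely (the usual label-creep trade-off), and the model says nothing about leaks through file sizes, timing, or other channels that do not pass through read/write.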