Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rutgers!mit-eddie!uw-beaver!tektronix!orca!tekecs!doghouse!snoopy
From: snoopy@doghouse.gwd.tek.com (Snoopy)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation
Message-ID: <8737@tekecs.TEK.COM>
Date: Thu, 18-Jun-87 13:55:34 EDT
Article-I.D.: tekecs.8737
Posted: Thu Jun 18 13:55:34 1987
Date-Received: Sun, 21-Jun-87 17:31:32 EDT
References: <175@uw-apl.UUCP>
Sender: nobody@tekecs.TEK.COM
Reply-To: snoopy@doghouse.gwd.tek.com (Snoopy)
Organization: The Daisy Hill Puppy Farm
Lines: 23
Keywords: UNIX, classified, DoD, audit

In article <175@uw-apl.UUCP> cel@uw-apl.UUCP (Curtis Lacy) writes:

>New DoD requirements for classified computing require that we provide on demand
>an audit trail from which they can reconstruct all "actions to open, close,
>create and destroy classified files", Section XIII, 111.b.(4), Security
>Requirements for Automated Information Systems, DoD 5220.22-M. A real UNIX
>wizard will understand better than I do that this is not a trivial task in a
>UNIX environment. You have to protect against access by mv, cp, rm, cat, as
>well as attempts by aliased users, tasks which were linked on another system
>and imported by, e.g., mag tape, etc., etc.

To do this right, forget about the utilities, and put logging into the kernel
for the various system calls, e.g. open(2), close(2), etc. Otherwise, someone
could bypass the audit by writing their own version. You would probably want
the UID, the pathname, and a timestamp, possibly other things. You'll need
some way to distinguish between classified files and non-classified files, to
keep the volume of the log down.

comment: yuck!

Snoopy
tektronix!doghouse.gwd!snoopy
snoopy@doghouse.gwd.tek.com
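The design Snoopy sketches (a hook in the kernel's open/close/create/destroy paths, recording UID, pathname and timestamp, and filtering so that only classified files generate records) can be modelled in user space to see how the pieces fit. The following is an added example, not code from the post or from any real UNIX kernel: the hook is an ordinary C function rather than a kernel entry point, the "classified" test is an assumed labelling scheme (a path prefix, `/classified/`), the record store is a fixed in-memory array, and the sample event sequence in `main` is constructed. The point it demonstrates is that once every relevant system call passes through `audit_event`, it does not matter whether the caller was `cp`, `rm`, or a home-grown utility, and that `audit_history` can reconstruct the actions on a given file from the stored records.

```c
/* Added illustration: user-space model of a kernel audit hook for classified
 * files. Not from the original post; the labelling scheme and data are assumed. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>

enum audit_op { AUDIT_OPEN, AUDIT_CLOSE, AUDIT_CREATE, AUDIT_DESTROY };

/* One audit record: the fields the post suggests (UID, pathname, timestamp)
 * plus the operation so the history can be reconstructed. */
struct audit_rec {
    uid_t         uid;
    enum audit_op op;
    time_t        when;
    char          path[256];
};

#define AUDIT_MAX 64
static struct audit_rec audit_log[AUDIT_MAX];   /* in-kernel ring/buffer stand-in */
static int audit_count = 0;

/* Assumed labelling scheme: any path under this prefix is classified. */
static const char *classified_prefix = "/classified/";

int is_classified(const char *path) {
    return strncmp(path, classified_prefix, strlen(classified_prefix)) == 0;
}

/* The hook the kernel would call from open(2), close(2), creat(2), unlink(2).
 * Returns 1 if a record was written, 0 if the file is unclassified (filtered
 * to keep log volume down), -1 if the store is full (a real system must
 * decide whether to block the operation rather than silently lose the record). */
int audit_event(uid_t uid, enum audit_op op, const char *path, time_t when) {
    if (!is_classified(path))
        return 0;
    if (audit_count >= AUDIT_MAX)
        return -1;
    struct audit_rec *r = &audit_log[audit_count++];
    r->uid  = uid;
    r->op   = op;
    r->when = when;
    strncpy(r->path, path, sizeof r->path - 1);
    r->path[sizeof r->path - 1] = '\0';
    return 1;
}

/* Reconstruct the recorded actions on one file, in order. Copies up to max
 * matching records into out[] and returns how many were found. */
int audit_history(const char *path, struct audit_rec *out, int max) {
    int n = 0;
    for (int i = 0; i < audit_count && n < max; i++)
        if (strcmp(audit_log[i].path, path) == 0)
            out[n++] = audit_log[i];
    return n;
}

static const char *op_name(enum audit_op op) {
    switch (op) {
    case AUDIT_OPEN:    return "open";
    case AUDIT_CLOSE:   return "close";
    case AUDIT_CREATE:  return "create";
    case AUDIT_DESTROY: return "destroy";
    }
    return "?";
}

int main(void) {
    /* Constructed event sequence: two users touch a classified file, one
     * user works on scratch space that should not be logged at all. */
    audit_event(1001, AUDIT_CREATE,  "/classified/plans.txt", 1000);
    audit_event(1001, AUDIT_CLOSE,   "/classified/plans.txt", 1001);
    audit_event(1002, AUDIT_OPEN,    "/tmp/scratch",          1002);
    audit_event(1002, AUDIT_OPEN,    "/classified/plans.txt", 1003);
    audit_event(1002, AUDIT_DESTROY, "/classified/plans.txt", 1004);

    struct audit_rec hist[AUDIT_MAX];
    int n = audit_history("/classified/plans.txt", hist, AUDIT_MAX);
    for (int i = 0; i < n; i++)
        printf("%ld uid=%u %-7s %s\n", (long)hist[i].when, (unsigned)hist[i].uid,
               op_name(hist[i].op), hist[i].path);
    return 0;
}
```

Because the filter runs inside the hook, an unclassified path never costs a record, which is the volume-control the post asks for; the trade-off is that the labelling scheme itself (here a path prefix) becomes part of the trusted computing base, since a file moved outside the labelled area by a privileged user would stop being audited.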