Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mcvax!unido!iaoobelix!woerz
From: woerz@iaoobelix.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation - (nf)
Message-ID: <8300007@iaoobelix.UUCP>
Date: Thu, 25-Jun-87 05:50:00 EDT
Article-I.D.: iaoobeli.8300007
Posted: Thu Jun 25 05:50:00 1987
Date-Received: Fri, 3-Jul-87 05:17:24 EDT
References: <175@uw-apl.UUCP>
Lines: 65
Nf-ID: #R:uw-apl:-17500:iaoobelix:8300007:000:3198
Nf-From: iaoobelix!woerz    Jun 25 10:50:00 1987

> /***** iaoobelix:comp.unix.wiz / osiris!mjr /  7:04 pm  Jun 19, 1987*/
> In article <8737@tekecs.TEK.COM>, snoopy@doghouse.gwd.tek.com (Snoopy) writes:
> > In article <175@uw-apl.UUCP> cel@uw-apl.UUCP (Curtis Lacy) writes:
> >
> > >New DoD requirements for classified computing require that we provide
> > >an audit trail from which they can reconstruct all "actions to open, close,
> > >create and destroy classified files"
> >
> > To do this right, forget about the utilities, and put logging into
> > the kernel for the various system calls, e.g. open(2), close(2), etc.
> > Otherwise, someone could bypass the audit by writing their own version.
> > You would probably want the UID, the pathname, and a timestamp, possibly
> > other things.  You'll need some way to distinguish between classified
> > files and non-classified files, to keep the volume of the log down.
>
> In UNIX it's much too easy to fake that kind of thing out, though.
> Suppose I break into Ollie North's home directory and tar(1) it all
> to a file in my home directory.  That logs one open(2) call for each
> file, and one open() call for the creation of the file in my home
> dir.  Now, however, I have *one* file that is really an unknown
> number of classified files.  Any further operations performed on it
> will seem to be working on one file.
>
> Obviously, the above example is a braindead example off the top of
> my head (the pointy part), but you get the idea.  It's too easy to
> mess up your tracks as far as what you're doing and where.
> "cat OlliesFile | tee output" would let me read a file while appearing
> to only make a copy of it to disk.  I did 2 open(2) and 2 close(2),
> and that's it, since the standard input is always open.
>
> You'd maybe have to keep track of all the devices/files open for
> read/write by the particular user at the time of access, as well as
> the number of bytes (ignoring compression) written to those devices.
> You could also have the shell explicitly open the standard file
> descriptors *EVERY* time you write to the tty.
>
> I suppose telling the spooks to go play cowboys&indians somewhere
> where they know what they're talking about is too idealistic ?
>
> --mjr();
> --
> If they think you're crude, go technical; if they think you're technical,
> go crude.  I'm a very technical boy.  So I get as crude as possible.  These
> days, though, you have to be pretty technical before you can even aspire
> to crudeness...  -Johnny Mnemonic
> /* ---------- */

It's even more complicated in UNIX.  Tar opens the file and you get a
log.  But consider dump.  It opens the raw device of the disk and copies
the raw block to tape or to another location.  I think it is nearly
impossible to protect someone from reading the raw disk under UNIX.  You
can write a log entry from dump, but I think you cannot protect against
someone reading the raw disk with his own programs.

------------------------------------------------------------------------------
Dieter Woerz
Fraunhofer Institut fuer Arbeitswirtschaft und Organisation
Abt. 453
Holzgartenstrasse 17
D-7000 Stuttgart 1
W-Germany

BITNET: iaoobel.uucp!woerz@unido.bitnet
UUCP:   ...{seismo!unido, pyramid}!iaoobel!woerz
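An added example, not code from the thread and not any real kernel's audit facility: a small Python model of the audit trail mjr and Woerz are arguing about. Rather than logging opens alone, it replays a constructed syscall trace and propagates the classification of whatever a process has open for reading into whatever it writes, so tar's archive, the pipe behind tee, the tty and dump's tape all pick up the label; all paths, pids, device names and the trace itself are made up.

```python
from collections import defaultdict

CLASSIFIED = {"/u/north/memo1", "/u/north/memo2"}   # constructed policy
RAW_DEVICES = {"/dev/rxy0a": CLASSIFIED}            # raw disk -> every file on it

def audit(events):
    """Replay (pid, op, fd, obj, mode) events and return obj -> set of classified
    files whose contents may have flowed into obj.  'open' is what the kernel
    logs; 'inherit' marks descriptors a process started with (stdin, a pipe
    end), which open(2) never records."""
    labels = defaultdict(set)
    for f in CLASSIFIED:
        labels[f].add(f)
    for dev, contents in RAW_DEVICES.items():
        labels[dev] |= contents                     # dump reads around per-file opens
    fds = defaultdict(dict)                         # pid -> fd -> (obj, mode)
    for pid, op, fd, obj, mode in events:
        if op in ("open", "inherit"):
            fds[pid][fd] = (obj, mode)
        elif op == "close":
            fds[pid].pop(fd, None)
        elif op == "write":                         # sink: union of everything readable
            target = fds[pid][fd][0]
            for src, m in fds[pid].values():
                if m == "r":
                    labels[target] |= labels[src]
    return labels

def opens_only(events):
    """What a plain open(2) trail shows: classified paths that were opened."""
    return sorted({e[3] for e in events if e[1] == "open" and e[3] in CLASSIFIED})

# Constructed trace: pid 10 = tar, 11 = cat, 12 = tee (cat memo1 | tee output), 13 = dump.
TRACE = [
    (10, "open", 3, "/u/north/memo1", "r"), (10, "open", 4, "/u/me/arch.tar", "w"),
    (10, "write", 4, None, None), (10, "close", 3, None, None),
    (10, "open", 3, "/u/north/memo2", "r"), (10, "write", 4, None, None),
    (11, "inherit", 1, "pipe:7", "w"), (11, "open", 3, "/u/north/memo1", "r"),
    (11, "write", 1, None, None),
    (12, "inherit", 0, "pipe:7", "r"), (12, "inherit", 1, "/dev/tty3", "w"),
    (12, "open", 3, "/u/me/output", "w"), (12, "write", 3, None, None),
    (12, "write", 1, None, None),
    (13, "open", 3, "/dev/rxy0a", "r"), (13, "open", 4, "/dev/rmt0", "w"),
    (13, "write", 4, None, None),
]

if __name__ == "__main__":
    for obj, srcs in sorted(audit(TRACE).items()):
        print(f"{obj:18} <- {sorted(srcs)}")
    print("open(2)-only trail shows:", opens_only(TRACE))
```

The open(2)-only view names just the two memos, while the propagated view shows arch.tar, output, the tty and the tape as carriers of classified data; an inherited descriptor is the only reason tee's copy is caught at all.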