C2 secure systems and the superuser

John F Haugh II jfh at rpp386.cactus.org
Thu Mar 14 23:13:24 AEST 1991


In article <1991Mar13.185609.21132 at convex.com> tchrist at convex.COM (Tom Christiansen) writes:
>I'm not here to have a good laugh at anybody, including SecureWare.  I
>just want to point out that the C2 security stuff I've seen applied to
>UNIX has some fundamental problems in its approach.  Breaking up the
>superuser into small compartments that each do a few very powerful things
>isn't enough if you're not very very very very careful.  I haven't yet
>seen any that are that careful.

Well, I think it is very important to expose fraud wherever it
is found.  Part of the concept behind the TCSEC and the NCSC is
that we trust the NCSC to properly apply the criteria described
in the TCSEC so that the criteria have some meaning.  What
companies such as SecureWare are doing is to take a meaningful
collection of criteria and announce, without proof, that they
adhere to these well-defined criteria.  Naive users do not
fully understand what the difference between a "rated" and an
"unrated" system is - there are very real differences and
SecureWare is clouding them up.  Notice how quiet SecureWare is?
They =are= on the net, and yet they do not get engaged in this
discussion because their behavior is =unethical=.  The mistake
was on the part of the NCSC.  Just as the Motion Picture Assoc.
should have "trademarked" or whatever the "X" rating, so should
the NCSC have "trademarked" the "C2" rating.

To continue with the real topic, "C2" is not that "secure" of
a rating.  If you expect the system to warn you of auditable
events which might indicate a violation of the security policy
you have to go to a higher level.  The only rating level between
"C2" and MS-DOS is "C1".  There are still 3 "B" levels and an
"A" level above "C2".  The description of "C2" is

	"Systems in this class enforce a more finely grained
	 discretionary access control than (C1) systems, making
	 users individually accountable for their actions
	 through login procedures, auditing of security-
	 relevant events, and resource isolation."

What you are expecting "C2" to do isn't even a part of "C2".
You probably want "B2" or possibly "B3".  As long as the
system audits everything the "auth" or "sysadmin" user is doing,
including that they turned off auditing or whatever, it has
fulfilled the "C2" criteria.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.
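As an added illustration of the post's last point (not code from the post, from SecureWare, or from any rated system): a toy model of compartmentalised admin roles whose audit trail records the act of turning auditing off before it takes effect, so the trail never ends silently. The role names "auth" and "sysadmin" come from the post; the actions, users and record format are constructed.

```python
"""Toy C2-style audit trail over compartmentalised admin roles.

Illustration only: role names come from the discussion; the action
table, users and record tuples are constructed for this example.
"""
from dataclasses import dataclass, field

# Which compartmentalised role may perform which privileged action (constructed).
ROLE_ACTIONS = {
    "auth": {"passwd_change", "account_lock"},
    "sysadmin": {"mount", "audit_off", "audit_on"},
}


@dataclass
class AuditTrail:
    enabled: bool = True
    records: list = field(default_factory=list)   # (user, role, action, outcome)

    def _log(self, user, role, action, outcome):
        if self.enabled:
            self.records.append((user, role, action, outcome))

    def perform(self, user, role, action):
        """Check the role's compartment, write the audit record, then act.

        Returns True if the action was permitted and carried out.
        """
        allowed = action in ROLE_ACTIONS.get(role, set())
        if allowed and action == "audit_on":
            self.enabled = True           # re-enable first so this action is recorded
        # The record is written before the action, so even "audit_off"
        # (and every denied attempt) appears in the trail.
        self._log(user, role, action, "ok" if allowed else "denied")
        if not allowed:
            return False
        if action == "audit_off":
            self.enabled = False          # recorded above, before it takes effect
        return True


def demo():
    """Walk through a session: one denied attempt, then auditing toggled off and on."""
    trail = AuditTrail()
    trail.perform("alice", "auth", "passwd_change")   # ok, recorded
    trail.perform("alice", "auth", "mount")           # denied, recorded
    trail.perform("bob", "sysadmin", "audit_off")     # ok, recorded before auditing stops
    trail.perform("bob", "sysadmin", "mount")         # ok, but NOT recorded (auditing off)
    trail.perform("bob", "sysadmin", "audit_on")      # ok, recorded after re-enabling
    return trail
```

The gap between the "audit_off" and "audit_on" records is what a reviewer of the trail would look for: the system tells you auditing was suspended and by whom, which is what the post says a "C2" system owes you.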
More information about the Comp.unix.programmer mailing list