C2 secure systems and the superuser

Daniel P. Faigin faigin at aerospace.aero.org
Tue Mar 19 06:07:35 AEST 1991


In article <19104 at rpp386.cactus.org>, jfh at rpp386.cactus.org (John F Haugh II) writes:

> In article <1991Mar13.185609.21132 at convex.com> tchrist at convex.COM (Tom Christiansen) writes:
>>I'm not here to have a good laugh at anybody, including SecureWare.  I
>>just want to point out that the C2 security stuff I've seen applied to
>>UNIX has some fundamental problems in its approach.  Breaking up the
>>superuser into small compartments that each do a few very powerful things
>>isn't enough if you're not very very very very careful.  I haven't yet
>>seen any that are that careful.

First of all, it should be noted that when a system is accredited (this is
different than rating a system), computer security such as that provided by a
rating is only one of many security disciplines. Other disciplines include
personnel and physical security, as well as procedural security. For example,
it is assumed that, before giving an account privileges, you have ensured that
the user of that account is trustworthy.

> Well, I think it is very important to expose fraud whereever it is found.
> Part of the concept behind the TCSEC and the NCSC is that we trust the NCSC
> to properly apply the criteria described in the TCSEC so that the criteria
> have some meaning.  

First of all, note that the NCSC (actually, the TPEP portion of NCSC's parent)
does not apply the criteria. They evaluate how well a system meets the
criteria. It is up to the vendor to apply the criteria.

> What companies such as SecureWare are doing is to take a meaningful
> collection of criteria and announce, without proof, that they adhere to
> these well defined criteria.  Naive users do not fully understand what the
> difference between a "rated" and an "unrated" system are - there are very
> real differences and SecureWare is clouding them up.

A rated system is one that has been evaluated by the NCSC (so to speak). An
unrated system is one that has obtained its rating, to coin a Steve Walker
phrase, by emphatic assertion.

> The mistake was on the part of the NCSC.  Just as the Motion Picture Assoc.
> should have "trademarked" or whatever the "X" rating, so should the NCSC
> have "trademarked" the "C2" rating.

I do agree with you on this one. It annoys me when I see vendors "claiming" to
have a rating, when they are unevaluated. It cheapens the evaluation work that
I do.

> To continue with the real topic, "C2" is not that "secure" of a rating.

No rating is "secure". They are "trust" levels, based on features and
assurances. The "secure"-ness of a system is a result of all security
disciplines.

> If you expect the system to warn you of auditable events which might
> indicate a violation of the security policy you have to go to a higher
> level.  The only rating level between "C2" and MS-DOS is "C1".

MS-DOS has never been rated.

> As long as the system audits everything the "auth" or "sysadmin" user is
> doing, including that they turned off auditing or whatever, it has fulfilled
> the "C2" criteria.

And if you can't trust the trusted user, well, you get what you deserve...

Daniel
--
[W]:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 213/336-8228
[Email]:faigin at aerospace.aero.org               [Vmail]:213/336-5454 Box#3149
"A consensus means that everyone agrees to say collectively what no one 
believes individually" -- Abba Eban