From owner-freebsd-security Fri Mar 12 7:20: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from unicorn.blackhats.org (unicorn.blackhats.org [194.109.83.155]) by hub.freebsd.org (Postfix) with ESMTP id 3376314E46 for ; Fri, 12 Mar 1999 07:20:02 -0800 (PST) (envelope-from unicorn@unicorn.blackhats.org) Received: (from unicorn@localhost) by unicorn.blackhats.org (8.8.8/8.8.8) id QAA23406; Fri, 12 Mar 1999 16:21:48 +0100 (CET) (envelope-from unicorn) Date: Fri, 12 Mar 1999 16:21:47 +0100 From: The Unicorn To: Robert Watson Cc: Matthew Dillon , andrewr , Archie Cobbs , Andrew McNaughton , freebsd-security@FreeBSD.ORG Subject: Re: disapointing security architecture Message-ID: <19990312162147.C22324@unicorn.quux.org> Mail-Followup-To: Robert Watson , Matthew Dillon , andrewr , Archie Cobbs , Andrew McNaughton , freebsd-security@FreeBSD.ORG References: <199903120628.WAA73182@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from Robert Watson on Fri, Mar 12, 1999 at 08:51:05AM -0500 X-Files: The Truth Is Out There! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Mar 12, 1999 at 08:51:05AM -0500, Robert Watson wrote: > On Thu, 11 Mar 1999, Matthew Dillon wrote: > > > It would be hillarious if we could get a C2 certification for a base > > GENERIC system. > > I think that would be great also, although possibly not GENERIC :-). > POSIX.1e was intended to match the requirements of the various colored > books. Once we have Auditing and ACLs, I suspect we are getting fairly > close to C2-capable. I've never actually read those specs though--anyone > know if they are still available, and if so have an ISBN? If not, I can > go dig up a reference librarian and have them find it for me, but Amazon > is usually easiest :-). You are referring to the Orange Book, published by the U.S. Department of Defense. Also known as Trusted Computer Systems Evaluation Criteria (TCSEC), CSC-STD-001-S3, 1983. Part of the rainbow series. As far as I know these are still available online. Check out: http://www.ntshop.net/security/rainbow.htm I know, not a place you want to visit often, but last time I looked they had the complete series on-line, which is rather cute :-) > C2 certification is presumably also an expensive process; if someone wants > to find a sponsor, we could almost certainly achieve C2 compliance with a > little restriction of the base system and appropriate POSIX.1e options. > Having a nice big "C2-Compliant!" stamp on the 4.0 CD would blow the > competition out of the water (so to speak) and certainly be excellent PR. Absolutely, but beware... Things got rather nasty when M$ announced that NT was C2 compliant (but only when networking was disabled :-). If I remember correctly this kind of certification is not only dependend on system software, but also on the hardware used during the certification. Therefor C2 certification on PC hardware may not really be what we are looking for... Then again I could be remembering incorrectly. BTW. Iff the security audit of FreeBSD really takes place I would like to be a part of it. Hopefully I can make some time available to actually work on this as well :-) > Robert N Watson ---end quoted text--- Ciao, Unicorn. -- ======= _ __,;;;/ TimeWaster ================================================ ,;( )_, )~\| A Truly Wise Man Never Plays PGP: 64 07 5D 4C 3F 81 22 73 ;; // `--; Leapfrog With A Unicorn... 52 9D 87 08 51 AA 35 F0 ==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! ======= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message