From: David Kelly
Date: Wed, 6 Oct 2004 14:53:00 -0500
To: "Jeremy C. Reed"
cc: freebsd-chat@freebsd.org
Subject: Re: Department of Defense security levels
Message-Id: <54048F84-17D1-11D9-971B-000393BB56F2@HiWAAY.net>

On Oct 6, 2004, at 9:53 AM, Jeremy C. Reed wrote:

> I have read some about Common Criteria Evaluation Assurance Levels, Orange
> Book levels, Federal Aviation Administration DO-178B Level A and others.

I've been out of it for 5 years but it is my understanding the Orange Book was retired.

> I am looking for a quick reference and explanation of security levels used
> for software in the United States. Any good pointers?

Only took a few moments with Google to find this: http://www.dynamoo.com/orange/

> Also does any *BSD cover U.S. Department of Defense security levels? Maybe
> SEBSD or TrustedBSD?

The old Orange Book level C3 included everything. With C3 all users and persons with physical access are required to have equal or greater clearance and need-to-know as the systems and the data they contain. If networked then all other systems on the network must be the same need-to-know, we called this "stand alone" as systems were physically segregated by project or task. No feature of the OS such as user name, password, or resource ownership is considered a "security feature" in this context.

I have run FreeBSD in C3 environments.

> If no BSD, what about Linux? Where can I learn more about this?

I heard Once Upon A Time someone with deep pockets was pushing a Linux system thru the qualification process aiming for a C1 or B-level. For mere mortals and civilians it doesn't mean a darned thing as nobody but the DoD cares to put up with the hassle. If it passed using a Brand-X motherboard with 386DX33 then that too is what you must use.

Once Upon A Time Microsoft made big hay about Windows NT 3.5.1 being C2 or C1. Not exactly true as only one specific configuration made that grade. Without NIC. Without floppy. Without CDROM. Without external reset button.

--
David Kelly N4HHE, dkelly@HiWAAY.net
========================================================================
Top-posters will not be shown the honor of a reply.