From owner-freebsd-security Mon Jul 24 23:20:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 7381F37BA69 for ; Mon, 24 Jul 2000 23:20:13 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id QAA05994; Tue, 25 Jul 2000 16:19:52 +1000 (EST)
From: Darren Reed
Message-Id: <200007250619.QAA05994@cairo.anu.edu.au>
Subject: Re: orange book rating for freebsd
To: imp@village.org (Warner Losh)
Date: Tue, 25 Jul 2000 16:19:51 +1000 (Australia/NSW)
Cc: john1000@cwcom.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <200007250251.UAA85516@harmony.village.org> from "Warner Losh" at Jul 24, 2000 08:51:16 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Warner Losh, sie said:
>
> In message <397CEC16.F5453AC0@cwcom.net> m01ym900@cwcom.net writes:
> : does anyone know what level of security rating freeBSD can be configured
> : to, with regards to the orange book rating system (C1 through to A1).
>
> FreeBSD can be configured to be C2 secure, just like all the other
> Unix-oids out there. There's some work with TrustedBSD to make things
> B1 or B2, but those are very hard. FreeBSD doesn't have the
> facilities to get A1, which requires, iirc, tagging of all data as
> unclassified, secret or top secret and not allowing data to cross the
> security boundaries (in either direction w/o authorization from the
> system administrator).

In addition to programming with labels, etc, Ax also requires taking
into account "signalling" via covert channels. FreeBSD will never reach
an A level orange book rating because it was not designed, from scratch,
to be that way.
C2 is just a matter of someone with money giving a box to the NSA,
appropriately configured and with suitable documentation, for review.
As for "tags", those are required for B2, along with rules about which
way data can "travel".

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message