Slashdot Mirror
Auditing for Linux?
steelwraith asks: "I'm a contractor working for a DoD agency, and there has been an on-going firefight over whether to allow Linux to be used withing the agency, with a possibility of this spilling over into DoD as a whole. Does anyone know of a project to create or port auditing into any of the Linux distributions? This is a major hurdle to the widespread adoption of Linux in the government; while it has a toe hold in places already, I fear it could be cut off before it has a chance to show its worth."
"A quick search of several sites (I'm under the gun, so I don't have a lot of time to do research) shows that there are no add-ons to Linux to allow C2 level auditing (a la BSM in Solaris). This is one of the primary arguments left for the side that want to deep-six Linux in the agency (on top of the requirement for a vendor integrity statement of some kind)."
DoDLinux features advanced auditing. With the -B switch DoDLinux will dispatch a B2 stealth bomber to the policy violaters location to deliver the violation message in a descreet 500 kg package.
I read all of those threads as they were posted. Curry, who was the consultant who guided NT3.5 to C2 certification, claimed to have a contract to work on a package for securing NT4, every service pack to which broke the security modifications. In his posts he stated that there was pressure exerted on him to fraudulently vouch for NT4 as secure, which he refused. (MS was marketing NT4 as if the cert from NT3.5 carried over!) MS broke their contract with him--refusing to pay him I suppose--and threatened him with a smear campaign if he made noise. He made noise and sought interviews with highlevel DoD officials like Cohen. I believe MS made an effort to characterize him as an unbalanced, disgruntled, insignificant (never revealing how important to them he'd been in the past) contract employee. He never collected on his contracts and died a ruined man.
I heard that with Medusa is possible to make secure system even with B1 security level.It can really add security to linux box.
Unfortunately, the DoD loves the stuff. They think COE is the best thing since sliced bread. Especially DISA. DISA is the Defense Information Systems Agency -- And I personally think the D in DISA stands for dysfunctional.
Here's a short description of what DII COE is:
First, there's a web site, where you may download the DII COE kernel and toolkits for Slowlaris, or for HP.
ftp://ftp.uccs.jpl.nasa.gov
They also have DII COE kernels for NT.
What is the aim of DII COE?
DII COE is the brainchild and programming effort of The Jet Propulsion Labs, and has been partially-embraced by the Defense Information Systems Agency. I don't say completely-embraced, because there are a few enclaves within DISA that outright refuse to go the way of DII COE. Namely the Security Testing and Implement Guidelines often conflict and outright disagree with some of the basic concepts of the DII COE.
The DII COE was developed to make a common operating interface, so Joe Private could install packages, er... I mean segments (That's what they're called, I don't know why), without having to type complicated commands like "ls" and "pkgadd"
The DII Coe also replaces the kernel (for Slowlaris at least) so that some of the basic concepts of BSM are turned on. BSM is the Basic Security Model, which logs who logged in, who attempted to log in, what directories they changed to, what files they attempted to read, what files they successfully read, which libraries they used, which accounts they su-ed to, too much information for any decent SA to administer.
BSM can be so verbose that ... LITERALLY ... a whole 8 gigabyte disk got filled with one GBAF (Great Big Ass File) from two days of operation. Systems administrators are busy enough, and they never have time to read 8 GB of logfiles.
So what is so bad about this?,
you may be thinking
COE insists that everyone running the same operating system run the same packages, with the same permissions, with the same files in the same places, with a system of segmenting that takes forever to build new packages ^H^H^H^H I mean segments, a completely-screwed up distribution system, a distribution system without the benefit of a smart checksum system (the packages installed determine their correctness with a standard 32768 checksum. No MD5 Here. Basically because Slowlaris and HP don't come with MD5 Sum. (don't get me started) )
Safety in heterogeneity is unheard of. The philosophy is that it is safer to have everybody running exactly the same thing. When I hear of this complete fallacy, I think of the potato famine in Ireland. Everybody had the same strain of Potato, and when a specific blight liked that breed of potato, the entire country was devastated by the blight. A little heterogeneity would have saved them. Instead millions starved. Do we learn nothing from history?
General Kelly, Yes I'm calling him specifically, gave a promise to Admiral Hale through the 'good-ol-boy' network. Admiral Hale is the big COE-backer -- the guy who thinks COE is the saviour of all bad things of the Internet.
General Kelly basically said "Okay, I'l run your COE", and now that a General makes this edict, a technical decision made on the golf course, nobody in DISA has the balls or the smarts to tell this general that this is a terrible, terrible, terrible idea, and could be the downfall of the entire DII infrastructure.
Making the whole of the DISA land run something stable and secure might be a good idea.
But unfortunately, the DISA concept of secure means running NT, or Solaris right out of the box + patches, and using telnet, because it has been certified free of backdoors.
These people at DISA don't have a clue what secure shell is. They don't have a clue that it's bad to telnet into machines. They do seem to think that the hackers will be held at-bay if you lock out root logins directly. While this is true, a good hacker with a sniffer will just wait for the password after a 'su' command. Stupid, stupid, stupid.
These are the people who think that it's good enough to put a package, I mean segment on a website and say "It's good!" No PGP signatures, no MD5 checksums, no anything. Just compiled binaries on an FTP server. Stupid Stupid Stupid.
these are the people who think that NT is a good operating system because the vendor tells them that it is a good operating system. Stupid, Stuipd, Stupid.
Along this line of reasoning, because they can't set up auditing to the level of granularity that is required by the C2 orange book, Linux is being shunned by those who believe in COE. For those who think that COE is a complete piece of crap, those people ususally think that Linux would be a great thing on the Military Internet.
But the latter category of people is a quiet minority. DISA and Military networks always are at least 3 years behind the industry -- The organizations are full of bureaucrats who would rather swim in red tape than make a decision, or take a risk.
In order for the COE loving dimwits to be happy with Linux, there needs to be COE set up for Linux. I personally think COE is the worst mistake in military history, but I'm just one man. Maybe somebody else out there could improve on it.
American Citizens! Be afraid! Be very very afraid! you have complete screw-ups in charge of the Infrastructure of the Military Internet!
And yes, I'm posting anonymously, I don't want to lose my job.
Then again, I hate DISA so much, because it's such a bunch of complete idiots and bumbling doodleheads, maybe I should find a new job.
sigh
The last time I checked, NT wasn't C2 certified unless you left the NIC out of the machine, which makes it useless as a server. I'm new to Linux myself, but I imagine somebody has had to address this somewhere before.
From the man page:
Auditd is part of the linux kernel auditing toolkit. It will capture auditing trails created by the kernel auditing facility from /proc/audit, filter them, and save them in specific log files. For the moment, auditd only supports the -t option, which enables audit trails timestamping. Other command line options will probably be implemented in the next releases to add more flexibility to the package.
Didn't the NSA recently commission some company to build them a 'secure' distribution of Linux? Shouldn't that include auditing as part of the requirements?
DITCO handled telecommunications contracting for DOD and other government agencies at a percentage... Curious... A governmental business, I kid you not...
Anyways, their AWESOME product ala 1992 was an online order processing system using several networked DOS Machines (ala BBS Software, Mustang Software if I remember), Banyan VINES for the NOS, FoxPRO for the Database backend, and a Sun machine to help the whole thing achieve internet connectivity via telnet sessions and null modem cables...
FUNKY... It was built by an awesome intern (not me) who went on to greater/grander things...
What's the point?
Just my perception but it's all politics... Currently NT is not C2, and making a C2 product is not easy... and Linux is not C2.. yet.. Yet NT is accepted...
So don't sweat it... Do whatever your manager will allow and slowly ease Linux in... In the end it only works if he is comfortable with it, ad infinitium up the chain...
I can give a few general security recommendations. Tripwire is a must... Beyond that you just have to turn up the security based on your experience (may you learn fast ;-)
But I also remember attending one of my first and ONLY NT classes and seeing every single "NT Admin" agree that using NTFS was silly and counterproductive, and using FAT partitions was wiser since you had more utilities to fix FAT Partitions...
So much for security...
In the end security is a synergy between the engineers who made it, and the admins who maintain it... Ever vigilant, amen... Specially since network access of some form is pretty much given these days...
Classifications like C2 and big companies like Microsoft give managers a warm safe feeling... That's it...
Good Security isn't a destination, it's an ongoing project... Talk to your manager for advice, in the end he works for you, as much as you work for him.
We don't all live in a Randite fantasy land. The vast majority of us live in a place where, as George Orwell put it, we sleep soundly in our beds at night because rough men stand ready to do violence in our name. Those "rough men" need whatever tools are best, so for our sake, I hope they get Linux rather than NT.
It speaks wonderfully well of how well those "rough men" (and women) do their job that even licensarian kooks can safely express their opinions :)
What part of "A well regulated militia" do you not understand?
In England we have the Ministry of Death, same thing.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
"f they need auditing, try to ask them
WHAT should be audited."
I think it ought to be US who ask the question. We, the people who are committed to Linux and other open-source project, should be the one who take the proactive step, and ask the questions ourselves.
If we wait until the DoD or others to tell us what needs to be audited, then we are not better than MicroSoft - DoD as a USER should not be responsible for the SECURITY and ROBUSTNESS of Linux, and we who have contributed to Linux and other open-source projects should make sure that what we produce will stand up to any kind of test, and we must make sure that we commit a portion of our time to device the various testcase in making sure what we are producing is up to the challenges.
Let me reiterate -
The initiative to make a better Linux
(and all other open-source projects)
should be ours.
It shouldn't be DoD or any other users.
Muchas Gracias, Señor Edward Snowden !
Your wrote:
"This kind of reeks of "WE are in control,
not some silly USER!!" mentality. This goes
directly against at least what IMHO is the
whole point of Open Source."
"Everyone can be a developer. Each USER can
modify it as needed to meet their needs."
Good point !
But I am afraid that it was because of my mistake that you have jump to the wrong conclusion.
What I actually meant in the whole point is that we, the one who are responsibled for the original codes of open-source projects should also be pro-active in making sure that what we wrote makes sense.
In other words, we DO have to have pride in what we wrote - and the pride cometh in the form of GOOD SOLID CODE.
So, to make sure that what we are contributing to the world are GOOD SOLID CODE, the onus in on us to find ways to BREAK OUR OWN PROGRAMS and then find ways to mend the broken parts.
You are correct in saying that EVERYBODY has a part in this open-source thing - but we, the one who contributed the original codes, should not only rely on the users to give us feedbacks or to enhance our codes. We should take steps to ensure that what we give to the world are something that worth their while to use, or else what is the point of open-source if everything cometh from open-source projects are junks anyway?
Muchas Gracias, Señor Edward Snowden !
In order to get certified, you have to turn over your source. The gov't will sign an NDA, but you are still required to turn over your source. Also, to get the higher level security ratings they require you to provide "assurances" that your code is secure, along with additional security features. For the highest level (A1) you have to submidt a formal proof that your system is secure, and have written your code in such a way that they can veriry your prood easily.
There's a good reason why there are no A1 rated OS's (commercial, at least).
Secure Computing also wants to sell it to financial houses, etc.
And, by definition, unless Secure is simply an onsite "contractor" then they are distributing it to the NSA. They also plan to hold onto the copyright on the code as well.
Either case, they must release the code.
Pan
I said no... but I missed and it came out yes.
Excuse my ignorance, but what is "auditing"?
http://bastille-linux.sourceforge.net/
http://dwheeler.com/ secure-programs/Secure-Programs-HOWTO.html
http://i30www.ira.uka.de/SawMill/index. html
http://immunix.org/
http://medusa.fornax.sk/
http://oss.sgi.com/projects/ob1/index.ht ml
http://soledad.cs.ucdavis.edu/
http://users.ox.ac.uk /~mbeattie/linux/ANNOUNCE.mac30-20000214
http://www.data.slu.se/bifrost/index.en .htm
http://www.guug.de/~winni/posix.1e/
http://www.lids.org/
http://www.rsbac.de/rsbac/
http:// www.securecomputing.com/archive/press/2000/nsa_faq _secure_linux.html
http://www.trinix.org
Isn't that a Didi reference?
shapecfg allows traffic shaping based on IP address - is that the sense in which you mean that the bandwidth allocated to a user can be controlled ?
Or is there some tool that will shape traffic differently for users on the same box ?
And ask them if there NT servers are C2 certified. The funny thing, against any other claim, it isn't (NT 3.5x is certified, but only if it has no disk drive and no network connection...).
Correct me if I'm wrong... NT should not have even a hard disk drive in order to be C2 certified, right?
Please correct me if I'm wrong, but a long time ago I read some government manuals about C2 certification. It turns out that level of certification isn't so much based on the actual security of the product...rather, it is a measure of the types of security that it implements.
For example, have you ever wondered why Microsoft chose Ctrl-Alt-Delete to be the log-on, log-out and general system access combination? That's because NT's kernel traps that key combination, and only notifies the log in code that the user has pressed those keys. This prevents some random program from catching Ctrl-Alt-Delete, displaying its own log in box, and recording the password to send to crackers. It also prevents trojan horses from just displaying something that looks like a log in box and catching the user's password, since if the user isn't sure it's a real log-in box, she can just press Ctrl-Alt-Delete and get a real one.
I believe C2 also requires ACLs, which let you control access to a file at an atomic level (Linux can't really do this). And NT has a built-in advantage over Linux as a graphical operating system - since users don't normally have Telnet- or SSH-style access to the system, an attacker can't break in unless the administrator has been _really_ stupid.
I like Linux. I think that in an empirical way it is more secure than NT - when was the last time you heard of a system being compromised? I've heard of a few different break-ins, but they all boiled down to very difficult-to-exploit buffer overflows. In an inductive way, though, NT is more secure, because it implements all sorts of security policies which are simply impossible under Linux (evenif they don't always even work on NT).
It doesn't really matter, though - the only way to make a machine truly secure is to unplug the NIC.
> Lsof is a Unix-specific diagnostic tool.
Just a little note: while there is a Linux port of lsof, the tool on Linux to investigate about open files, sockets, etc. is definitively fuser, which IIRC should have every functionality offered by lsof (and more), and it's installed by default (while lsof is not).
Basically, it's a government standard for computer security. Most free unixes don't even come close.
This is partly because, as security increases, convenience decreases. A and B rated systems require hardware that's designed for security, and PC hardware isn't.
Forward, retransmit, or republish anything I say here. Just don't misquote me.
You're missing the point. For true security (as defined by the Orange Book) you need to test and validate all this in a very rigorous manner. This is neither fast nor cheap, and I am afraid it cannot be done in the usual open-source way by a loosely coupled team. Someone has to bite the bullet and just do it along with all the neccessary paperwork involved.
No politics about it. NT4 is C2. http://www.radium.ncsc.mil/tpep/epl/entries/TTAP-C SC-EPL-99-001.html
Yes, that's with network. (3.5 was the one without.)
Eric
"Seven Deadly Sins? I thought it was a to-do list!"
Secure Computing is working on a C2+ secure version of Linux for the NSA, which, I've been told, will be released to the public.
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
Didn't see this one mentioned: kha0s linux
http://www.kha0s.org/goals/
A distro made for secure computing; possibly a decent choice until C2 is available.
Beware the SPAM in your pajamas.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
I've been working on a design for auditing system calls within the kernel. Basic idea is that details of every system call are communicated to a listening daemon in userland using, for example, netlink sockets. Every process will have an audit mask that determines which calls are audited for that process. Control via ioctl() on fake character device. Design is still fluid, partly influenced by Digital Unix's kernel auditing. I haven't yet started coding in earnest and will look into LinuxBSM (mentioned elsewhere in this thread) before deciding whether or not my efforts are worthwhile.
If I recall correctly ...
As someone says later -- you don't exactly have the right idea on Mandatory Access Controls. Also, encryption is not considered security -- since anything that is encrypted can *eventually*
/etc/passwd, are
be unencrypted. That's not considered secure. They may not want to declassify a given datum for an indefinite (infinte) amount of time.
In IRIX B1, there are ACL's, sensitivity and
Integrity labels (following the Bell-LaPadula and
Biba models) and capabilities. BLP basically
states that information can't flow downward
So all user's run with a Label with S/I components. A user with S=Top Secret can't write into an object (file or dir) that has a rating less than "Top Secret". Lower levels are to
have append-only access to higher-sensitivity data (like an audit trail). In addition you still have the "discretionary" access of standard unix to further control info. But an owner of a file can't downgrade the file unless they are authorized (have CAP_DOWNGRADE (or something similar)). The Integrity part means user's requiring high integrity can't read lower integrity files -- so "root", let's say, only has
access to pre-approved files at some minimal level of integrity. If a user writes to a file, the resulting integrity is the lower of the two(user,file). If a user reads a file (assuming permitted), then if you allow floating user integrity, the user's integrity becomes the lower of (user's, file's). Files like
defined to be of "high integrity" and "low sensitivity" (anyone can read them). I think IRIX has a total of about 47 capabilities to manage it's B1 system. In addition to the mandatory
controls, there are also ACL's.
The B2 level also requires covert channel analysis and higher levels of proof of correctness. B1 requires only 'features' that support the B1 security model and there is documentation to show how the given feature set implements B1. There's also a B3 level -- I forget what's in that, but at the A1 level, formal mathematical proofs are required from the hardware level on up.
Each system certified at a security level C2, B1 is also tied to the particular harware configuration that it is certified on. For example, it wouldn't help to cert B1, then have the user add floppy hardware they could boot from and still expect mandatory access control (B1
cert). You can still claim B1 features in the OS, but the cert is tied to 1 exact box -- no part
number changes.
For a system to be B1 certified, it would likely have to only be certed standalone or on a private network that supports the Sens/Int labels on each TCP session and each udp packet.
Good question! I'm a Department of Defense (DOD) contractor as well. We use SCO OpenServer and it is C2 compliant. (VAX/VMS was as well.) I haven't gone looking for Linux info, but I haven't seen anything about it. I suspect that it doesn't exist.
C2 certification will require some investment and a corporate commitment to the sanctity of the code. This looks like a real good opportunity for one of the major Linux flavors to snag some market share. But it won't happen in time for your project.
Good Luck!
****** WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Cre
I'm a research scientist at philips lab (kirtland AFB New Mexico), and I have 3 linux boxes that I admin as well as using for very large dataset analysis. I replaced an aging RS6000 with a dual PII machine with 70 gig of storage and a tape jukebox. Linux makes my life easier.
I got a new gateway for my desktop last year and the first thing I did was slick NT and put redhat 6.0 on it. I use startoffice to read any office gorp that people send me. Anything coming from my machine is either an acrobat file or a latex document. Sheldon
I think that its very cool that the government is looking into open source. in fact i think its fantastic. but the government should not be limited to open source, the government has to be able to use what ever software gets the job done. one way to ensure that this is open source is to have open source people work in government, to an extent that we write enough software to get the job of government done, that they dont need to buy propritary software.
i don't like the idea of my government be run by non-gpl software, but i also dont like the idea of forcing anybody's hand.
if the DoD isn't gunna use gpl, its my understanding having actually sat down one night and read all of gnu.org, that they can't write anything based on it. the reasoning is that if they make their own linux distro, all components that share code with current linux distros will require it, by law, to be gpl, which the government will not be happy with. it appears that although title 17 section 105 is very close to gpl'ing something, it goes against the gpl of a product if its children are title 17 section 105'ed instead of gpl'ed.
although it would appear on other occasions that the governemnt, in the end, will do what it damn well pleases, and that we can all go to hell if we think we can change that. we cant stop them from stealing from gpl'ed software, and it would be foolish of us to make them use it at the risk of them stealing it or classifing its children.
maybe it would be good to have the government refining the code of non-critical source, imagine the us governemnt doing bug fixes for you, or better yet getting a government contract to do the bug fixes you already do!
well, maybe none of this is really relevant, but i think that the government would be an asset and a danger (the kind of person your glad to work for but you always keep an eye on) on account that they could easily warp all of our effort for the use of evil (making the products of 'DoD Linux' closed source for security reasons).
ok im rambling
grow up
galen is right to point that if the DoD wants to strengthen security they should do away with shared accounts and stregthen passwds. also they should get some of those key logging keyboards that were on slashdot, we'll maybe not. anyways, one way ive heard to ensure that the user at the terminal is who they say they are is to go back to another slashdot article which pointed me to this interveiw: http://www.geeknews.net/interveiws/kevinw.shtml
............
for those of you who dont want to read, its about the cybernetics prof from Reading who put a chip in his arm (a setup similar to the mobile speedpas) that allowed computers and rooms to identify him and open doors for him and log into terminals for him.
instead of loggin inot terminals, it should be used like a second passwd.
login: daevt
passwd: ************
Reading from chip
authorization failed!
your unique chip number has been reported to the proper authorities!
or
authorization success!
$USER, welcome to $HOST
naturally, i think that there are a bunch of us who wouldn't want the governemnt to be able to track us with military grade satellites, (the chip is powered when it receives radiowaves through its powercoil and then spits out a string of numbers) but it would be the second securest method i can think of.
the first would require a direct link into my head which nobody will ever get my permission to do. but the abilty to get a unique feedback for an image or sound fed into your brain. like you brain is your own passwd chipher, and since no one can duplicate your automatic responses, only you could give back every detail of your response.
however i do beleive that time will never come, and its probably a good thing to, what happens if this thing crashes while your logining in, braindamage? now that im why off topic...
C2 is not security. It is only autiting, including logging of who has read and leaked the files on certain tobacco usage in the oval office.
We need to get it implemented to sell things to many govrnmental institutions, not only in the US.
And the best part is, it has NOTHING to do wit security. As long as you log who you think does things (like NT) then you are OK. And remember, NT is only C2 certified when disconnected from the network.
Actually, free software is an excellent model for socialism, but the way it was imagined, not the way it turned out.... And no, I don't know why I'm responding to obvious flame bait.
http//biz.yahoo.com/prnews/000113 / ca_secure__1.html
for a discussion of Linux at NSA
I hope that after I die the one word people use to describe me is "resurrected."
Just out of curiousity, what _is_ C2 Level Auditing?
Chris
I think that you will find that they will want to know - 'was any code written by foreigners', if so has it been verified by a trusted US citizen? Also, I believe that part of the verification is that the vendor (the source code holder) will not go out of business and the code vanish into thin air. The software we provided had to have 'fully documented source code - independently certified by a government approved certification authority' As they would be getting the full source code (something which they did not envisage when the rules were set down) some of the normal rules would not apply.
My partner and I are the people working on the Linux BSM. Our goal is to build a Solaris compatible auditing system that will be C2 compliant. Our page is at: http://soledad.cs.ucdavis.edu/
please cc any email to:
holmlund@cs.ucdavis.edu
banford@cs.ucdavis.edu
Jeremy Banford
Co-Chief BSM Monkey
The biggest obstacle to DoD adoption of Linux is mindshare. The guys in charge are not geeks, they believe every lie that ever came out of Redmond, their knowledge of technology is about five years behind the power curve, and they cling to an outdated (non-open source-centric) view of how software should be purchased and supported.
Guess I come a little late, but I spent some time reading through the whole thread, and was wondering if anybody has ever read the "Security Requirements for System High and Compartmented Mode Workstations" criteria (DDS 2600-5502-91)? This is the criteria to which the SecureWare's original (yes I mean it) CMW product was built upon. A must for those who are looking forward to actually design and/or implement a trusted system based on Linux, that would meet the Orange Book's criterias.
/: permission denied'? You get the idea....
I don't think SecureWare exists anymore. I think they changed name to SecureFirst and is in
online banking e-commerce business right now. I used to work in Hewlett Packard and have participated in some of the HP-UX BLS/CMW developement projects (the not so well know 9.09, 10.06, 10.24 release). I think it's currently marketed as some big e-biz bundle called Virtual Vault, but that was the older days... Anyway, if there is such BLS project for Linux, I'd be interested to join. Any links/URLs, please?
BTW, you do not build a Linux B1/B2/C1/C2 system, you build a B1/B2/C1/C2 system based on Linux. A lot of the B1/B2/C1/C2 criterias defeat the original unix implementation concepts. The higher up you go, the less unix-feel you're going to get. Like, hey, I thought root is meant to be the god but why'd I get a 'rm -rf
A little off-topic tidbit, but is nice to know is that one of the very first CMW B1 box was built on a (drum roll)
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Apple Macintosh! Yeah, no sh!t.
Yours,
--Albert
I have not carefully studied Argus' BLS design and
implementation, but I *seriously* doubt that their
so-called BLS system was officially endorsed by
the DoD. The certification process is loooooooong,
and is extremely costy $$$.
Yours,
--Albert
DOD Linux 3.2 B1 Security Inriched.
-- Comes free with a Tux 12'plush pengiun
Free orange and red book with purchase. Must be 18 years or older before ordering. Not avaiable outside the United States.
I would buy DOD Linux for home usage, I got a lot of lesbian porn that I don't want my freinds to see. (kinda of embrassing when they find out your stock 50 gig RAID server is stuffed full and choking on porn)
(for the unenlightened)
The above is a joke, the DOD doesn't have a Linux distro and I don't have a 50 Gig RAID server full of naked pics. I wish I had 50 gigs running under a DOD Linux distro, oh and porn, better yet, I wish I was a porno star (steal free porn when the director isn't looking ; )
DOD Linux motto should be:
"Even Pornstars run DOD Linux!"
WTF all the karma I just had before I posted this is now gone! It was there a second ago
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Let 'em scratch their own itch. If they want it, they can design and program it themselves.
I/O Error G-17: Aborting Installation
I have DOD and DOE experience (12 yrs total) and I would be wondering the same thing. I would first ask to see, on paper, as part of a policy statement or regulation that has gone through the customary chain of approvals for such things, where it is that C2 compliance is a requirement for the application that Linux is in consideration for. If no one can produce such a document, then you win (at least morally). You also win (again, morally if in no other way) if the document *IS* produced but you find widespread non-compliance. I know you can make NT C2 compliant but the laundry list of things you have to do doesn't leave you with a terribly useful machine IMHO.
It would also depend on the C2 you are talking about. Orange book is what NT is certified against, which says nothing about networking. Red book C2 NT is not certified on -- which deals with networking.
Sean W. Ellis, CNE/ASE, unix luser
I hate to point out the obvious, but where is Linux originate? The internet wasn't used before the Web, where was that from?
I am all for security and privacy of your personal information, but what home user needs DoD strength security at home? That's pretty paranoid if you ask me. The DoD should develop their own Linux distro if you ask me.. Just my $0.02.
segfault@bellatlantic.net
I got a lot of lesbian porn that I don't want my freinds to see.
If you can't share lesbian porn, they aren't really friends now, are they?
Segfault
segfault@bellatlantic.net
Nothing exists except atoms and empty space; everything else is opinion.
blah blah blah....
$600 hammers, $900 toilet seats and they want to use a free OS...
Geeknews has a segment on an Oz IT Security firm (InterSect Alliance) which was started by a couple of ex-spooks from DSD, the Australian equivalent of the NSA. They're aparently investigating the possibility of a government-strength C2 audit module for Linux. A chance to push open source into those really paranoid government agencies? So much for microsoft saying linux has 'poor security functionality' because it has no 'C2 government strength' security.
I think if the NSA is not actually going to release any changes outside of it's organization, then it will not have to release any changes it has made. And this is still compliant with the GPL.
A couple of ex Defence Signals Directorate spooks (Australias NSA) are researching the possibility of integrating C2 into the kernel. See Intersect Alliance press releases for more info.
Dont know where they fit in with the SGI efforts.
Mal.
There is an IRIX4 version that is B1. I believe they are working on an IRIX6 evaluation, but I may be mistaken.
Never happen GI!! Frankly, I just don't see it happening with my view from the trenches (just kidding, you'll never get a Navy guy in a trench . . .) - a good example is the way DoD backed Novell for the networking and e-mail system - no one ever really learned to use it, and though it's limitations were quickly apparent, it took quite some time for the department to decide to go with Microsoft instead - since then it's been YEARS and we are still running two systems, some Novell and some Microsoft. And no one really knows how to use either of them. Now you want LINUX!?!?! Oh my God . . . Trust me, I wish - but I'm afraid to hope, Will
Do you remember the good old days when the Military wanted something and then just took it. When the hell did Big Brother decide that it could no longer think for itself and started shopping out security to the likes of Bill Gates and his cronies. Someone up in Redmond must have done one hell of a job on some poor DOD rep to convince them to borrow, because that's all you ever really get to do with Windows, an operating system to go into such sensitive areas.
There's a serious question here, though. I am a bit concerned that the military is either unwilling or unable to produce their own operating system to their own standards. No matter what certification they come up with, using and outside supplier still allows that supplier to dictate how that operating system functions on basic levels. While this may seem trivial, these basic levels force the networks to be setup a certain way to some extent and if I have to pay the military to protect my worthless ass the least they could do is get off their asses and write their own operating system. When did this change happen, from the government inhousing security matters such as this to outsourcing them to private companies? Maybe I'm ignorant, naive, or hopped up on elmers glue, but I want Big Brother back. Sure he used to beat the pulp out of me, but Bill Gates yanks my pants down in front of the neighbors, runs away laughing and when I pull them up I find my wallet is gone. Bruises heal, and no matter how many web certifications of NT I see, I won't feel safe until I see men with ear pieces outside my windows and silent black helicopters hovering over my house.
Actually the first cert was done through the ITSEC process in Europe. I can testify to this as I was personally involved in the procss, and yet it is not cheap. We are currently involved in a common criteria evaluation under the labeled protection profile (B1) to EAL4. This is the highest level of cert underway with the CC. This includes networking. By the way, it is MLS not BLS. All of our documentation is available online for your review, and the results of the CC evaluation will be in the public as well. I am curious why you seem so surprised? Do you have past experience with the evaluation process (TPEP, ITSEC, or otherwise)? I guess I should stress again, this is the real things. Cheers, Jeff Jeff Thompson Software Evangelist and Visionary Argus Systems Group, Inc. e: thompson@argus-systems.com w: www.argus-systems.com
Argus has ports under way to AIX, UnixWare, and Linux.
Argus Revolution is the online portal where it is being made available from. Free B1 OS, free T-Shirt. What could be better? :)
The biggest hurdle to getting linux on board is getting a DII COE kernel developed for it.
Now for those who don't already know, DII COE stands for Defense Information Infrastructure Common Operating Environment. The project is done by JPL and maintained by DISA.
The DII COE kernel overlays the OS, and provides a common set of utilities and security measures to help administrate a box. The government is a little tired of an application taking up a whole machine, and wanted more flexibility. The DII COE provides a set of tools to do this, providing more security to boot.
And it may one day get to the point where all DOD systems will be expected to run DII COE, and all applications are to be delivered in DII COE's package format. And if that happens, Linux will be locked out.
NT4 is C2 certified, both standalone and networked.
P -CSC-EPL-99-001.html
http://www.radium.ncsc.mil/tpep/epl/entries/TTA
The mainstream Linux community (including the developers that have brought it this far) have no real interest in military-style security. This is one of those cases where the end user (the DoD) should scratch its own itch.
They have the means (money) and the motivation (money + security) to do this themselves or sponsor somebody else's efforts. The result would be an OS that exactly matches their requirements and that they can continue to mold to their own purposes without relying on some vendor.
Of course even if they don't do this some companies will. SGI and IBM have a lot riding on Linux and they need to sell into big government accounts, so they'll take care of it.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
The network side, though, is a tad more complex. :) It is posible, for example, using the features in the various trffic shaping tools, to specify that user X has access to 20% of the bandwidth for FTP, 0% for the web, and 5% for ssh. You can further state that the 20% FTP bandwidth is split into 15% for the local server, 5% for the corporate off-site server, and 0% for everything else.
Whilst this does not constrain what the user DOES with the net access that's been granted, they have effectively been given access to named resources at named sites. No other access exists for that user, because they have zero bandwdth to do anything with.
As for the assurance, I can certainly see that side of things. I imagine a group such as SuSE or Debian have the capability and resources to go through their distributions and formally prove it secure. (Red Hat, whilst good at many things, are not number #1 on security holes.)
Alternatively, I can see some group springing up to produce a watertight Linux distribution, specifically designed and tailored to meet the B level classifications. (Might be fun to do that, actually....)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's a really neat tool! Horrible interface, though. If someone wants to write a decent interface (even if it just takes a comprehensible /etc configuration file), I am sure that a lot of admins would worship at their feet.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They're calling it "Orange Linux", after the "Orange Book" that describes the requirements.
Christopher A. Bohn
cb
Oooh! What does this button do!?
Yes, thanks for doing that Tom.
A couple of clarifies...The code known as OB1 is extracted straight from TRIX 6.5.x (our Trusted B1 product).
Its called "Sample Source" since its not a complete B1 product and if it was it could only be compiled into the Irix codebase. We thought it would help those interested in trusted systems if we made some of our code available to provide a "sample implementation" of something that is known to work.
richard.
PS. We were all laughing (well I was) that the first posting described my boss as a gentlemen...
You don't -- but C2 / B1,2,3 or whatever doesn't really help either, because they can't really check the code line for line to make sure there are no bugs. And one stupid bug can screw everything up.
When it comes to classified systems, you need to consider more than the "security classification", which really only serves as a cool bullet in the feature list. You need to consider the vendors track record, especially with regard to security and bugfixing.
SGI is supposed to be working on C2 certification, which they're hoping to get into the mainstream so that pretty much any distro that wants it can be C2-certified, and also B1 or B2, I forget which (whichever one is legal to export). They are doing this specifically because they have reason to believe they can sell Linux to the DoD.
Unfortunately, I can't find anything confirming this on their site -- this is information I picked up at the recent SGI "Linux University" travelling show. If I recall correctly, and they manage to keep to their projected timetable, we should see the C2 Linux become reality sometime later this year, and Bn in 2001.
--
perl -e '$_="06fde129ae54c1b4c8152374c00";
s/(.)/printf "%c",(10,32,65,67,69,72,
$_="06fde129ae54c1b4c8152374c00"; s/(.)/printf "%c",(10,32,65,67,69,72, (74..76),(78..80),(82..85))[hex $1]/eg;
While tripwire is a nice tool (although some people say it's showing its age and there are newer tools now available) what it does is not going to satisfy anything close to C2-level security. Tripwire tells you that someone was messing with your system and by then it's too late (i.e., tripwire tells you that you need to shut the barn door because the theives have stolen your horses).
What our contractor friend is looking for is (I believe) something on the order of access control lists that prevent the touching of the files and directories in the first place. I would think that a kernel module could be written that looks at between user space I/O requests and the filesystem and [dis]allows I/O operations based on the security capabilities granted to the user process. Load the module and your I/O requires properly setup ACLs; unload it and it's back to the garden variety UNIX file permissions (unless you're root, I guess, in case your ACLs are set up incorrectly).
Personally, I would love to see this available on Linux. ACLs and rights identifiers were one of the coolest things (IMHO) under VMS; you could really tailor security far, far better then you could using the simple Read/Write/Execute/Delete access you could set up for objects. Having something like this on Linux (or most Unices, actually) would make it easier to dole out accounts with varying levels of privilege and go a long way toward assuaging those who complain about Unix having a superuser.
--
CUR ALLOC 20195.....5804M
You are right, I was being a bit harsh. I'm sure there are a lot of auditors that are technically inclined. I just haven't run into that many of them. Most of them that I've run into have an accounting background and view computers as just a tool for that purpose. It is worth noting that if your Anderson Consulting in the UK is part of the same Anderson Consulting that is one of the 'big five' in the US, that they are also in the IT consulting business. Undoubtedly people on that side of the business should have a lot more of a technical background than people in the financial/accounting side.
Is it because the Big Five don't know how to spell Linux or is it because they aren't really doing their job?
I work in a big financial IT shop where we have big five auditors in occasionally. From what I've seen the answer to your 'or' question is 'yes'. Most of the auditors that come in are utterly clueless about Windows, let alone anything non-Windows. They can basically muddle about a little in MS-Office and that is about it. I've actually had to help some of them import CSV files into Excel, including helping them figure out how to load files off of a floppy disk and unzip them.
I've also seen them sit down at a SparcStation and be rather puzzled when confronted by the login box... Then turn the power off, watch it reboot and come back up to the same point. At which time I told them 'that isn't a PC'. Blank expression. 'You can't run Outlook or MS-Office on that, it isn't a PC'. Blank expression. 'Use that PC over there'. Auditor shuffles off looking confused...
I would think that the vendor integrity statement problem could be gotten around by purchasing shrinkwrap box versions and then having the vendor of those distributions sign the paperwork the government wants.
Someone should talk to the distribution vendors to see what efforts they could make to add and document C2 auditing to their distributions. I'd think if they thought they could get a significant number of sales to government agencies they would view that as a good investment in resources.
SGI has a site with some sample code and documentation about implementing a B1 secure system over here which may be of interested in this conversation.
I recently linked the web page for SGI's B1 sample implementation on OSS. Here is the URL http://oss.sgi.com/projects/ob1/. You can find some source for a sample implementation.
I'm a little bemused by the extreme concern of DoD in computer security. Granted that they have many secrets to hide and their war-potential to protect. However, I would note that most security breaches are caused by human factors, whether deliberate or accidental. One can point to the example of an ex-CIA director who left incriminating files on a laptop. Also draw the analogy that engineers have concluded that more car safety technology is reaching points of diminishing returns as only 10% of accidents is attributed to mechanical failure and the rest mostly to the idiot behind the wheel (alcohol, road rage, sleepiness, whatever). In the same way I fear that network paranoia (while important and a hard target) is blown out of proportion to the more obvious risks of human failability. I would like to be comforted that the military has on-going *HUMAN* processes to keep improving the quality of their people rather than hoping the next Y2K bug doesn't accidently triggers the nukes. Invest in brains, not silicon bullets.
In a broader view, what is it about technology that foster the simplistic magic pill approach? In any complex situation, after you eliminate the obvious weaknesses, there will be many vulnerable points of attack and more exotic technology in lieu of awareness training could create a false sense of security. Blind faith, whether religion, technology or dogma seems to be a point of hubris.
LL
Me: What is the point of having a cheap bicycle lock that you are absolutely, positively sure will not stand up to a determined attempt to break it?
You: Well, the point is, it stops a casual thief.
No. That answers the question, "What is the point of having a cheap bicycle lock?"
You said there is a place for a system with low security but high assurance. I am trying to figure out what that would be.
In other words, why would you buy a $20 bicycle lock, and then pay $5000 to verify that, yes, it really is a cheap bicycle lock?
Similarly, a situation where you don't do much to prevent people from coming and going, but are sure that their activities are on a security tape (for example, an ordinary bank) calls for low security, high assurance.
I'm starting to see where the confusion is coming from. You're using terms in a different way.
Security is a multi-part thing. Exact definitions vary, but it is generally defined to be the sum of integrity, availability, authenticity, and accountability. Accountability includes audit. In other words, keeping careful track of who comes and goes is a part of security.
Assurance is how sure you can be that the security features of your system actually work as advertised. Not, "Do we know who took the money?" but "How sure are we that this camera we're thinking of buying will do the job?"
I suspect that levels like A1 describe even better assurance than C2 -- but that you can't get credit for those levels of assurance without also having A1 security.
Moving from Class B to Class A is entirely about adding assurance, and not about adding new security features. IIRC, the big thing about Class A1 is that it requires a formal mathematical proof that your security features work.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
FWIW, it seems worthwhile to point out that "Orange Book" classifications are not all that well thought-out. The problem is that they tie increased security to increased assurance.
... it is often useful to have a low-security, high-assurance system ...
:-)
That's right, it does. Think about it. Why do you increase your security? Because you have something more valuable to protect. If it is that much more valuable, wouldn't you also want to know your increased security also works?
It is extremely difficult to establish a high-security system while simultaneously having a high assurance that it is correctly implemented.
Yup. Life is hard.
It is? What is the point of having a cheap bicycle lock that you are absolutely, positively sure will not stand up to a determined attempt to break it?
I honestly can't think of a situation where you would want to pay a lot of money to be sure your security system isn't all that good. If you can think of an example or two, please, enlighten me.
Indeed, if audit is the only really interesting property in this case, it sounds as though low-security (mostly logging) high-assurance (logging cannot be defeated even by 'creative' users) is exactly the solution that is needed.
Congratulations, you just described Class C2 protection.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I haven't hear much about Linux production environments getting hammered by any of the Big Five during year-end IT audits
Wrong kind of auditing.
DrLunch.com The site that tells you what's for lunch!
It's been a while since I was into all this security stuff, so I'm a bit foggy on what C2 requires in the way of accounting. However, the contractor I work for has had us securing our SGIs according to DoD standards. Now, I don't know whether these conform to C2 or not, but they're very very tight boxes now.
From what I've seen in securing these SGIs, I don't believe I'd have any problems tightening down my Linux boxen at home in the same way. As far as accounting goes, the real issue is that a sysadmin can tell who the physical person is behind that user name. That means getting rid of shared accounts, strengthening passwords, etc.
Granted, you won't be able to get a keystroke by keystroke log of a user's session, but that would be too much information anyway. There are, of course, commands that you'd want to monitor and most of these provide logging themselves (such as 'su'), while it would be easy to write wrappers for other commands that don't provide logging (things like 'chmod' && 'chown').
Again, I don't recall what C2 requires, but I wouldn't be surprised if you could get there with the tools already available.
Hope this helps. And if I'm completely off my rocker, please let me know. I'd always love to learn more.
It is nice that OpenBSD is great and wonderful. However, AFAIK, OpenBSD doesn't have C2 compliant auditing available for it either. I love people who give an answer before reading the question.
Come play Heroes of Might and Magic Mini online.
And ask them if there NT servers are C2 certified.
Using the word certified is simply wrong. That implies a certification body exists. Products are evaluated to meet the standard.
Argus Systems Group, Inc. has announced it's intent to produce a Linux version of it's PitBull compartmentalized OS. PitBull is a B1 certified, compartmentalized version of Solaris (currently Solaris 7) which I have used to much success. While all they have announced is an intent to produce a Linux version, the company moves fast enough that we might see something as soon as a year from now. This isn't exactly ideal, I understand, but in DoD time it isn't that far away.
--
Behold the Power of Cheese!
Your position is known, contemptously, as "security by assertion."
You *assert* that the intl kernel patches (which I know and use) are adequate, complete, and correctly implemented.
You *assert* that iptools2 are adequate, complete, and correctly implemented.
On and on and on. You sound just like the Microsoft commercials that are equally eloquent at *asserting* my life will be much more pleasant once I toss out my moldy old Debian 2.2 system for Windows 2000.
In fact, I've downloaded and printed out the requirements for C2 and B1 certification, and I've tried to figure out what they really mean. Linux doesn't have everything it could have (e.g., I've played with the idea of an "auditfs" that would record - in a secure manner - *all* calls to the kernel with process/user info and parameters). Linux doesn't have that, yet, but that's the only way to really know who made some sensitive calls.
But beyond the issue of auditing, DACs, MACs, secure login prompt keys, adding security classification levels to the FS (how do you make a directory top secret/categorized? Remember that the specific category is itself classified, so everyone really use large bit fields in practice.), ensuring all external media (paper, tapes, disks, discs, modems, networks, plips, IrDA, and god knows what else somebody has written a kernel module for) properly preserves these classification tags.... beyond all of that, HOW DO YOU KNOW THAT THE SOFTWARE FUNCTIONS AS ADVERTISED?
I agree with you that the assertions - plus my own review of the code when I feel the need - is adequate for my own uses. It's enough for my employers. But classified systems, by definition (hopefully), will be attacked by professional with signficant bankrolls, not bored teenagers or petty-ante criminals. They will contain information that, if misused, could result in the deaths of thousands or millions of people, not just a few annoying bogus credit card charges. The standards of proof must be *far* more strict, and there's no room for wishful thinking or unchallenged assumptions. That's why a formal review and rating is so important for the DoD (and DoE, among others) market.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Did you even look at the link? Especially where it says "The SAIC evaluation team has determined that Windows NT 4.0 with Service Pack 6a and the C2 Update as configured by the Trusted Facility Manual satisfies all the specified requirements of the criteria at class C2."
Also, when you evaluate an OS for C2, you do it on a specified set of hardware. For any OS.
FWIW, it seems worthwhile to point out that "Orange Book" classifications are not all that well thought-out. The problem is that they tie increased security to increased assurance.
It is extremely difficult to establish a high-security system while simultaneously having a high assurance that it is correctly implemented. OTOH, it is often useful to have a low-security, high-assurance system, and the Orange Book doesn't pay much attention to this case.
Indeed, if audit is the only really interesting property in this case, it sounds as though low-security (mostly logging) high-assurance (logging cannot be defeated even by 'creative' users) is exactly the solution that is needed.
Any bugfixes, additions, modifications, kernel patches, etc. produced by the DoD are probably under this also. OTOH, they can justify classifying just about anything as SECRET. Because of their ability to classify, DoD is a poor test case for Linux in government.
I think that the GPL is incompatable with section 105 for a number of reasons. Of course if they just add things to the stock kernel and redistribute the mods separately, there is no problem.
Title 17 Section 105 just says that works created by the government are public domain and can not be copyrighted. That government pamphlet that you received with your census form is public domain and can not by copyrighted. You can print and give away or sell as many copies as you want.
There is no problem at all from government employees maintaining their own Linux systems. There is no problem with the government making their own customizations of the stock Linux kernel. They may not be able to distribute them outside of the government, but that's not their job. So what if the DoD classifies tham SECRET if they can't be distributed legally anyway?
Now, how is this incompatible with the GPL?
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded repor
If they need auditing, try to ask them WHAT should be audited. It would be an easy task to use PAM (= Pluggable Authentification Module) and add logging to that.
And ask them if there NT servers are C2 certified. The funny thing, against any other claim, it isn't (NT 3.5x is certified, but only if it has no disk drive and no network connection...).
If they allow NT, they should allow the use of a more secure OS (like Linux), too. Otherwise, they should remove all of their NT machines.
Really certifying for level C2 costs lots of money, and I'm afraid no one will do that for now (for what reason, anyway?).
You found a sword: +4 damage, +5 moderator points
RSBAC at www.rsbac.de
ob1 at oss.sgi.com/projects/ob1
The RSBAC works but is hard to configure. The ob1 has good docs but does not even run.
I have work on the ALPHA and PPC port.
Shaun Savage
Frankly, with the existing level of control you have in Linux, you should be able to easily walk away with a B1 for a careful installation.
I don't know what the requirements are for a B1, but I'll guess that the four components I've listed form a part of it.
I really can't see the military, for all it's paranoia, needing more extensive security than that. However, if it does, there's always Tripwire and assorted Intruder Detector packages. Not to mention firewalls, honey pots, buffer overflow detectors (or preventors), security auditing packages for ensuring that trivial holes are closed off, etc. Even the quota system offers some security capability.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Check here and scroll down or search for "auditd".
**>>BELCH
hi,
. html h tml
looks like i may be one of the first to offer a useful post.
SGI is working on getting C2 grade Linux out there. they hope to have it working sometime this year. B2 will follow 18 months or so from that. Orange Linux is the project's name.
the NSA and Secure Computing are working on a C2 grade Linux as well, with source of the stuff to be made publically available due to GPL licensing.
some links:
http://biz.yahoo.com/prnews/000113/ca_secure__1
http://slashdot.org/articles/00/01/13/1029206.s
http://lwn.net/1999/1118/a/sgilinuxuniv.html
/me
jose nazario jose@biocserver.cwru.edu
IANAL am and only familiar with this law within the context of the VRML test suite, the license of which I will now quote:
This software was developed at the National Institute of Standards and Technology by employees of the Federal Governmentin the course of their official duties. Pursuant to title 17 Section 105 of the United States Code this software is not subject to copyright protection and is in the public domain. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. We would appreciate acknowledgement if the software is used.
Any bugfixes, additions, modifications, kernel patches, etc. produced by the DoD are probably under this also. OTOH, they can justify classifying just about anything as SECRET. Because of their ability to classify, DoD is a poor test case for Linux in government.
I think that the GPL is incompatable with section 105 for a number of reasons. Of course if they just add things to the stock kernel and redistribute the mods separately, there is no problem.
The real problem comes from government employees doing maintenance work on Linux.
Then what you have is the software business paying taxes so that the government can write free software and put them out of business.
They should look at BSD. It is very close to public domain. If anybody tries to touch this section of the Federal law to make an exception for Linux, I will be marching down to see my congressman so quickly to let him know that it is wrong, Wrong, WRONG!!!
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Yep, It's being replaced by the common criteria, a joint product of Europe, Canada and the US. It's just been recently standardized into an ISO. These sites should be public:
Common Criteria Project at NIST
Trusted Product Evaluation Program
Elegance is for tailors. -A. Einstein
I'm not so sure you understand just what Mandatory Access Controls really are.
:-)
Unix traditionally has Discretionary Access Controls. I, as jruser, can grant or deny permission to other users to view my files as I see fit. If I want to "chmod o+rwx ~/.rhosts", I can do that.
Under Mandatory Access Control, however, if I don't have permission to give away a file, I can't do it, even if I want to. In other words, I may not have the right to do a "chmod o+rwx".
AFAIK, none of the features you describe enforce MAC. True, if the user doesn't have access to the network, they won't get out, but once they are granted the network connection, you have no say in what they use it for.
There is quite a bit of stuff regarding "security labels" in B1. Any storage object in the system (disk file, block of memory, etc.) gets assigned a label which describes its sensitivity and category in the organizational hierarchy. Mapping that into traditional Unix security mechanisms would be messy at best.
Possibly more importantly, once you start getting into the B levels, you find as much emphasis being placed on assurance as features. In other words, it isn't enough to say that Linux provides such-and-such, you actually have to officially prove that it does, document that proof, and find someone to sign off on it.
The Orange Book and Unix doesn't exactly line up one-to-one.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
lsof: [Description] Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
and
CASL [Description] Custom Auditing Scripting Language (CASL) implements a packet shell environment for the Custom Auditing Scripting Language that is the basis for the Cybercop(tm) line of products by Network Associates. The CASL environment provides an extremely high performance environment for sending and receiving any normal and/or morbid packet stream to firewalls, networking stacks and network intrusion detection systems as well as being sufficiently rich of a language to write honeypots, virtual firewalls, surfer hotel, phantom networks and jails.
Your answer is OpenBSD. I'm not sure of the certification level, but here's a quote from a recent interview with OpenBSD's project head, Theo Deraadt:
"OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
The full article is here.
--Bob
I attended a Linux University workshop from SGI last Friday and at the Linux Security breakout session, the gentleman from SGI who does a lot of work with the NSA and the government said that SGI is working on making Linux C2 and B1 compliant. These should be finalized sometime next year. Auditing is one of the components that still needs to be worked on just to make Linux at least C2 compliant.
For the B1 compliancy, there has to be further security checks (like mandatory security access on the FS)
A lot of this good stuff will be coming from IRIX, which has been pretty secure in and of itself.
We should be seeing a lot of security added to Linux this year.
Fialar
The second project you may want to consider is that SGI is building an "orange book" Linux, with a goal of C2 by October, and B1 by next spring.
Note that this question was posted to Slashdot last year so you probably want to go check out the responses there.
Finally, while I'm here, I'll plug my own security-hardened Linux distro: Immunix. Immunix is not TCSEC compliant or anything like that. Rather, it is designed to be extremely difficult to break into, while preserving a high degree of Linux compatibility. Currently, it is just Red Hat hardened with StackGuard, but we will be releasing additional security technologies shortly.
Crispin
-------
CTO, WireX Communications, Inc.
Immunix: Free hardened Linux