Date: Fri, 23 May 2003 13:55:24 +0200
From: Jakob Oestergaard <jakob@unthought.net>
To: Bernd Eckenfels
Cc: linux-kernel@vger.kernel.org
Subject: Re: SNARE and C2 auditing under 2.5.x
Message-ID: <20030523115524.GF21573@unthought.net>
References: <200305210642_MC3-1-39D2-5928@compuserve.com>

On Wed, May 21, 2003 at 09:26:15PM +0200, Bernd Eckenfels wrote:
> In article <200305210642_MC3-1-39D2-5928@compuserve.com> you wrote:
> > Nah, auditing isn't needed to run a secure system. ;)
> > Besides C2 is totally anachronistical, anyway.
> Logging is *not* anachronistical.

From C2: "2.2.2.2 Audit"

"The TCB shall be able to create, maintain, and protect from modification
or unauthorized access. The audit data shall be protected by the TCB so
that read access to it is limited to those who are authorized for audit
data. The TCB shall be able to record the following types of events: use
of identification and authentication mechanisms, introduction of objects
into a user's address space (e.g., file open, program initiation),
deletion of objects, actions taken by computer operators and system
administrators and/or system security officers, and other security
relevant events.

For each recorded event, the audit record shall identify: date and time
of the event, user, type of event, and success or failure of that event.
For identification/authentication events the origin of request (e.g.,
terminal ID) shall be included in the audit record. For events that
introduce an object into a user's address space and for object deletion
events the audit record shall include the name of the object. The ADP
system administrator shall be able to selectively audit the actions of
any one or more users based on individual identity."

> Even Windows 2000 now offers some Protection Profiles from the Common
> Criteria EAL4+FLR for Controlled Access Protection Profile (CAPP).

EAL4 means "we're pretty sure the system does X". It does not say that X
is anything remotely related to security.

The "AL" in EAL is for "Assurance Level": how certain you are that the
system behaves according to specification. It's not about the security
features of your specification. Ever wondered why Solaris 8 and Trusted
Solaris 8 both have EAL4?

You say C2 auditing is anachronistical - but NOT EVEN having THAT is most
certainly not a mark of distinction.

And in fact, your average syslog setup is NOT guaranteed to store the log
events as required by C2. Some information is missing, and you do not
have guarantees that events that *are* generated by the system actually
reach the log.

This is very very far from being impressive.

C2 is not the end all and be all, but its auditing requirements are pretty
good (for systems that only have discretionary access controls), and
efforts to bring this kind of auditing to Linux should certainly not be
frowned upon.

That's my 0.02 Euro at least

-- 
................................................................
:   jakob@unthought.net   : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:       OZ9ABN            : his downfall is at hand.           :
:.........................:............{Konkhra}...............:
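The C2 audit clause quoted in the message above lists which fields every audit record must carry (date/time, user, event type, success/failure, plus origin for authentication events and object name for object introduction/deletion), says the audit trail must be protected from modification, and requires selective auditing by user identity. The following is an added illustration, not code from the message, from SNARE or from any kernel audit subsystem, of what checking those requirements looks like on the consumer side: a record-completeness check, a hash-chained append-only log so a verifier can tell whether records were altered or silently dropped on the way to the log (the chaining scheme and the event names such as "file_open" are this example's own assumptions, not C2 terminology), and selection by user. The sample events are constructed.

```python
"""Check audit records against the C2 (TCSEC 2.2.2.2) field requirements.

Illustrative example; the event names, field names and hash-chaining scheme
are assumptions of this example, not part of C2 or of any real audit daemon.
"""
import hashlib
import json

# Event classes named in the C2 text, under constructed event names.
AUTH_EVENTS = {"login", "logout", "auth_failure"}
OBJECT_INTRO_EVENTS = {"file_open", "program_init"}
OBJECT_DELETE_EVENTS = {"unlink"}

# Fields C2 requires in every record: date/time, user, type, success/failure.
REQUIRED_ALWAYS = ("timestamp", "user", "event", "outcome")

GENESIS = "0" * 64  # prev-hash of the first record in a fresh log


def missing_fields(rec):
    """Return the C2-required fields absent (or empty) in an audit record.

    Authentication events additionally need the origin (e.g. terminal ID);
    object introduction/deletion events additionally need the object name.
    """
    missing = [f for f in REQUIRED_ALWAYS if not rec.get(f)]
    ev = rec.get("event")
    if ev in AUTH_EVENTS and not rec.get("origin"):
        missing.append("origin")
    if ev in (OBJECT_INTRO_EVENTS | OBJECT_DELETE_EVENTS) and not rec.get("object"):
        missing.append("object")
    return missing


def _digest(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log whose records are numbered and hash-chained.

    A verifier holding the records can detect a modified record, a record
    removed from the middle, or a reordering: each breaks the chain.
    """

    def __init__(self):
        self.records = []
        self.prev_hash = GENESIS

    def append(self, rec):
        missing = missing_fields(rec)
        if missing:
            # Refuse incomplete records rather than logging half an event.
            raise ValueError("incomplete audit record, missing %s" % missing)
        entry = dict(rec, seq=len(self.records), prev=self.prev_hash)
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        self.prev_hash = entry["hash"]
        return entry


def verify_chain(records):
    """Return (True, None) if the chain is intact, else (False, index of first break)."""
    prev = GENESIS
    for i, e in enumerate(records):
        if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None


def select_by_user(records, users):
    """C2: selectively audit the actions of one or more users by identity."""
    return [e for e in records if e["user"] in users]


# Constructed sample events (not real log data).
SAMPLE = [
    {"timestamp": "2003-05-23T13:55:24+02:00", "user": "alice", "event": "login",
     "outcome": "success", "origin": "tty1"},
    {"timestamp": "2003-05-23T13:55:30+02:00", "user": "alice", "event": "file_open",
     "outcome": "failure", "object": "/etc/shadow"},
    {"timestamp": "2003-05-23T13:56:02+02:00", "user": "bob", "event": "unlink",
     "outcome": "success", "object": "/tmp/scratch"},
]


def build_sample_log():
    """Build a log from the constructed sample and return it."""
    log = AuditLog()
    for rec in SAMPLE:
        log.append(rec)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.records))
    print("alice's events:", len(select_by_user(log.records, {"alice"})))
    tampered = [dict(e) for e in log.records]
    tampered[1]["outcome"] = "success"  # rewrite a denied access as allowed
    print("after tampering:", verify_chain(tampered))
```

The two checks map onto the two complaints in the message: `missing_fields` rejects records that lack what C2 says every record must carry, and `verify_chain` catches the case where an event the system generated never reached the log, or was changed after it did, which a plain syslog pipeline does not detect.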