laf@mbunix.mitre.org (12/11/90)
I remember hearing recently that some company was
working on making A/UX "secure". Does anyone have
any information on this?

Thanks,
Lee
laf@mbunix.mitre.org
rcsmith@anagld.analytics.com (Ray Smith) (12/11/90)
laf@mbunix.mitre.org writes:
>I remember hearing recently that some company was
>working on making A/UX "secure". Does anyone have
>any information on this?
>Thanks,
>Lee
>laf@mbunix.mitre.org

Lee,

I don't know if this is the one you heard about but here is a copy of SecureWare's Evaluated Products Listing (EPL) listing from the NCSC.

-Ray

----------------------------------------------------------------------
BEGIN INCLUDED MESSAGE
----------------------------------------------------------------------
[0163] (114 lines) Lanenga.CPE 07/10/90 1552.4 edt Tue epl
Subject: SecureWare CMW+ Product Bulletin

Product Evaluation Bulletin

REPORT NO: CSC-PB-002-90
AS OF: June 1990
PRODUCT: Compartmented Mode Workstation Plus
VENDOR: SecureWare, Inc.
CANDIDATE CLASS: B1

PRODUCT DESCRIPTION:

SecureWare's Compartmented Mode Workstation Plus (CMW+) Version 1.0 is a multilevel secure version of Apple Computer's A/UX Release 1.1 for the Macintosh IIx and Macintosh IIcx workstations. It incorporates trusted versions of the X Window System 11R3 and the OSF/Motif Window Manager 1.0. CMW+ is a general-purpose, multi-tasking operating system with a windowing environment. It adds the security and functional enhancements required by the Trusted Computer System Evaluation Criteria (TCSEC) to A/UX, the X Window System and the OSF/Motif Window Manager.

PRODUCT STATUS:

CMW+ was developed, and is marketed and supported by SecureWare. Version 1.0 for the Macintosh IIx and Macintosh IIcx workstations will be released in October 1990.

SECURITY EVALUATION STATUS:

A formal evaluation of CMW+ commenced in June 1990 and is scheduled for completion in the fourth quarter of 1990. CMW+ will be evaluated against the TCSEC as a B1 system (Labeled Security Protection). At the completion of the evaluation, a final evaluation report will be published by the National Computer Security Center, and CMW+ will be placed on the Evaluated Products List.

In conjunction with the TCSEC evaluation, CMW+ is also being evaluated against the Compartmented Mode Workstation (CMW) requirements of the Security Requirements for System High and Compartmented Mode Workstations (CMWREQs). At the completion of the CMW evaluation, CMW+ will also be placed on the TCB Extensions List as a CMW. The TCB Extensions List will be available in future publications of the Information Systems Security Products and Services Catalogue.

A Product Bulletin does not assign any rating to a product. It merely establishes the candidate class, which is the highest class the system could attain when the formal evaluation is complete. As with all evaluations, a system must complete the formal evaluation phase before being assigned any rating.

ENVIRONMENTAL STRENGTHS:

CMW+ is designed to provide security for environments requiring trusted desktop data processing. In addition to providing the traditional user specified access controls (i.e., discretionary access controls) through protection bits, CMW+ provides access control lists, which provide a more flexible user specified access mechanism, and mandatory access control, to control the distribution of information protected by the system to only those users who have been authorized for the information. The mandatory security policy is consistent with the Bell-La Padula model and conforms with Department of Defense policy. In addition, CMW+ provides an information labeling policy on the information contained in objects. A virtually unlimited number of classifications and compartments are supported.

CMW+ provides user identification and authentication through usernames and passwords, and individual accountability through its auditing mechanisms. The authentication features of CMW+ comply with the guidelines recommended in the DoD Password Management Guideline, CSC-STD-002-85.

The auditing mechanism is controlled from a Motif-based interface and supports pre and post-selection by user, group, event and sensitivity level range.

The trusted X server and trusted Motif window manager provide a trusted path mechanism for login and for performing all security-relevant functions. The security policies have been implemented using X protocol extensions in a binary backwards-compatible manner.

The system supports three separate privileged user roles as defined in the CMWREQs for maintaining the system: System Administrator, Information System Security Officer (ISSO) and Operator. Motif-based programs are provided for the System Administrator and ISSO to enable them to easily administer the audit subsystem, user accounts and the device subsystem.

CMW+ supplies a privilege mechanism and a number of discrete privileges that may be used to implement the principle of least privilege. CMW+ also supports configurable command authorizations on a per user basis to limit access to various commands.

CMW+ is delivered with a number of programs which may be used to reduce the likelihood of data compromise in the event of a system failure.

CMW+ can transfer data, including all security attribute information, to and from other SecureWare based systems via removable media. SecureWare has designed CMW+ to be compatible with many other systems that are available in the marketplace.

* CMW+ is a trademark of SecureWare, Inc.
* Macintosh and A/UX are registered trademarks of Apple Computer, Inc.
* Motif is a trademark of Open Software Foundation, Inc.
* The X Window System is a trademark of the Massachusetts Institute of Technology
----------------------------------------------------------------------
END OF INCLUDED MESSAGE
----------------------------------------------------------------------
--
Ray Smith                                   | Analytics, Inc.
rcsmith@analytics.com                       | 9891 Broken Land Parkway
{uunet,aplcen,wb3ffv,sundc}!anagld!rcsmith  | Columbia, MD 21046
RCSmith@DOCKMASTER.NCSC.MIL                 | 301-381-4300
alexis@panix.uucp (Alexis Rosen) (12/12/90)
In article <127213@linus.mitre.org> laf@mbunix.mitre.org writes:
>I remember hearing recently that some company was
>working on making A/UX "secure". Does anyone have
>any information on this?

Yes. Secureware makes it. I don't know their address or number offhand, but you can probably find it in a Unix magazine. Falcon sells it, but only (I think) to the federal gov't. The folks at AFSG (Ron?) may know all about it.

I believe it's B1, maybe B2 secure.

---
Alexis Rosen
Owner/Sysadmin, PANIX Public Access Unix, NY
{cmcl2,apple}!panix!alexis