shwake@raysnec.UUCP (Ray Shwake) (02/16/91)
wengland@stephsf.stephsf.com (Bill England) writes:

> As for the Uucp I believe that having strict C2 requires NOT using
> UUCP and disallowing ftp. I'm not sure if TCP/IP would be
> considered a C2 security violation and even running an xterm may
> be a problem.

I don't think this is true, at least in the case of UUCP. What, after all,
is the difference between a uucp login and a user login? Both operate under
the various discretionary access controls, audits, etc. associated with
C2. FTP may be another story however.

-----------
uunet!media!ka3ovk!raysnec!shwake    shwake@rsxtech
wengland@stephsf.stephsf.com (Bill England) (02/20/91)
In article <249@raysnec.UUCP> shwake@raysnec.UUCP (Ray Shwake) writes:
>wengland@stephsf.stephsf.com (Bill England) writes:
>
>> As for the Uucp I believe that having strict C2 requires NOT using
>> UUCP and disallowing ftp. I'm not sure if TCP/IP would be [...]
>
>I don't think this is true, at least in the case of UUCP. What, after all,
>is the difference between a uucp login and a user login? Both operate under
>the various discretionary access controls, audits, etc. associated with
>C2. FTP may be another story however.

Well, I knew I did not just pull that bit about Uucp out of a hat; here is
the reference ...

In the operating system release notes for SCO ODT pre-availability release,
on page 4 in section 1.4 'Packages In This Set' there is a footnote to the
UUCP package.

  "The SCO UNIX Operating System Release 3.2 is designed to meet the
  requirements of the C2 level of "trust" as defined by the "Trusted
  Computer System Evaluation Criteria", also known as the "Orange Book".
  If you plan to follow these guidelines, those software packages marked
  by an asterisk must not be installed on your system. By not installing
  these packages you can ensure that your system operates at a greater
  level of security."

Obviously this is incomplete, and I can't think of a more useless piece of
equipment than a Unix box without Uucp or other networking. Also, this may
have changed since the EAP release as I have not been able to find a
similar reference in the newer documentation.

Certainly what is said above about not including Uucp if you want more
security is true. For one thing it precludes others from executing remote
jobs on your system and keeps your data from leaking out across the
telephone lines.

Is UUCP insecure for other reasons? Are there Trojans in UUCP that have
not been removed? What exactly does the "Orange book" say about Uucp and
networking in general?

--
+- Bill England,  wengland@stephsf.COM -----------------------------------+
| * *      H -> He +24Mev                                                  |
| * * * ... Oooo, we're having so much fun making itty bitty suns *        |
|__ * * ___________________________________________________________________|
rhealey@digibd.com (Rob Healey) (02/22/91)
In article <249@raysnec.UUCP> shwake@raysnec.UUCP (Ray Shwake) writes:
>wengland@stephsf.stephsf.com (Bill England) writes:
>> As for the Uucp I believe that having strict C2 requires NOT using
>> UUCP and disallowing ftp. I'm not sure if TCP/IP would be
>> considered a C2 security violation and even running an xterm may
>> be a problem.
>
>I don't think this is true, at least in the case of UUCP. What, after all,
>is the difference between a uucp login and a user login? Both operate under
>the various discretionary access controls, audits, etc. associated with
>C2. FTP may be another story however.
>

If I remember my original perusing of the manuals, ANY form of networking
on the machine invalidates C2 specifications... Either UUCP or TCP would
disqualify the system as C2.

Did SCO ACTUALLY have this system checked and validated for C2 by the
feds? Or are they pulling a SUN and only saying it COULD be C2?

-Rob