Subject: Big picture: acls, auditing, interoperability, CC
To: None <tech-kern@netbsd.org>
From: Andrew van der Stock <ajv@greebo.net>
List: tech-kern
Date: 03/13/2001 22:53:31
Whilst we're on the subject of security improvments, we need to look at
Common Criteria. The BSD way to me is to get the security model right, based
upon open standards which allows us to be technically superior (or just
correct :-) to the other alternatives.

(This is a vastly simplified form of CC evalulation): CC is a set of
standards, and systems (TOE) are evaluated to a range of criteria chosen by
security requirements for that site. In each subject area, the level of
rating a system has been tested to is compared to site security objectives.
If they do not meet up, then the system does not pass the evaluation. But to
get even a part way through an unclassified site's security requirements,
you need some basic security controls. It's time to get into the 1980's
people.

NetBSD needs* ACLs, mandatory access control, and auditing on top of the new
equivalent of the old TCB. If there are people prepared to code, I'm
prepared to help, or let's start porting the stuff in TrustedBSD to NetBSD.

ACLs:

NFS v4 supports ACLs, which can work like POSIX or NTFS ACLs
Samba would like NTFS-style ACLs, and preferably the same API as Linux uses,
no matter how broken
NTFS has ACLs which are dissimilar to POSIX ACLs, but NFSv4 can emulate this
mode
POSIX 1e (abandoned draft, deprecated) has ACLs which many Solaris admins
are familiar

CC Mandatory access control requires all objects to have ACLs, and every
object checked before use. Therefore, it is possible to have a null ACL, so
there must be space for zero entry ACLs, with a particular semantic meaning.
It is better if this is cached when the object is first used.

References:

Common Criteria Homepage:

http://csrc.nist.gov/cc/

CC standards (ISO standard 15408-[1,2,3]:1999)

Intro & General Model
http://csrc.nist.gov/cc/ccv20/p1-v21.pdf
Functional Requirements
http://csrc.nist.gov/cc/ccv20/p2-v21.pdf
Assurance Requirements
http://csrc.nist.gov/cc/ccv20/p3-v21.pdf

Andrew van der Stock, Security Architect
ajv@greebo.net

* companies and agencies requiring systems for CC evaluation will not be
able to use non-CC operating systems unless they have a really lax site
policy. This is not likely to be the case as CC evals cost $$$,$$$.