Re: C2 Certification

To: "Jasmine Chan" <ychan@iiginc.com>
Cc: info@linuxcare.com, debian-user@lists.debian.org, mummert@murphy.debian.org
Subject: Re: C2 Certification
From: Carl Mummert <mummert@cs.wcu.edu>
Date: Tue, 27 Jul 1999 20:13:59 -0400
Message-id: <"oAfM5C.A.T-C.9ukn3"@murphy>
In-reply-to: Message from "Jasmine Chan" <ychan@iiginc.com> of "Tue, 27 Jul 1999 17:56:21 EDT." <[🔎] 852567BB.007924AC.00@smtp.iiginc.com>

>     My name is Jasmine Chan and I was wondering which packages of Linux is C2
>Certified.  And if they are not, is there any steps taken to make Linux C2
>certified.  Thanks in advance for your help.

As I understnad it, C2 certification must be granted by a certifiacation
authority; there is no checkliust that a developer can go over in order
to declare his own code C2.  

Of course, you have to _pay_ to get someone to test your system to 
see if it is C2 secure.

There are several things that (AFAIK) Linux does not do that C2 requires. 
ALso, there are some things about unix that must be disabled before C2
could ever be reached.   The fact that root cannot be locked out of any file
is a definite no-no ; C2 does not have a 'superuser' concept.  The kernel 
must actively prevent one uer from seeing any of another user's data-
this means cleaning deleted filers from the HD, bzero'ing memory when a
process terminates (or when the memory is allocated, obviously), etc.
I believe that 'su' is also agains thte grain of C2.

In short, if you _require_ C2, then you won't be able to use Linux any 
time soon.  

Carl

Reply to:

References:
- C2 Certification
  - From: "Jasmine Chan" <ychan@iiginc.com>

Prev by Date: Re: C2 Certification
Next by Date: Reading NNTP and local news with trn
Previous by thread: Re: C2 Certification
Next by thread: Re: C2 Certification
Index(es):
- Date
- Thread