Re: C2 Certification
from http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html
"The Trusted Computing Base (TCB) of a class (C1) system nominally
satisfies the discretionary security requirements by providing separation
of users and data. It incorporates some form of credible controls capable
of enforcing access limitations on an individual basis, i.e., ostensibly
suitable for allowing users to be able to protect project or private
information and to keep other users from accidentally reading or
destroying their data. The class (C1) environment is expected to be one of
cooperating users processing data at the same level(s) of sensitivity."
and
"Systems in this class enforce a more finely grained discretionary access
control than (C1) systems, making users individually accountable for their
actions through login procedures, auditing of security-relevant events,
and resource isolation."
Orange booke certification is a testing process of a hardware and software
combination - the whole system has to interact to provide all of the
required security of the rating. This means that the kernel and drivers
cannot allow direct interaction between a user and hardware, things like
that. The requirements are all at that website, in techno-bureaucratic.
Hardware and software can be tested independantly, but not OSes or
complete boxes. lots more on the site...
Mathias
Reply to: