Xref: sserve comp.sys.powerpc:38761 comp.os.linux.misc:43936 comp.unix.bsd.386bsd.misc:55 comp.unix.bsd.freebsd.misc:1240 comp.unix.bsd.netbsd.misc:361 comp.unix.misc:17011 comp.security.misc:14733 comp.os.ms-windows.nt.misc:45964
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!yarrina.connect.com.au!classic.iinet.com.au!news.uoknor.edu!news.ecn.uoknor.edu!paladin.american.edu!gatech!news.mathworks.com!news.kei.com!nntp.et.byu.edu!news.provo.novell.com!park.uvsc.edu!usenet
From: Terry Lambert <terry@cs.weber.edu>
Newsgroups: comp.sys.powerpc,comp.os.linux.misc,comp.unix.bsd.386bsd.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.misc,comp.security.misc,comp.os.ms-windows.nt.misc
Subject: Re: WNT security problems (was: Best platform to learn Unix on ?)
Date: 19 May 1995 00:12:48 GMT
Organization: Utah Valley State College, Orem, Utah
Lines: 49
Message-ID: <3pgnq0$lr9@park.uvsc.edu>
References: <ABB885FB96683E495@vader.demon.co.uk> <HR360AK1.95May18154700@tern.csulb.edu>
NNTP-Posting-Host: hecate.artisoft.com

hr360ak1@csulb.edu (Kellie Phung) wrote:
] > Lots of writing by several people...
]
] A few questions about this C1, C2 etc....
]
] 1. Is there a suite to test a system's security level on these standards ?
]    Satan doesn't do this....

There is an evaluation process. An evaluation process is not an
automated test suite that goes "kachink" and spits out a rating.

] 2. How does a FreeBSD with DES and Kerberos rate ? Is there a well-known
]    number of things to do, starting with turn off fingerd I would suppose,
]    that gets you to some rating level ?

An operating system can't rate; only an operating system and
hardware combination can rate.

The evaluation is free in the US but costs in the UK (and is
expected to cost in the US at some future date). You pay for
your people to be there and answer any questions posed by the
evaluators.

] 3. Is there a newsgroup/maillist explicitly devoted to security issues.
]    Or one where that traffic occurs ?

Look in your .newsrc: comp.security.announce, comp.security.misc,
and comp.security.unix are three.

Personally, I set little store by the evaluation process. I would
prefer a categorization of hardware capability, a rating of hardware
based on that capability, and a rating of OS's on particular
minimally rated hardware.

As it is, even with ongoing RAMP recertification, you can't really
keep the certified system up to date with the current release
versions and nobody wants to run the things as a result.

Basically you get to freeze your hardware and software development
and assume ongoing maintenance in trade for a rating.

It's unlikely that a free OS without at least a not-for-profit
corporation behind it to support the evaluation process would get
rated, and if it did, it would still require physical media
distribution to maintain that rating.

Terry Lambert
terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.