Newsgroups: alt.security From: prl@iis.ethz.ch (Peter Lamb) Subject: Re: C2 Message-ID: Organization: Swiss Federal Institute of Technology (ETH), Zurich, CH References: <486@trwacs.UUCP> Date: 10 Feb 92 14:57:18 GMT epstein@trwacs.UUCP (Jeremy Epstein) writes: >In article , stevew@helios.unl.edu (Steve Wu) writes: >> >> I am runnung SunOS 4.1.2 and I am going to run C2 on it. >> >> Has anyone had any comment about Sun C2? I would like to know about it. >Just a warning: Sun's C2 system is *not* really C2. It does not meet >the TCSEC C2 requirements, has never been submitted for evaluation, >and from what I hear Sun has no intention of ever getting it evaluated. It's no hearsay. "Note that SunOS C2 security features differ slightly from what would be required for an NCSC-evaluated C2 system; it has not been, and will not be, submitted for NCSC evaluation." SunOS "System and Network Administration", Ch. 19, p613, "Administering C2 Security", Sec. 19.2 "What is C2 Security?", Sun PN 800-3805-10, Revision A of 27 March, 1990. (Manual set distributed with SunOS4.1) >All of which means that it may offer some degree of security, but probably >less than an evaluated system. Calling it C2 is a misnomer, although >that's what Sun does. Indeed. The Sun manual even appears to contradict itself on this on the previous page: "The following are the seven NCSC security criteria: [...] C2 Auditing and Authentication. [...] (For example, SunOS Release 4.1 with the Security option installed)". ibid., p612. Peter Lamb (prl@iis.ethz.ch)