Session recording
Tom Buskey
tom at buskey.name
Mon Mar 31 16:12:14 EDT 2008
On Mon, Mar 31, 2008 at 3:50 PM, Ben Scott <dragonhawk at gmail.com> wrote:
> On Mon, Mar 31, 2008 at 3:35 PM, Dan Coutu <coutu at snowy-owl.com> wrote:
> > Sounds to me like you need the kind of security auditing that is found
> > in DoD administered machines.
>
... useful stuff deleted...
>
>
>
> FWIW and FYI:
>
> The old NSA rainbow book security levels aren't in vogue anymore,
> and tend to be considered obsolete. These days, it's the Common
> Criteria standards, and I seem to recall that some vendor got flavor
> of Linux put on some CC list.
NISPOM and Chapter 8 specifically. The Rainbow series are not used.
There is lots of interpretation in meeting the "standard" and YMMV.
> Ultimately, all those standards are about having a system in which
> one can define the protections one needs, and evaluate a given system
> configuration to see if it meets those needs. It's up to the user to
> use the standards appropriately. As I saw one wag put it, "You can
> shit in a box and get that accredited, as long as you write your
> Protection Profile for it".
As long as the auditor agrees with your Protection Profile.
> Put another way: Windows 98 could be and often was accredited for
> DoD classified use. You just had to lock the computer up in a safe
> when you weren't using it. :-)
FAISSR has 95/98. You have a login banner. It is not capable of any other
security features.
I'd guess that the only way to allow a 95/98 system is to put it in a locked
room with only the user and the security officer allowed in. Oh - and no
networking to the outside room.