Date: Wed, 6 Oct 2004 14:53:00 -0500 From: David Kelly <dkelly@HiWAAY.net> To: "Jeremy C. Reed" <reed@reedmedia.net> Cc: freebsd-chat@freebsd.org Subject: Re: Department of Defense security levels Message-ID: <54048F84-17D1-11D9-971B-000393BB56F2@HiWAAY.net> In-Reply-To: <Pine.LNX.4.43.0410060748590.23639-100000@pilchuck.reedmedia.net> References: <Pine.LNX.4.43.0410060748590.23639-100000@pilchuck.reedmedia.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Oct 6, 2004, at 9:53 AM, Jeremy C. Reed wrote: > I have read some about Common Criteria Evaluation Assurance Levels, > Orange > Book levels, Federal Aviation Administration DO-178B Level A and > others. I've been out of it for 5 years but is my understanding the Orange Book was retired. > I am looking for a quick reference and explanation of security levels > used > for software in the United States. Any good pointers? Only took a few moments with Google to find this: http://www.dynamoo.com/orange/ > Also does any *BSD cover U.S. Department of Defense security levels? > Maybe > SEBSD or TrustedBSD? The old Orange Book level C3 included everything. With C3 all users and persons with physical access are required to have equal or greater clearance and need-to-know as the systems and the data they contain. If networked then all other systems on the network must be the same need-to-know, we called this "stand alone" as systems were physically segregated by project or task. No feature of the OS such as user name, password, or resource ownership is considered a "security feature" in this context. I have run FreeBSD in C3 environments. > If no BSD, what about Linux? Where can I learn more about this? I heard Once Upon A Time someone with deep pockets was pushing a Linux system thru the qualification process aiming for a C1 or B-level. For mere mortals and civilians it doesn't mean a darned thing as nobody but the DoD cares to put up with the hassle. If it passed using a Brand-X motherboard with 386DX33 then that too is what you must use. Once Upon A Time Microsoft made big hay about Windows NT 3.5.1 being C2 or C1. Not exactly true as only one specific configuration made that grade. Without NIC. Without floppy. Without CDROM. Without external reset button. -- David Kelly N4HHE, dkelly@HiWAAY.net ======================================================================== Top-posters will not be shown the honor of a reply.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54048F84-17D1-11D9-971B-000393BB56F2>