UNIX logging question.

Al Donaldson al at escom.com
Sat Dec 9 06:31:44 AEST 1989


In article <3259 at hub.UUCP>, harald at apple.ucsb.edu (Ommang) writes:
> Also, Gary Grossman in "How Secure is Secure", UNIX Review Aug '86, 
> concludes that UNIX does not quite make it to a C2 NCSC rating. 

As I understood, the primary deficiency with standard UNIX at C2 
was documentation: design documentation, user documentation, etc.
To my knowledge, there were no overriding problems in the area of 
identification and authentication.  

The National Computer Security Center (the folks who evaluate trusted 
computer systems) has a Password Management Guideline (CSC-STD-002-85), 
but these are guidelines and recommendations rather than requirements.
One of the recommendations is that the system record invalid login attempts 
and notify the user (after successful login) of (a) the time of last login 
and (b) number of unsuccessful attempts since then.  

Various computer security vendors are building this sort of capability 
into their UNIX security packages.   I'm not sure what AT&T did in their 
System V/MLS with respect to recording unsuccessful logins (I'm too lazy 
to check their brochures..) but it just recently received a B1 rating 
from the NCSC.  Gould received a C2 rating for their UTX-32S some years ago, 
and two companies (Addamax and SecureWare) have security kits for various 
flavors of UNIX.

I think there was something posted to the net (maybe comp.sources.unix?) 
several years ago.  Our system admin installed this package but didn't 
initialize the table that held the number of bad logins for each user.
So next Monday when people logged in, they got messages of the form

  Last login Friday 28 October 1985 at 8:23 AM; 
  37,538,282 unsuccessful login attempts since then.

Needless to say, this caused some consternation.  :-)

A similar capability is shown on pages 38 and 39 of "UNIX System Security"
by Kochan and Wood (Hayden press 6267-2).

Al
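The recommendation Al describes (record each bad login, then tell the user at the next good login when they last logged in and how many failures happened in between) is small enough to sketch. The C below is an added example, not code from the original post nor from any of the packages it mentions; the names login_record, record_failure, record_success and login_report are hypothetical, and the table is an in-memory array rather than a file. The one thing it is careful about is the bug in the story: the table is zero-initialized, and a newly created slot is explicitly cleared, so a fresh user sees "First login" rather than a garbage count.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical names throughout; this is illustration, not a real package. */

#define MAX_USERS 64
#define NAME_LEN  32

struct login_record {
    char     name[NAME_LEN];
    time_t   last_login;   /* 0 = never logged in successfully */
    unsigned failures;     /* bad attempts since last_login */
};

/* Static storage is zero-filled at load time. This is the initialization the
 * post's admin skipped; an uninitialized count is where "37,538,282
 * unsuccessful login attempts" comes from. */
static struct login_record table[MAX_USERS];
static int nusers = 0;

/* Find the record for a user, creating it if needed. NULL if table is full. */
static struct login_record *lookup(const char *name)
{
    for (int i = 0; i < nusers; i++)
        if (strcmp(table[i].name, name) == 0)
            return &table[i];
    if (nusers >= MAX_USERS)
        return NULL;
    struct login_record *r = &table[nusers++];
    memset(r, 0, sizeof *r);             /* clear the slot before first use */
    strncpy(r->name, name, NAME_LEN - 1);
    return r;
}

/* Call when authentication fails. Returns the new failure count, or -1. */
int record_failure(const char *name)
{
    struct login_record *r = lookup(name);
    if (!r)
        return -1;
    r->failures++;
    return (int)r->failures;
}

struct login_report {
    time_t   last_login;   /* 0 = this was the first login */
    unsigned failures;     /* bad attempts between last_login and now */
};

/* Call after a successful authentication. Fills *out with what to show the
 * user, then records this login and resets the counter. Returns 0 or -1. */
int record_success(const char *name, time_t now, struct login_report *out)
{
    struct login_record *r = lookup(name);
    if (!r)
        return -1;
    out->last_login = r->last_login;
    out->failures   = r->failures;
    r->last_login = now;
    r->failures   = 0;
    return 0;
}

/* Render the post-login notice in the style quoted in the post. */
void print_report(const struct login_report *rep)
{
    if (rep->last_login == 0) {
        puts("First login.");
        return;
    }
    char buf[64];
    strftime(buf, sizeof buf, "%A %d %B %Y at %I:%M %p",
             localtime(&rep->last_login));
    printf("Last login %s;\n%u unsuccessful login attempts since then.\n",
           buf, rep->failures);
}

int main(void)
{
    /* Constructed sequence: one good login, two failures, another good login. */
    struct login_report rep;
    record_success("al", (time_t)1000000, &rep);
    print_report(&rep);              /* First login. */
    record_failure("al");
    record_failure("al");
    record_success("al", (time_t)2000000, &rep);
    print_report(&rep);              /* ... 2 unsuccessful login attempts ... */
    return 0;
}
```

A real implementation would keep the records in a root-owned file keyed by uid and would have to handle the same initialization question on every new account and every table rebuild; the counter is only trustworthy if every path that creates a record clears it first.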



More information about the Comp.unix.questions mailing list