SCO UNIX is not "C2" (was: Re: SCO's C2 came to the rescue!!!)

John F Haugh II jfh at rpp386.cactus.org
Tue Dec 18 06:59:57 AEST 1990


In article <2371 at edat.UUCP> brian at edat.UUCP (brian douglass personal account) writes:
>My system was also locking up unexplainably every day.  Turned
>on the audit control system and found out that a uucp account from 
>another system that calls in had expired.  Issued a new password
>and had the other site change their Systems entry, everything was great!

Yet Another Reason To Avoid SCO UNIX -

If it isn't as easy to properly configure the audit system as it is
to improperly configure the audit system, the vendor (SecureWare)
needs to be fired.  In fact, 2.2.2.2 REQUIRES that the system be able
to selectively audit events -

	"The ADP system administrator shall be able to selectively
	 audit the actions of any one or more users based on
	 individual identity."

and 2.2.4.2 -

	"The procedures for examining and maintaining the audit files
	 as well as the detailed audit record structure for each type
	 of audit even shall be given."

The use of an invalid or expired account should be logged separately
and easily determined.  You should not have to turn auditing on just
to discover that someone is logging in with an invalid password.  That
SCO UNIX is deficient in this regard is clear evidence as to what
happens when your product is "designed to meet C2" and not "C2".  The
work that the NCSC does to certify a product is far more technically
oriented than the work it takes for a marketroid to declare that a
product is "designed to meet C2".

Just another shameless plug - the login package I've been writing for
the last 3 years now includes syslog() support, as well as two other
mechanisms for doing exactly this type of program debugging.  Just say
"no" to oppressive and ill-designed "pseudo" security designs!
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh at rpp386.cactus.org
"While you are here, your wives and girlfriends are dating handsome American
 movie and TV stars. Stars like Tom Selleck, Bruce Willis, and Bart Simpson."



More information about the Comp.unix.sysv386 mailing list