Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!mcvax!ukc!eagle!icdoc!cam-cl!scc
From: scc@cl.cam.ac.uk (Stephen Crawley)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation - (nf)
Message-ID: <735@jenny.cl.cam.ac.uk>
Date: Wed, 15-Jul-87 20:58:17 EDT
Article-I.D.: jenny.735
Posted: Wed Jul 15 20:58:17 1987
Date-Received: Fri, 24-Jul-87 01:41:56 EDT
References: <175@uw-apl.UUCP> <8300007@iaoobelix.UUCP>
Reply-To: scc@cl.cam.ac.uk (Stephen Crawley)
Organization: Univ of Cambridge Comp Lab, UK
Lines: 48

>> In article <8737@tekecs.TEK.COM>, snoopy@doghouse.gwd.tek.com (Snoopy) writes:
>> Suppose I break into Ollie North's home directory and tar(1) it all
>> to a file in my home directory. That logs one open(2) call for each
>> file, and one open() call for the creation of the file in my home
>> dir. Now, however, I have *one* file that is really an unknown
>> number of classified files. Any further operations performed on it
>> will seem to be working on one file.
>>
>> Obviously, the above example is a braindead example off the top of
>> my head (the pointy part), but you get the idea. It's too easy to
>> mess up your tracks as far as what you're doing and where.

I'm not sure I DO get the idea ...

In logging the open("/usr/ollie/secret", R) the security system has
recorded the fact that you have breached security for that particular
file, and that you have (probably) read it. Unless you were logged in
via a terminal in a secure room, and a security guard strip searched
you on the way out (to check for miniature cameras, etc), the
authorities must assume that you could still have a copy somewhere
even if they can guarantee that they have found all of your online
copies. In short, your messing up your tracks doesn't help you at all
and it only hinders the "fire fighters" a bit.

It is a different matter if you are talking about person A with
legitimate read access to a file leaking a copy to person B who is on
the other side. A secure system would need to do far more than logging
file access to detect that sort of thing!

In article <8300007@iaoobelix.UUCP> woerz@iaoobelix.UUCP writes:
>> /***** iaoobelix:comp.unix.wiz / osiris!mjr / 7:04 pm Jun 19, 1987*/
>... consider dump. It opens the raw device of the disk and
>copies the raw block to tape or to another location. I think it is
>nearly impossible to protect someone from reading the raw disk under
>UNIX. You can write a log entry from dump, but I think you cannot
>protect against someone reading the raw disk with his own programs.

The first thing a security conscious UNIX system administrator would
do would be to set the access on the raw (and block) device files for
the disc so that it can't be read by mere mortals. Then he would do
the same for /dev/kmem etc ...

-- Steve

Disclaimer: I don't know what I'm talking about, but sometimes I
listen to people who do.
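As an added example (editor's code, not part of this thread), a POSIX sh check for the device-file lockdown Steve describes: it reports block and character device nodes under /dev that are still readable or writable by other users, which is what lets an unprivileged dump(8)-style program bypass per-file open() logging. The device names in the test and usage comment are assumptions, and the regular-file mode exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit a directory
# for nodes that "mere mortals" can read or write, i.e. whose mode bits
# grant read (004) or write (002) to "other". On a live system run
# audit_world_access against /dev: the default types b and c cover raw
# and block disk devices and character devices such as /dev/kmem. Type
# f (regular files) exists only so the check can be exercised in a
# scratch directory without root.

# Print every entry of find(1) type FTYPE under DIR that is world-
# readable or world-writable. Octal -perm is POSIX, so GNU and BSD
# find both accept it; permission noise from unreadable subdirectories
# is suppressed.
list_world_accessible() {
    dir=$1
    ftype=$2
    find "$dir" -type "$ftype" \( -perm -004 -o -perm -002 \) -print 2>/dev/null
}

# Report each offending node with its ls -ld line. DIR is the tree to
# scan; remaining arguments are find types (default: b c). Returns 0
# when nothing is world-accessible, 1 otherwise, so it can gate a
# hardening script or a periodic cron check.
audit_world_access() {
    dir=$1
    shift
    [ $# -gt 0 ] || set -- b c
    total=0
    for ftype in "$@"; do
        hits=$(list_world_accessible "$dir" "$ftype")
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits" | while IFS= read -r path; do
            printf 'WORLD-ACCESSIBLE: %s\n' "$(ls -ld "$path")"
        done
        total=$((total + $(printf '%s\n' "$hits" | wc -l)))
    done
    [ "$total" -eq 0 ]
}

# Typical use on a real system (needs root to see every node):
#   audit_world_access /dev || echo "device nodes need tightening"
```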