Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!mcvax!ukc!eagle!icdoc!cam-cl!scc
From: scc@cl.cam.ac.uk (Stephen Crawley)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation - (nf)
Message-ID: <735@jenny.cl.cam.ac.uk>
Date: Wed, 15-Jul-87 20:58:17 EDT
Article-I.D.: jenny.735
Posted: Wed Jul 15 20:58:17 1987
Date-Received: Fri, 24-Jul-87 01:41:56 EDT
References: <175@uw-apl.UUCP> <8300007@iaoobelix.UUCP>
Reply-To: scc@cl.cam.ac.uk (Stephen Crawley)
Organization: Univ of Cambridge Comp Lab, UK
Lines: 48

>> In article <8737@tekecs.TEK.COM>, snoopy@doghouse.gwd.tek.com (Snoopy) writes:
>> Suppose I break into Ollie North's home directory and tar(1) it all
>> to a file in my home directory. That logs one open(2) call for each
>> file, and one open() call for the creation of the file in my home
>> dir. Now, however, I have *one* file that is really an unknown
>> number of classified files. Any further operations performed on it
>> will seem to be working on one file.
>>
>> Obviously, the above example is a braindead example off the top of
>> my head (the pointy part), but you get the idea. It's too easy to
>> mess up your tracks as far as what you're doing and where.

I'm not sure I DO get the idea ... 

In logging the open("/usr/ollie/secret", R) the security system has
recorded the fact that you have breached security for that particular
file, and that you have (probably) read it.  Unless you were logged in
via a terminal in a secure room, and a security guard strip
searched you on the way out (to check for miniature cameras, etc), the
authorities must assume that you could still have a copy somewhere
even if they can guarantee that they have found all of your online
copies.

In short, your messing up your tracks doesn't help you at all and
it only hinders the "fire fighters" a bit.

It is a different matter if you are talking about person A with
legitimate read access to a file leaking a copy to person B who is
on the other side.  A secure system would need to do far more than 
logging file access to detect that sort of thing!

In article <8300007@iaoobelix.UUCP> woerz@iaoobelix.UUCP writes:
>> /***** iaoobelix:comp.unix.wiz / osiris!mjr /  7:04 pm  Jun 19, 1987*/
>... consider dump. It opens the raw device of the disk and
>copies the raw block to tape or to another location. I think it is
>nearly impossible to protect someone from reading the raw disk under
>UNIX. You can write a log entry from dump, but I think you cannot
>protect against someone reading the raw disk with his own programs.

The first thing a security conscious UNIX system administrator
would do would be to set the access on the raw (and block) device 
files for the disc so that it can't be read by mere mortals.  Then
he would do the same for /dev/kmem etc ...

-- Steve

Disclaimer: I don't know what I'm talking about, but sometimes I
	    listen to people who do.
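The hardening step Steve describes (taking read access to the raw and block disk devices and /dev/kmem away from ordinary users) is the kind of thing an administrator wants to be able to check as well as apply. The script below is an added example, not code from the original post: it reports which of a given list of device nodes still carry the world-read bit, and offers a function to remove it. The device names in the usage line (/dev/rsd0a, /dev/sd0a, /dev/mem, /dev/kmem) are assumed for illustration, and the choice to leave group read alone so that a backup group such as "operator" can still run dump is an assumption of this example, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the permissions of
# device nodes an administrator considers sensitive (raw and block disk
# devices, /dev/mem, /dev/kmem) and reports any that "mere mortals" can
# read, i.e. whose world-read bit (octal 004) is set. Reading such a node
# bypasses every per-file permission on the filesystem it holds, which is
# exactly the exposure the post's advice closes.

# Print $1 if its other-read bit is set; print nothing otherwise.
# "find -prune" stops find from descending if $1 happens to be a
# directory, so exactly one path is examined.
world_readable() {
    find "$1" -prune -perm -004 -print 2>/dev/null
}

# Examine every path given. Group read is deliberately left alone so that
# a backup group (e.g. "operator", an assumption of this example) can still
# run dump; only world read is flagged. Returns 0 when nothing is flagged,
# 1 otherwise, printing each offender on its own line.
audit_paths() {
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'missing: %s\n' "$p" >&2
            continue
        fi
        if [ -n "$(world_readable "$p")" ]; then
            printf 'world-readable: %s\n' "$p"
            rc=1
        fi
    done
    return "$rc"
}

# Remove world read and write from the paths given (normally run as root).
restrict_paths() {
    for p in "$@"; do
        chmod o-rw "$p" || return 1
    done
}

# Usage (assumed device names, adjust for the system at hand):
#   sh devaudit.sh /dev/rsd0a /dev/sd0a /dev/mem /dev/kmem
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
fi
```

Run it against the raw and block entries for each disc plus /dev/mem and /dev/kmem; a non-zero exit means at least one of them is still readable by any local user, and restrict_paths applied to the reported names is the fix. Reading a device node as root is not affected, so dump run by the operator keeps working.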