[Security_sig] Conf. call minutes 6/10
Makan.Pourzandi at ericsson.com
Mon Nov 1 06:31:40 PST 2004
Sorry for my late answer, I just read your email that's since my main
effort is now on working with SAF related security issues, and then my
time for participating in CGL security has been reduced. Anyway, my
apologies in advance for my sometimes late answers.
Back to your remark, you're right, bear in mind that this my personal
opinion, I believe that there is more and more people believing that
there is more need for a better configuration of the existing security
mechanisms than introducing new security paradigms. I have to say that
this makes sense, actually I remember reading some reports from IBM and
else stating that the first cause of compromise/exploits for servers is
the misconfiguration. As you mentioned, introducing new technologies is
always difficult, for many MAC is directly associated to SE Linux, and
the Fedora experience with SE Linux turned out _not_ to convince people
that SE Linux (for many then MAC) is mature for prime time. Once again,
in my personal opinion, there is need for MAC on some parts of the
cluster, though we should work more to simplify SE Linux administration.
For time being, it seems from what I read across telecoms industry press
that the resources are more put on correctly using the existing security
mechanisms rather than introducing new techniques. Personally, I don't
believe that it's bad for the industry.
IMHO, we will come back to MAC in the future when the maintenance and
administration of SE Linux is more mature (I mention SE Linux instead of
MAC as SE Linux is the most mature product implementing MAC on Linux,
please correct me if I'm wrong?), then we should keep MAC as a priority
for future releases of CGL. But for time being, I don't believe that we
should impose on our admins the difficulties of maintaining SE Linux in
Ed Reed wrote:
> hmmmm...remember, Makan - EAL4 and MAC are completely
> unrelated things.
> MAC is a feature, support for some security policy.
> EAL4 is an assurance level associated with the design, development,
> delivery, installation, and support of the system, whatever
> its functionality.
> For instance, it's quite common for systems supporting the
> Controlled Access Protection Profile (CAPP) to support either
> EAL3 or EAL4 levels of assurance, though they only have
> Discretionary, not Mandatory, Access Controls.
> CGL may well require EAL4 and still not support MAC.
>>>>Makan Pourzandi <Makan.Pourzandi at ericsson.com> 06/10/04 6:07 pm >>>
>>Emily: MAC is in CGL spec w/ priority level 3. Is this required?
> I remember in the Market Requirement Document (MRD) for CGL 3.0 which
> was sent to the cgl-specs mailing list several months ago, there was a
> requirement to support EAL 4 for cgl 3.0. What happened to that
> requirement? Am I right to think that if we want to support that
> requirement we should have MAC?
> I believe that requirement has been added to MRD because many
> governments ask for EAL 4 compliance for "important" systems (included
> many carrier grade servers). Am I right to think so or it's not yet
> implemented in the facts?
> Makan Pourzandi,
> Ericsson Research Canada
> *This email does not represent or express the opinions of Ericsson Inc.
> security_sig mailing list
> security_sig at lists.osdl.org
Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*
More information about the security_sig