Hi Darren, thanks for your comments.

Darren J Moffat wrote:
> LingBo Tang wrote:
>> Hi all,
>>
>> I have one question about Secure Attention Key (SAK) in Solaris:
>>
>> Why does Solaris not implement SAK for trusted path in console mode?
>
> Resources and the fact that it isn't actually necessary to meet the
> protection profiles we are using for the common criteria evaluation.
>
>> My current understanding is that we can log into non-global zone
>> from "command line login" without X system if there is a trusted path
>> mechanism. And the trusted path can be invoked by SAK sequence.
>> Is this right? Your comments are really appreciated.
>
> I don't think we need SAK to do this; what we need is a way of attaching
> the zone console to one of the new virtual consoles. Now if we also had
> SAK that would be great.
>
Even if the zone console can be attached to a new virtual console, because the end user can re-map the key sequence, we still have a security issue while switching to a console (or zone console) in text mode.

>> During working on hot key sequences for virtual console switching,
>> I'm thinking whether we can have a solution for un-remapped sequences
>> for secure purpose or not.
>> If the sequence can not be remapped, does it mean we can take advantage
>> of the implementation for SAK sequence? I suppose there should be other
>> requirements for SAK. Could you please give me some clues or
>> reference? Thanks so much!
>
> There are, I'd highly recommend talking to Gary Winiger and Glenn Faden
> about this; I believe Gary has a good reference for this and has actually
> spent some time thinking about it.
>
>> From Google, we can easily find out the description for SAK in Linux
>> kernel, and which also mentioned that SAK in Linux has not met
>> C2 requirements without clear reason.
>
> C2 is a very old and now no longer relevant security standard. Also a
> SAK was never required in C2 anyway. Trusted Solaris 1.2 (based on
> SunOS 4.1.3_U1) achieved an ITSEC (predecessor to Common Criteria for
> some countries) evaluation under the CMW spec which was a mix of C2, B1
> and some stuff from B2 as well and it never required us to implement a
> SAK. The way that was avoided I believe was to not allow console
> login, this is also the approach that was taken for Trusted Solaris 8
> which got CC eval to EAL4+ under LSPP, CAPP, RBACPP (which is roughly
> similar to the old CMW spec).
>

I see. Thanks for your introduction.

> Now given that with Trusted Extensions we do not disable the command
> line login option for dtlogin we might want a SAK capability to allow
> cli login on the console at a non Trusted Path (ie global zone) label.
>
> Does it make any sense to run Trusted Extensions on server machines which may not have X system, like data server?
I like to use a server to store all sensitive data in a central location, and share it with different users with TX functionality.

Regards,
Lingbo