"Apple Common Criteria Tools" Release

Stridder44

Universal Traveler
I'm not too sure what this is exactly, nor if it's even news... Check it out here...

Common Criteria is an internationally approved set of security standards which provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product’s ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions.

Security-conscious customers, such as the U.S. Federal Government, are requiring Common Criteria certification as a determining factor in purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.

The international scope of Common Criteria, currently adopted by fourteen nations, allows users from other countries to purchase Information Technology products with the same level of confidence, since certification is recognized across all complying nations.
 
I downloaded it for kicks, and it's an installation package. Ain't going on my system right now, that's for sure. What the hell is it?
 
It is released by Apple - here's their download page
http://www.apple.com/support/downloads/commoncriteriatools_readme.html

It's been a while since I looked at the CC, so I'll probably get the details wrong, but here goes. Bear with me, I will get to what the package is, or at least my understanding of it.

The Common Criteria is basically a framework for making and evaluating very precise claims about the security properties of software, hardware, and operating systems.

Basically, a manufacturer makes a set of claims about the security properties of their product, and the security features it offers. This is known as a Protection Profile (PP). There are a number of "canned" PPs; the one most commonly used is the Controlled Access Protection Profile (CAPP) - this one applies to operating systems, and basically describes the features you would want a multi-user OS to have: users are uniquely identified, they cannot get access to the OS without a password, they can be allowed or denied access to files and other resources, their attempts to access files and resources can be audited by system administrators... Windows 2000, NT 4.0, SuSE Linux, RedHat Linux (I think), Solaris, AIX and a number of others have all been evaluated against CAPP; now Apple has also had OS X evaluated against it.

The manufacturer will describe (again, very precisely) the configuration of the product (here, the OS) - exactly what software is allowed to be installed, what settings of various configuration files must be made, what hardware it is supposed to be running on, etc. The document describing this setup is called the Target of Evaluation (TOE).

An independent company, that has previously been approved as being able to carry out CC evaluations, takes the TOE and the PP, and carries out a series of extensive tests. Again, these tests are precisely defined by the CC framework. Finally, they will determine whether the claims made in the PP, about the TOE, are credible.

I say "credible", not "true". The report that the company issues will state that they have evaluated the TOE and the PP, and they have a precisely measured amount of confidence that it's right. To put that in CC language, they evaluate the TOE and PP to a (precisely defined) Evaluation Assurance Level (EAL).

In this case, OS X 10.3.6 has been evaluated against CAPP, to EAL 3.

Now, what is the software package all about? To meet CAPP to EAL 3, an OS has to support auditing of a defined set of user actions. Stock OS X doesn't support this, so it would never meet the requirements of CAPP, at least not to EAL 3 (I think EAL 1 doesn't require auditing, but there really isn't much to EAL 1 - it's not going to impress anyone).

I haven't installed the package, but I've looked at the list of included files. It seems that it installs:
- Four programs in /usr/sbin/ - audit, auditd, auditreduce, and praudit - presumably for generating and examining auditing records
- An application in /Applications/Utilities/ called Audit Log Viewer.app
- A set of boot scripts in /etc/security/rc/ - presumably having to do with starting up the audit record programs in /usr/sbin
- A set of manpages for the programs, and for the auditing configuration files
 
Oh, and I forgot to mention - to security geeks like me, yes it is big news. Thanks for posting it. Lots for me to read...
 
AFAIK the unix audit tools are already there and the package is just the front-end and boot scripts ...
 
Did they make the criteria low enough for Microsoft? If so, I don't see much sense in them...
 
You're sort of right & sort of wrong, fryke.

The CC addresses mostly the security features that the OS offers, as opposed to the difficulty or ease of bypassing those features. In that regard, Windows 2000 does actually offer some features OS X doesn't - for example, NTFS access control lists give you a lot more control over file permissions than OS X's simple permission bits. Even with the addition of POSIX ACLs in 10.4, NTFS ACLs are still somewhat more flexible than POSIX ones. Not that many people use the added features of NTFS ACLs, as they're a bit complex and easy to get wrong. Similarly, until the release of these tools, OS X didn't offer auditing capabilities.

The other thing to keep in mind is that the TOE is a particular configuration of the OS. And, since the CAPP sets some pretty stringent requirements, manufacturers typically strip the thing way down compared to what you get when you just install straight from a CD.

For example, the OS X configuration requires that you turn off file sharing, web sharing, printer sharing, and so on. The only remote service that can be on is SSH, fast user switching must be off, and there are lots of configuration options that you can only set using (somewhat poorly documented) commandline options. And on and on. The Windows CC evaluation was extremely limited, almost to the point of an unusable OS.

The SuSE Linux one was fairly limited also, but not nearly as much as the OS X or Win2K ones (you could run any server you wanted as a non-root user, as long as the information it offered wasn't supposed to be protected by the CC evaluation's protections, but then you couldn't have X windows).

The dumb thing is, lots of organizations put a lot of stock in buying CC evaluated products. Then, in order to make the setup easier to use and administer, they configure them in a completely different way, and turn on all kinds of options that weren't covered by the CC evaluation. But, they still think they've gotten some security advantage from having gotten CC certified software.

One advantage to a CC evaluation, is that you can read the TOE description, and then look at how far away from the described setup you'd have to go before you got a useful computer...
 
So to the typical user, what are the advantages of installing it? Should I install it?
 
IMHO, this software is a tool that Apple must make available to all users of their software to qualify to the standards that the CC evaluation program requires. An individual user will not likely have any need to install and use this. If you have a need to use or run the software (your organization or company would require this type of tool), then by all means install it. Certain network security configurations would likely require this type of software.
Will most users need this? Probably not. Can you install it? Why not? Will it cause any problems in the future? Time will tell.
I expect this will come installed with Tiger.
 
For typical uses - you don't need it.

It might be very useful if you want to investigate the behaviour of an application - see if it's "phoning home", see what files it opens, etc. You could turn on very comprehensive auditing, run the program, and then look over the audit logs. Then you'd likely want to turn the auditing way down - I can see it having a slight performance impact.

In general, it would be useful for an administrator of a lab or office full of Macs. Not particularly useful for home users - unless it's to satisfy your curiosity about how your Mac works.
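The "turn auditing up, run the program, read the trail, turn it back down" workflow described above, as an added example that is not part of this thread or of Apple's package. It assumes OpenBSM-style tools (audit, auditreduce, praudit), the /etc/security/audit_control config file and the fr/fw/ex/nt audit classes; the sample trail is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or Apple's package): investigate what an
# application executes, opens and connects to, using the audit tools the
# package installs. Config path, trail path and class names are assumptions
# taken from OpenBSM defaults.

AUDIT_CONTROL=/etc/security/audit_control

# Change the "flags" line (classes audited for logged-in users) and make
# auditd re-read its config. Run as root: e.g. "lo,aa,ex,fr,fw,nt" for the
# investigation, then back to the default "lo,aa" afterwards.
set_audit_flags() {   # usage: set_audit_flags "lo,aa,ex,fr,fw,nt"
    sed -i.bak "s/^flags:.*/flags:$1/" "$AUDIT_CONTROL" && audit -s
}

# Reduce the trail to one user's exec/file/network records, one per line.
dump_user_events() {  # usage: dump_user_events <username> [trail]
    auditreduce -u "$1" -c ex,fr,fw,nt "${2:-/var/audit/current}" | praudit -l
}

# Summarise praudit -l output on stdin: what ran, what was opened (and
# whether it succeeded), and which host:port each connect(2) went to.
summarize_audit_trail() {
    awk -F, '
    function tok(name,  i) { for (i = 1; i <= NF; i++) if ($i == name) return i; return 0 }
    {
        p = tok("path"); r = tok("return"); s = tok("socket-inet")
        st = r ? $(r+1) : "unknown"
        if ($4 == "execve(2)" && p)       printf "exec    %-7s %s\n", st, $(p+1)
        else if ($4 ~ /^open\(2\)/ && p)  printf "open    %-7s %s [%s]\n", st, $(p+1), $4
        else if ($4 == "connect(2)" && s) printf "connect %-7s %s:%s\n", st, $(s+3), $(s+2)
    }'
}

# Constructed sample in praudit -l shape (not a real capture), so the summary
# can be exercised on a machine without an audit daemon.
SAMPLE_TRAIL='header,120,11,execve(2),0,Mon Jan 10 12:00:01 2005, + 10 msec,path,/Applications/Foo.app/Contents/MacOS/Foo,subject,alice,alice,staff,alice,staff,501,100,0,0.0.0.0,return,success,0,trailer,120
header,98,11,open(2) - read,0,Mon Jan 10 12:00:02 2005, + 5 msec,path,/Users/alice/Library/Preferences/com.example.foo.plist,subject,alice,alice,staff,alice,staff,501,100,0,0.0.0.0,return,success,3,trailer,98
header,95,11,open(2) - read,creat,0,Mon Jan 10 12:00:02 2005, + 7 msec,path,/etc/master.passwd,subject,alice,alice,staff,alice,staff,501,100,0,0.0.0.0,return,failure : Permission denied,-1,trailer,95
header,88,11,connect(2),0,Mon Jan 10 12:00:03 2005, + 2 msec,socket-inet,2,443,203.0.113.10,subject,alice,alice,staff,alice,staff,501,100,0,0.0.0.0,return,success,0,trailer,88'

# Offline demo on the constructed sample; on a real system you would instead
# run: set_audit_flags "lo,aa,ex,fr,fw,nt"; <run the app>; dump_user_events alice | summarize_audit_trail
printf '%s\n' "$SAMPLE_TRAIL" | summarize_audit_trail
```

The failed open of /etc/master.passwd shows up with its "failure : Permission denied" return, which is exactly the kind of line worth noticing when checking whether an application touches things it has no business reading.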
 