Libro naranja
chuso
¿Alguien sabe dónde se puede conseguir?
Un saludo.
GARCIA OCHOA MARCOS
: ¿Alguien sabe dónde se puede conseguir?
El de la seguridad de los sistemas informaticos? Estara en alguna biblioteca
(en Palencia lo tenemos, asi que...)
--
Ta otro post...
Marcos (cualquier parecido con la coincidencia es pura realidad)
SoNNy
Por si te sirve y a ti y a alguno más.. Extraído de la página personal
de un colega. Secciones: libro naranja y los libros de colores.
----------------------------------
LIBRO NARANJA
----------------------------------
Para valorar la seguridad de un sistema operativo se sigue un estandar
creado por el Departameto de
Defenfa ( DoD ) de los EE.UU. publicado en un documento conocido como
TCSEC ( Trusted Computer
System Evaluation Criteria ), tambien conocido como el "Libro
Naranja", y el equivalente Europeo es ITSEC
( Information Technology Security Evaluation Criteria ).
El Libro Naranja se divide en 7 partes reunidos en 4 grupos ( A, B, C,
D ).
NIVEL D. SEGURIDAD INEXISTENTE O PROTECCION MINIMA.
Este nivel indica ausencia de medias de seguridad, como por ejemplo el
DOS.
NIVEL C1. SEGURIDAD DISCRECIONAL.
Los usarios deben ser identificados y validados. Cada usuario tiene
control sobre los objetos y puede limitar
el acceso a estos por parte de otros usuarios. Tambien debe permitirse
el acceso a los recursos por grupos
de usuarios.
NIVEL C2. ACCESO CONTROLADO.
En estos sistemas debe haber una clara distincion entre el sistema de
seguridad y los ficheros. Debe existir
un control de accesos a recursos como ficheros y directorios mediante
herramientas de auditoria. Tambien es
obligado eliminar todos los restos de cada proceso, ya sea en memoria
o en registros temporales en disco.
Ejemplos de sistemas operativos que cumplen estos requerimientos son
Windows NT, Netware 4.0 y VMS
4.0 UNIX System V version 4 ( SVR4 ) tambien cumple tales
requirimientos.
NIVEL B1. SEGURIDAD ETIQUETADA.
Los recursos controlados deben etiquetarse con un nivel de seguridad.
Las etiquetas marcan niveles de
seguridad jerarquicos atentiendo al grado de confidencialidad de
recurso: desclasificado, confidencial,
secreto y alto secreto. Ni siquiera el dueño de un objeto puede
cambiar sus permisos y todas las conexiones
al sistema deben ser controladas. UNIX SVR4 MLS ( Multi Level Security
) cumple las exigencias de este
nivel.
NIVEL B2. PROTECCION ETIQUETADA.
Debe existir un modelo de seguridad formal y debe comprobarse que el
sistema se adapta al modelo. Los
canales de transmision de datos deben estar restringidos. Debe existir
una persona encargada de la
seguridad, que se encuentre por encima incluso del Administrador del
sistema, cuyas funciones, por tanto,
quedaran limitadas. Unix SVR4 ES ( Enhanced Security ) esta en proceso
de certificacion en este nivel.
NIVEL B3. DOMINIOS DE SEGURIDAD.
Debe ser posible especificar proteccion de acceso para cada sujeto y
objeto del sistema, individualmente.
Tambien debe existir un procedimiento para recoger peticiones de
acceso a usuarios, y las aceptan o no en
base a una politica de control de acceso y es necesario un sistema de
auditoria que detecte posibles caminos
para una violacion de la seguridad.
NIVEL A. DISEÑO VERIFICADO.
Es igual que el nivel B3 pero requiere que el modelo sea verificado
formalmente como seguro. Ello supone
una serie de demostraciones matematicas que confirman que el diseño se
ajusta al modelo ideado.
--------------------------------------------------------------------
LOS LIBROS DE COLORES
--------------------------------------------------------------------
Los famosos "Libros de Colores", conocidos por ese nombre debido a el
color de su portada, revelan todo
lo necesario sobre la seguridad informatica. De obligada lectura para
los profesionales, administradores o
interesados.
DoD 5200.28-STD. Department of Defense Trusted Computer System
Evaluation Criteria. ( Orange Book
)
CSC-STD-002-85. Department of Defense Password Management Guideline.
( Green Book )
CSC-STD-003-85. Computer Security Requirements -- Guidance for
Applying the Department of Defense
Trusted Computer System Evaluation Criteria in Specific Environments.
( Yellow Book )
CSC-STD-004-85. Technical Rationale Behind CSC-STD-003-85: Computer
Security Requirements.
Guidance for Applying the Department of Defense Trusted Computer
System Evaluation Criteria in Specific
Environments. ( Yellow Book )
NCSC-TG-001. A Guide to Understanding Audit in Trusted Systems. (
Tan Book )
NCSC-TG-002. Trusted Product Evaluation - A Guide for Vendors. (
Bright Blue Book )
NCSC-TG-003. A Guide to Understanding Discretionary Access Control
in Trusted Systems. ( Neon
Orange Book )
NCSC-TG-004. Glossary of Computer Security Terms. ( Teal Green Book
)
NCSC-TG-005. Trusted Network Interpretation of the Trusted Computer
System Evaluation Criteria. (
Red Book )
NCSC-TG-006. A Guide to Understanding Configuration Management in
Trusted Systems. ( Orange Book
)
NCSC-TG-007. A Guide to Understanding Design Documentation in
Trusted Systems. ( Burgundy Book )
NCSC-TG-008. A Guide to Understanding Trusted Distribution in
Trusted Systems. ( Dark Lavender Book
)
NCSC-TG-009. Computer Security Subsystem Interpretation of the
Trusted Computer System Evaluation
Criteria. ( Venice Blue Book )
NCSC-TG-010. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Security Modeling in Trusted Systems. ( Aqua Book )
NCSC-TG-011. Department of Defense Trusted Computer System
Evaluation Criteria Trusted Network
Interpretation Environments Guideline -- Guidance for Applying the
Trusted Network Interpretation. ( Dark
Red Book )
NCSC-TG-013. Department of Defense Trusted Computer System
Evaluation Criteria Rating Maintenance
Phase -- Program Document. ( Pink Book )
NCSC-TG-014. Department of Defense Trusted Computer System
Evaluation Criteria Guidelines for
Formal Verification Systems. ( Purple Book )
NCSC-TG-015. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Trusted Facility Management. ( Brown Book )
NCSC-TG-016. Department of Defense Trusted Computer System
Evaluation Criteria Guidelines for
Writing Trusted Facility Manuals. ( Yellow-Green Book )
NCSC-TG-017. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Identification and Authentication in Trusted Systems. (
Light Blue )
NCSC-TG-018. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Object Reuse in Trusted Systems. ( Light Blue Book )
NCSC-TG-019. Department of Defense Trusted Computer System
Evaluation Criteria Trusted Product
Evaluation Questionnaire. ( Blue Book )
NCSC-TG-020A. Department of Defense Trusted Computer System
Evaluation Criteria Trusted Unix
Working Group (TRUSIX) Rationale for Selecting Access Control List
Features for the Unix System. ( Gray
Book )
NCSC-TG-021. Department of Defense Trusted Computer System
Evaluation Criteria Trusted Data Base
Management System Interpretation of the Trusted Computer System
Evaluation Criteria. ( Lavender Book )
NCSC-TG-022. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Trusted Recovery in Trusted Systems. ( Yellow Book )
NCSC-TG-023. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understandng Security Testing and Test Documentation in Trusted
Systems. ( Bright Orange Book )
NCSC-TG-024 (Volume 1/4). Department of Defense Trusted Computer
System Evaluation Criteria A
Guide to Procurement of Trusted Systems: An Introduction to
Procurement Initiators on Computer Security
Requirements. ( Purple Book )
NCSC-TG-024 (Volume 2/4). Department of Defense Trusted Computer
System Evaluation Criteria A
Guide to Procurement of Trusted Systems: Language for RFP
Specifications and Statements of Work - An
Aid to Procurement Initiators. ( Purple Book )
NCSC-TG-024 (Volume 3/4). Department of Defense Trusted Computer
System Evaluation Criteria A
Guide to Procurement of Trusted Systems: Computer Security Contract
Data Requirements List and Data
Item Description Tutorial. ( Purple Book )
NCSC-TG-024 (Volume 4/4). Department of Defense Trusted Computer
System Evaluation Criteria A
Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's
Proposal Document - An Aid to
Procurement Initiators and Contractors. ( Purple Book )
NCSC-TG-025. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Data Remanence in Automated Information Systems. ( Green
Book )
NCSC-TG-026. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to Writing
the Security Features User's Guide for Trusted Systems. ( Hot Peach
Book )
NCSC-TG-027. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Information System Security Officer Responsibilities for
Automated Information Systems. (
Turquiose Book )
NCSC-TG-028. Department of Defense Trusted Computer System
Evaluation Criteria Assessing
Controlled Access Protection. ( Violet Book )
NCSC-TG-029. Department of Defense Trusted Computer System
Evaluation Criteria Introduction to
Certification and Accreditation. ( Blue Book )
NCSC-TG-030. Department of Defense Trusted Computer System
Evaluation Criteria A Guide to
Understanding Covert Channel Analysis of Trusted Systems. ( Light Pink
Book )
Department of Defense Trusted Computer System Evaluation Criteria
Computer Viruses: Prevention,
Detection, and Treatment. ( C1 Technical Report-001 )
Department of Defense Trusted Computer System Evaluation Criteria
Integrity in Automated Information
Systems. ( C Technical Report 79-91 )
Department of Defense Trusted Computer System Evaluation Criteria
The Design and Evaluation of
INFOSEC systems: The Computer Security Contributions to the
Composition Discussion. ( C Technical
Report 39-92 )
NCSC-TG-010. Department of Defense Trusted Computer System
Evaluation Criteria Advisory
Memorandum on Office Automation Security Guideline. ( NTISSAM
COMPUSEC/1-87 )