Re: Vulnerability Assessment of a EAL 4 system

["Robert E. Lee" <robert () outpost24 com>]

On Wed, 1 Nov 2006 02:11:38 -0800 (PST)
<castellan2004-fd () yahoo com> wrote:

> I am looking at a Linux server which has been
> accredited as a EAL4 system by IBM.  During the
> assessment, I was looking for standard Linux
> protections like iptables, ssh etc.  On this server,
> there is no iptables.

Ask them for a copy of the Certification Report, and the Security Target.  In these, you will read clearly what they 
were attempting to accomplish.  You will also see which Protection Profiles were selected.  Reading the Protection 
Profile documents will also help you understand what they intended.

For example, if you were evaluating Red Hat Enterprise Linux AS, Version 3 Update 2, you would want to read 
http://www.commoncriteriaportal.org/public/files/epfiles/0257a.pdf, 
http://www.commoncriteriaportal.org/public/files/epfiles/0257b.pdf, and 
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf

Although, I am guessing based on your questions that you may want to have a followup conversation with your customer to 
make sure you are in agreement on the scope of the audit.  Formally auditing a CAPP/EAL4 system can be extremely time 
consuming.


-- 
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
 
phone: +46-(70)847-4320
fax  : +46-(0)455-13960
email: robert () outpost24 com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------