Penetration Testing mailing list archives
Re: Vulnerability Assessment of a EAL 4 system
From: "Robert E. Lee" <robert () outpost24 com>
Date: Thu, 2 Nov 2006 12:04:37 +0100
On Wed, 1 Nov 2006 02:11:38 -0800 (PST) <castellan2004-fd () yahoo com> wrote:
> I am looking at a Linux server which has been accredited as an EAL4 system by IBM. During the assessment, I was looking for standard Linux protections like iptables, ssh etc. On this server, there is no iptables.
Ask them for a copy of the Certification Report and the Security Target. In these, you will read clearly what they were attempting to accomplish. You will also see which Protection Profiles were selected. Reading the Protection Profile documents will also help you understand what they intended.

For example, if you were evaluating Red Hat Enterprise Linux AS, Version 3 Update 2, you would want to read:

http://www.commoncriteriaportal.org/public/files/epfiles/0257a.pdf
http://www.commoncriteriaportal.org/public/files/epfiles/0257b.pdf
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf

Although, I am guessing based on your questions that you may want to have a follow-up conversation with your customer to make sure you are in agreement on the scope of the audit. Formally auditing a CAPP/EAL4 system can be extremely time consuming.

--
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
phone: +46-(70)847-4320
fax : +46-(0)455-13960
email: robert () outpost24 com
Current thread:
- Vulnerability Assessment of a EAL 4 system castellan2004-fd (Nov 01)
- RE: Vulnerability Assessment of a EAL 4 system Marc Doudiet (Nov 01)
- Re: Vulnerability Assessment of a EAL 4 system Robert E. Lee (Nov 02)
- <Possible follow-ups>
- RE: Vulnerability Assessment of a EAL 4 system Hardwick, Stephen (Nov 02)
- RE: Vulnerability Assessment of a EAL 4 system Steve Armstrong (Nov 05)
- RE: Vulnerability Assessment of a EAL 4 system Hardwick, Stephen (Nov 06)