|
Penetration Testing
mailing list archives
Re: Vulnerability Assessment of a EAL 4 system
From: "Robert E. Lee" <robert () outpost24 com>
Date: Thu, 2 Nov 2006 12:04:37 +0100
On Wed, 1 Nov 2006 02:11:38 -0800 (PST)
<castellan2004-fd () yahoo com> wrote:
I am looking at a Linux server which has been
accredited as a EAL4 system by IBM. During the
assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server,
there is no iptables.
Ask them for a copy of the Certification Report, and the Security Target. In these, you will read clearly what they
were attempting to accomplish. You will also see which Protection Profiles were selected. Reading the Protection
Profile documents will also help you understand what they intended.
For example, if you were evaluating Red Hat Enterprise Linux AS, Version 3 Update 2, you would want to read
http://www.commoncriteriaportal.org/public/files/epfiles/0257a.pdf,
http://www.commoncriteriaportal.org/public/files/epfiles/0257b.pdf, and
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf
Although, I am guessing based on your questions that you may want to have a followup conversation with your customer to
make sure you are in agreement on the scope of the audit. Formally auditing a CAPP/EAL4 system can be extremely time
consuming.
--
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
phone: +46-(70)847-4320
fax : +46-(0)455-13960
email: robert () outpost24 com
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
