Penetration Testing mailing list archives

Re: Vulnerability Assessment of a EAL 4 system
From: "Robert E. Lee" <robert () outpost24 com>
Date: Thu, 2 Nov 2006 12:04:37 +0100

On Wed, 1 Nov 2006 02:11:38 -0800 (PST)
<castellan2004-fd () yahoo com> wrote:

> I am looking at a Linux server which has been
> accredited as an EAL4 system by IBM.  During the
> assessment, I was looking for standard Linux
> protections like iptables, ssh etc.  On this server,
> there is no iptables.

Ask them for a copy of the Certification Report, and the Security Target.  In these, you will read clearly what they 
were attempting to accomplish.  You will also see which Protection Profiles were selected.  Reading the Protection 
Profile documents will also help you understand what they intended.

For example, if you were evaluating Red Hat Enterprise Linux AS, Version 3 Update 2, you would want to read 
http://www.commoncriteriaportal.org/public/files/epfiles/0257b.pdf, and 

Although, I am guessing based on your questions that you may want to have a followup conversation with your customer to 
make sure you are in agreement on the scope of the audit.  Formally auditing a CAPP/EAL4 system can be extremely time 

Robert E. Lee
Chief Security Officer
phone: +46-(70)847-4320
fax  : +46-(0)455-13960
email: robert () outpost24 com

