Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Vulnerability Assessment of a EAL 4 system
From: "Hardwick, Stephen" <shardwick () enpointe com>
Date: Thu, 2 Nov 2006 09:45:07 -0800

Common Criteria provides a method of specifying features and verifying
their operation. The testing that is done to achieve certification is
typically confidential to the testing lab and the product vendor.
However, as part of the testing the product vendor must provide a
"Configuration Guidance" document that describes how the product is
configured to pass the testing. The document is then used to verify that
the product is properly configured. I did find a link for the
configuration guide for the SuSe version of Linux that was evaluated
http://www.uniforum.chi.il.us/slides/HardeningLinux/IBM-SLES-EAL4-Config
uration-Guide.pdf. This gives the various steps needed to configure the
OS to meet the tested configuration. My recommendation would be to make
sure that the systems meet the configuration guide. If you wanted to
perform additional testing, you would need to review the Security
target, which defines the tested functionality.

I hope that this helps.

Steve Hardwick 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of castellan2004-fd () yahoo com
Sent: Wednesday, November 01, 2006 4:12 AM
To: pen-test () securityfocus com
Subject: Vulnerability Assessment of a EAL 4 system


I am looking at a Linux server which has been
accredited as a EAL4 system by IBM.  During the
assessment, I was looking for standard Linux
protections like iptables, ssh etc.  On this server,
there is no iptables.

Regardless, I would like to know how to evaluate a EAL
4 system.  What do you need to look for in the EAL 4
system in production that could become vulnerable?

Thank you in advance for any help.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]