From: Robert E. Lee (robert@outpost24.com)
Date: Thu Nov 02 2006 - 06:04:37 EST
On Wed, 1 Nov 2006 02:11:38 -0800 (PST)
<castellan2004-fd@yahoo.com> wrote:
> I am looking at a Linux server which has been
> accredited as a EAL4 system by IBM. During the
> assessment, I was looking for standard Linux
> protections like iptables, ssh etc. On this server,
> there is no iptables.
Ask them for a copy of the Certification Report, and the Security Target. In these, you will read clearly what they were attempting to accomplish. You will also see which Protection Profiles were selected. Reading the Protection Profile documents will also help you understand what they intended.
For example, if you were evaluating Red Hat Enterprise Linux AS, Version 3 Update 2, you would want to read http://www.commoncriteriaportal.org/public/files/epfiles/0257a.pdf, http://www.commoncriteriaportal.org/public/files/epfiles/0257b.pdf, and http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf
Although, I am guessing based on your questions that you may want to have a followup conversation with your customer to make sure you are in agreement on the scope of the audit. Formally auditing a CAPP/EAL4 system can be extremely time consuming.
-- Robert E. Lee Chief Security Officer http://www.outpost24.com phone: +46-(70)847-4320 fax : +46-(0)455-13960 email: robert@outpost24.com ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:16 EDT