Discussion:
Vulnerability Assessment of a EAL 4 system
c***@yahoo.com
2006-11-01 10:12:25 UTC
I am looking at a Linux server which has been
accredited as an EAL4 system by IBM. During the
assessment, I was looking for standard Linux
protections like iptables, ssh, etc. On this server,
there is no iptables.

Regardless, I would like to know how to evaluate an EAL
4 system. What do you need to look for in the EAL 4
system in production that could become vulnerable?

Thank you in advance for any help.
Stong, Ian
2006-11-01 17:34:40 UTC
You should get a copy of the security target and protection profiles
used for the EAL4 accreditation. This will give you insight into what
they evaluated against. I would then suggest performing standard Linux
checks on the system (sounds like you already did some of that). Any
standard security protections missing need to be weighed against what
the vendor has done to provide similar protections.


Thanks,

Ian Stong

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of castellan2004-***@yahoo.com
Sent: Wednesday, November 01, 2006 5:12 AM
To: focus-***@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4
system by IBM. During the assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server, there is no
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system. What do you need to look for in the EAL 4 system in
production that could become vulnerable?

Thank you in advance for any help.
Takayama Kawika (DTI)
2006-11-02 15:43:40 UTC
This is one of the only Linux distros in production certified for
EAL4...

"Following in the wake of its previous certifications, Novell's SUSE
Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM
eServer.' This puts SLES9 in the same league as Windows 2000 for sales
in the government sector and is the first Linux distro to achieve an
EAL4 certification."

Here is more support....
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

If you have a current EAL level 4 certified system and it is in
production, it means nothing to the extent other than you have a very
expensive piece of hardware. Can you secure it? If you are looking for
this answer then my suggestion is to run a series of PenTests against it
and see. Rapid7 or CoreImpact or Metasploit or any number of system
Vulnerability scanners. If something pops as a finding then address it
and move on. But the certification for EAL4 doesn't mean anything
unless you know how to secure the device... That's the bottom line.

Kawika

"Regret for the things we did can be tempered by time; it is regret for
the things we did not do that is inconsolable." -Sydney J. Harris

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of castellan2004-***@yahoo.com
Sent: Wednesday, November 01, 2006 5:12 AM
To: focus-***@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4
system by IBM. During the assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server, there is no
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system. What do you need to look for in the EAL 4 system in
production that could become vulnerable?

Thank you in advance for any help.
terry white
2006-11-01 21:32:36 UTC
... ciao:

: on "11-1-2006" "castellan2004-***@yahoo.com" writ:
: accredited as a EAL4 system by IBM

a google search of:

"EAL4"+IBM

might be a good start ...
--
... i'm a man, but i can change,
if i have to , i guess ...
shashi
2006-11-02 16:00:01 UTC
The answer to all of your questions is: evaluate the Linux system according to the documentation developed
by Klaus Weidner <***@atsec.com>.

http://www-128.ibm.com/developerworks/linux/library/os-ltc-security/

Thanks & Regards,
Shashi Kanth
Post by c***@yahoo.com
I am looking at a Linux server which has been
accredited as a EAL4 system by IBM. During the
assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server,
there is no iptables.
Regardless, I would like to know how to evaluate a EAL
4 system. What do you need to look for in the EAL 4
system in production that could become vulnerable?
Thank you in advance for any help.
Richard Worwood
2006-11-06 22:31:51 UTC
I guess what everyone is trying to say is that just because a device /
OS combination has been tested to EAL4 doesn't mean your version is
configured as such.

-----Original Message-----
From: Takayama Kawika (DTI) [mailto:***@state.de.us]
Sent: 02 November 2006 09:44
To: focus-***@securityfocus.com
Subject: RE: Vulnerability Assessment of a EAL 4 system

This is one of the only Linux distros in production certified for
EAL4...

"Following in the wake of its previous certifications, Novell's SUSE
Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM
eServer.' This puts SLES9 in the same league as Windows 2000 for sales
in the government sector and is the first Linux distro to achieve an
EAL4 certification."

Here is more support....
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

If you have a current EAL level 4 certified system and it is in
production, it means nothing to the extent other than you have a very
expensive piece of hardware. Can you secure it? If you are looking for
this answer then my suggestion is to run a series of PenTests against it
and see. Rapid7 or CoreImpact or Metasploit or any number of system
Vulnerability scanners. If something pops as a finding then address it
and move on. But the certification for EAL4 doesn't mean anything
unless you know how to secure the device... That's the bottom line.

Kawika

"Regret for the things we did can be tempered by time; it is regret for
the things we did not do that is inconsolable." -Sydney J. Harris

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of castellan2004-***@yahoo.com
Sent: Wednesday, November 01, 2006 5:12 AM
To: focus-***@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4
system by IBM. During the assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server, there is no
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system. What do you need to look for in the EAL 4 system in
production that could become vulnerable?

Thank you in advance for any help.