Neil Jones <castellan2004-email@yahoo.com> writes:
> I am looking at a Linux server which has been accredited as a EAL4
> system by IBM. During the assessment, I was looking for standard Linux
> protections like iptables, ssh etc. On this server, there is no iptables.
>
> Regardless, I would like to know how to evaluate a EAL 4 system. What
> do you need to look for in the EAL 4 system in production that could
> become vulnerable?
orange book like stuff ... sort of assumed that everything was a
general purpose computer and had to have provisions to handle
everything that a general purpose computer might encountered
(including various kinds of multi-user sharing). there was somewhat
generalized criteria that things were evaluated against.
i've somewhat characterized the change over to common criteria ... as
recognizing that not everything is a general purpuse computer
(including multi-user sharing) ... and so there are all sorts of
provisions in common criteria for specifying the "protection profile"
against which something will be evaluated.
there are some general stuff about what kinds of things that need to
be in a "protection profile" for different evaluation levels ... but
without the specific protection profile ... you have no real idea what
specific evaluation has been performed.
it is possible that there couled be security things that you might be
interested in doing ... that just weren't considered or included in
the protection profile used for the evaluation.
obstensibly one of the purposes of evaluation was so you could compare
the evaluation levels of two similar products and use the evaluation
to help in the choice ... under the assumption that using the same
protection profile would result in comparable evaluations. However, a
couple years ago, there was a statement that of the 64 some
evaluations that had been performed at that time, something like sixty
of the evaluations had non-public deviations from published protection
profile (making it difficult to use evaluations as part of comparing
similar products)
National Information Assurance Partnership (NIAP) home page
http://www.nsa.gov/ia/industry/niap.cfm
The Common Criteria Evaluation and Validation Scheme
http://niap.bahialab.com/cc-scheme/
Common Criteria Portal
http://www.commoncriteriaportal.org/
List of Protection Profiles (against which evaluation are performed)
http://www.commoncriteriaportal.org/...dex.php?menu=5
under operating systems in the above ... there is
"Multi-level Operating Systems in Medium Robustness Environments PP" protection
profile (at EAL4+)
http://www.commoncriteriaportal.org/...P-MR_V1.22.pdf
"Multi-level Operating Systems in Medium Robustness Environments" certification
report (at EAL4+)
http://www.commoncriteriaportal.org/..._VID204-VR.pdf
then there is
"Single-level Operating Systems in Medium Robustness PP" protection profile
(at EAL4+)
http://www.commoncriteriaportal.org/...P-MR_V1.22.pdf
"Single-level Operating Systems in Medium Robustness PP" certification report
(at EAL4+)
http://www.commoncriteriaportal.org/...s/PP_VID203-VR
whole lot of past posts mentioning risk, fraud, exploits, and vulnerabilities
http://www.garlic.com/~lynn/subintegrity.html#fraud
and some number of past posts mentioning assurance
http://www.garlic.com/~lynn/subintegrity.html#assurance