Hi Roman I don't think I can use the specific hardware specified unless one of them is a relatively standard PC, which according to the documentation invalidates the certification. But the OS aspect seems to provide a set-up that is robust with all appropriate security features such as logging, audit, enhanced password protection etc. What is the normal mechanism of using the script etc. I'd have to sign up for SLES9 which one assumes can still be bought from SUSE. Then to use the EAL4 configuration, can I acquire a right to use through SUSE or ATSEC? Mark Roman Drahtmueller wrote:
Hey Mark,
I recently discovered that there are security hardened version of SUSE that are certified/accredited to EAL 3 and even EAL 4.
Does anyone have any experienced feedback on how restrictive these setups are?
We are looking to implement a data retreival system that access disks over NFS and tape drives over SCSI, but does little else. Would like to know if I could still do these simple things.
Regards,
Mark Armstrong
I'm not sure if one can call the evaluated configuration a "hardened" system. There are some configuration files for pam and account management and some predefined config files for some packages, resulting in stricter file modes (using permissions.eal4) and some unnecessary stuff turned off.
There is a package called certification-sles-eal4 that is available in the SLES9 update trees. It contains
* the so-called security guide, a step-by-step documentation to deliver the fresh install to the evaluated configuration, * a script that does the same semi- or fully automatically, * a set of config files that are being overwritten by the script, and * a list of packages that are required or tolerated in the installation.
Have a look at http://ftp.suse.com/pub/people/draht/misc/eal4/ . I have put the contents of that package in there for you to have a look at it.
Be aware that the "Common Criteria EAL4+ Evaluated Configuration Guide for SUSE LINUX Enterprise Server on IBM Hardware" is copyrighted by atsec GmbH, Klaus Weidner. The script has been written by me and Klaus.
Thanks, Roman.
-- _______________________________________________________________________ Mark Armstrong Email: msa@kaon.co.uk Chief Engineer Web: www.kaon.co.uk Office: +44 (0) 1483 885302 Fax: +44 (0) 1483 885301 Mobile: +44 (0) 7771 967588 Kaon Limited, 5 Wey Court, Mary Road, Guildford, Surrey, GU1 4QU, UK Disclaimer This communication is intended for the addressee(s) only, and is private and confidential. If you are not the intended recipient, any disclosure, copying, distribution or any other unauthorised dissemination is prohibited and unlawful. Please inform the sender immediately if you are not the intended addressee. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org