Introduction

This directory contains the packages and the documentation required to install and configure Red Hat Enterprise Linux 5 (RHEL5) on a specific set of HP platforms to an evaluated level. This level meets the Common Criteria Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP), and Role-Based Access Control Protection Profile (RBACPP) at Evaluation Assurance Level 4+ (EAL4+).

This evaluation was conducted by an independent evaluator, atsec Information Security (http://www.atsec.com/), using the Common Criteria methodology (http://www.commoncriteriaportal.org/) and validated by the Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body of the U.S. Government (http://niap.nist.gov/cc-scheme).

For more information regarding the Common Criteria Evaluation process and Protection Profiles, Web URLs are provided at the end of this file.

Purpose

The purpose of this README is to guide the reader on how to obtain the Evaluation Configuration Guide (ECG) in order to use its instructions. The ECG lists the requirements and describes how to install and configure a RHEL5 system to be compliant with the Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP), and Role-Based Access Control Protection Profile (RBACPP).

The ECG file RHEL5-CC-EAL4-HP-Configuration-Guide is included in the capp-lspp-eal4-config-hp RPM. There are two versions of this RPM. The version that was included in the evaluation is:

ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/HP/RPMS/capp-lspp-eal4-config-hp-0.65-1.el5.noarch.rpm

An updated RPM is available at:

ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/HP/RPMS/capp-lspp-eal4-config-hp-0.65-2.el5.noarch.rpm

The updated (version 0.65-2) RPM corrects an error in the configuration script that was discovered after the evaluation. Refer to the following Red Hat Security Advisory for additional information.
https://rhn.redhat.com/errata/RHSA-2008-0193.html

HP recommends using the version 0.65-2 RPM, so that is the version used in the instructions below. If you are using the original version 0.65-1 RPM, or if you have systems that were previously installed with that RPM, see the additional information in the Notes section of this README.

To get the ECG, do the following:

1- From an existing Internet-connected system equipped with the rpm or rpm2cpio package management tools, download capp-lspp-eal4-config-hp-0.65-2.el5.noarch.rpm from the above FTP directory:

    wget ftp://ftp.redhat... (use one of the FTP URLs above)

2- Download the Red Hat package signing key to verify the integrity of the capp-lspp-eal4-config-hp RPM. The Red Hat package signing key can be found at the following location:

    https://www.redhat.com/security/37017186.txt

   More information can be found at:

    https://www.redhat.com/security/team/key/

3- Run the following commands to verify the package integrity:

    rpm --import 37017186.txt
    rpm --checksig capp-lspp-eal4-config-hp-*.rpm

4- Run as root at a command line:

    rpm -i capp-lspp-eal4-config-hp-0.65-2.el5.noarch.rpm

   This will only install the ECG and a set of kickstart files. Alternatively, run:

    rpm2cpio capp-lspp-eal4-config-hp-0.65-2.el5.noarch.rpm | cpio -id

   to unpack the archive contents in the current directory without installing them. This does not require administrator rights.

5- The ECG file RHEL5-CC-EAL4-HP-Configuration-Guide is included in multiple formats: as man page, pdf, pod and txt. You can find the various formats in the directory /usr/share/doc/capp-lspp-eal4-config-hp-*.

6- Read the ECG and follow the instructions carefully. The ECG describes how to obtain the required software packages and describes various installation methods.
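
Step 3 depends on reading the rpm --checksig result correctly. The following sh functions are an added example, not part of the original README: they accept the result only when a signature, and not just the digests, was checked and passed. The function names and the output formats described in the comments are assumptions about rpm's usual one-line report.

```shell
#!/bin/sh
# Added example, not part of the original README.
# Assumed `rpm --checksig` report: "<file>: <checks...> OK" or "... NOT OK ...",
# where a lowercase word is a check that passed and an uppercase or
# parenthesised word is one that failed or could not be verified.

# sig_verified LINE
# Exit 0 only if LINE shows that a signature was checked and passed.
sig_verified() {
    line=$1
    # Drop the "<file>: " prefix; what remains is the check list and verdict.
    result=${line#*: }
    case $result in
        *"NOT OK"*) return 1 ;;   # a check failed or the public key is missing
        *" OK") ;;                # overall verdict OK, continue below
        *) return 1 ;;            # unrecognised output: fail closed
    esac
    # An unsigned package also ends in "OK" because only its digests were
    # compared. Require a passed signature token: gpg or pgp (older rpm
    # releases) or signatures (newer rpm releases).
    for word in $result; do
        case $word in
            gpg|pgp|signatures) return 0 ;;
        esac
    done
    return 1
}

# verify_rpm FILE
# Run rpm on FILE and apply sig_verified to its real output.
verify_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || return 1
    sig_verified "$out"
}

# Optional stand-alone use: sh script.sh package.rpm
if [ "$#" -gt 0 ]; then
    if verify_rpm "$1"; then
        echo "signature verified: $1"
    else
        echo "signature NOT verified: $1" >&2
        exit 1
    fi
fi
```

Run it after importing the signing key in step 3 and before the install in step 4.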
Notes

If using the version 0.65-1 RPM, please run the following command as root on all systems installed using that RPM:

    chmod 644 /etc/pam.d/system-auth

Refer to advisory CVE-2008-0884 or the following Red Hat Security Advisory for additional information.

https://rhn.redhat.com/errata/RHSA-2008-0193.html

Related Links

http://www.atsec.com/
http://www.hp.com/
http://www.redhat.com/
http://commoncriteriaportal.org/
http://www.niap-ccevs.org/cc-scheme
http://www.niap-ccevs.org/cc-scheme/pp/PP_OS_CA_V1.d.cfm
http://www.niap-ccevs.org/cc-scheme/pp/PP_OS_LS_V1.b.cfm
http://cve.mitre.org/cve/cve.html