Introduction This directory contains the packages and the documentation required to install and configure Red Hat Enterprise Linux 5 (RHEL5) on a specific set of IBM platforms to an evaluated level. This level meets the Common Criteria Labeled Security Protection Profile (LSPP), Role-Based Access Control Protection Profile (RBACPP), and Controlled Access Protection Profile (CAPP) at Assurance Level 4+ (EAL4+). This evaluation was conducted by an independent evaluator, atsec Information Security (http://www.atsec.com/), using the Common Criteria methodology (http://www.commoncriteriaportal.org/) and validated by the Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body of the U.S. Government (http://www.niap-ccevs.org/cc-scheme/). For more information regarding the Common Criteria Evaluation process and Protection Profiles, Web URLs are provided at the end of this file. Purpose The purpose of this README is to guide the reader on how to obtain the Evaluation Configuration Guide (ECG) in order to use its instructions. The (ECG) is contained in the lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm RPM package and lists the requirements and describes how to install and configure a RHEL5 system to be compliant with the Labeled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP), or the Controlled Access Protection Profile (CAPP). The ECG file RHEL-LSPP-EAL4-IBM-Configuration-Guide is included in the following rpm: ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/RPMS/lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm To get the ECG do the following (See Note1): 1- From a separate Internet-connected computer download the lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm from the above ftp directory: wget ftp://ftp.redhat... (use FTP URL above). 2- Download the Red Hat package signing key to verify the integrity of lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm from the following location: https://www.redhat.com/security/37017186.txt 3- On the download system, run the following commands to verify the package integrity: rpm --import 37017186.txt rpm --checksig lspp-eal4-config-ibm-*.rpm 4- Run as root at a command line: rpm -i lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm 5- The ECG file RHEL-LSPP-EAL4-IBM-Configuration-Guide is included in multiple formats: as html, pdf, pod and txt. You can find the various formats in directory /usr/share/doc/lspp-eal4-config-ibm-0.65. 6- Read the ECG and follow the instructions carefully. Note1: Alternatively, you can use the following extraction command on any system containing the RPM packaging tools without installing the package or requiring root rights: rpm2cpio lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm | cpio -id This will extract the content into the current working directory, with the documentation in the usr/share/doc/capp-eal4-config-ibm-0.65/ subdirectory. Related Links http://www.atsec.com/ http://www.ibm.com/ http://www.redhat.com/ http://www.commoncriteriaportal.org/ http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf http://www.commoncriteriaportal.org/public/files/ppfiles/lspp.pdf http://www.commoncriteriaportal.org/public/files/ppfiles/RBAC_987.pdf http://www.niap-ccevs.org/cc-scheme/ Note2: SECURITY ADVISORY CVE-2008-0884 A security defect was discovered in the lspp-eal4-config-ibm-0.65-1.el5.noarch.rpm certification package that causes the /etc/pam.d/system-auth PAM configuration file be writable by anyone on the system. Please see https://rhn.redhat.com/errata/RHSA-2008-0193.html for additional information. To correct the issue, perform the following command after setting up the evaluated configuration and before placing the system into production: chmod 644 /etc/pam.d/system-auth An updated package is available for your convenience at on the Red Hat FTP site at ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/RPMS/lspp-eal4-config-ibm-0.65-2.el5.noarch.rpm. However, note that use of the updated package invalidates the evaluated configuration in the strict sense. Note3: CD-Only Install Following are instructions to assist users whose entire installation is from CD. Before re-installing the machine, determine the device for the CDROM drive. This will be dependent on the architecture. For example, on a model 3455, x86_64 machine, the CDROM device is /dev/hda. Try looking at /var/log/dmesg and search for the CDROM drive info to find the device. This information will be required for the post-install configuration when you use the CDROM drive to load the necessary CAPP/RBACPP/LSPP/EAL4+ (hereafter referred to as simply "LSPP") update RPMs. 1. Follow all steps in Section 2.2.2 of the ECG, Preparing for Installation. You are now ready to "Burn a CD-R containing the kickstart files from ./usr/share/capp-lspp/ kickstart/ and the downloaded RPM packages, with all files at the top directory level (no subdirectories)." Place the kickstart file that your system architecture requires in a newly created directory along with the LSPP update RPMs in RHEL5-Server-LSPP-20070614.0-x86_64-disc1-ftp.iso. For example, for x86_64: mkdir /tmp/eal4 cp ./usr/share/capp-lspp/kickstart/ks-x86_64.cfg /tmp/eal4 mount -o loop RHEL5-Server-LSPP-20070614.0-x86_64-disc1-ftp.iso /mnt/eal4 cp /mnt/eal4/LSPP/*.rpm /tmp/eal4 umount /mnt/eal4 Make an ISO image: mkisofs -o my_eal4.iso -v iso-level 4 /tmp/eal4/ Burn the new ISO to a CD. cdrecord my_eal4.iso 2. Start the installation on the machine by booting RHEL 5 CD#1. At the installation menu's boot prompt, enter: linux ks=cdrom:/ks-x86_64.cfg method=cdrom: Installation will proceed as normal. At some point it will complain about not finding the kickstart script on CD#1. For example: Error: Could not find kickstart on CDROM Remove CD#1 from CDROM drive and insert the CD containing my_eal4.iso. Select "OK" on installer menu. This may bring you to another error display, such as, Error downloading kickstart file Unable to download the kickstart file. Please modify the kickstart parameter below or press Cancel to proceed as an interactive installation. cdrom:/ks-x86_64.cfg Select "OK" on the installation menu so that installer will try to look again on the CDROM for the kickstart file. This time it will find it on the my_eal4.iso CD. You will then be prompted for the information in Section 2.2.5, Pre-install configuration. Proceed as documented in this section. After kickstart information has been entered, the installation will proceed and then complain about not finding install images that are normally on CD#1. You might see a screen such as, CD Not Found The Red Hat Enterprise Linux Server CD was not found in any of your CDROM drives. Please insert the Red Hat Enterprise Linux Server CD and press OK to retry. Remove the CD containing the my_eal4.iso from the CDROM drive and insert RHEL 5 CD#1. Select "OK" on the installation menu so that the installer tries again. It will now find what it needs on CD#1 and installation will proceed as usual. 3. Post Install Assuming that you have successfully reached the post install configuration prompt as indicated in Section 2.2.7, Post-install Configuration, of the ECG, follow the steps that are indicated until you reach the section regarding Location. Because the RPMs are on the my_eal4.iso CD, this part is somewhat different than is documented in the ECG. You will need to enter into the interactive shell, mount the CDROM, and copy the RPMs to a local directory. /dev/hda is used as the example CDROM device. Replace it with the machine's CDROM device as indicated at the beginning of this note. Remove the RHEL 5 CD from the CDROM drive. Insert the CD containing the my_eal4.iso. At the following prompt, enter "!" to enter the shell. Location [ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/] ? ! Starting interactive shell, type 'exit' when done sh-3.1# mkdir /cdrom sh-3.1# mount /dev/hda -t iso9660 -r /cdrom sh-3.1# mkdir /tmp/eal4-rpms sh-3.1# cp /cdrom/*.rpms /tmp/eal4-rpms sh-3.1# ls /tmp/eal4-rpms (make sure they copied over) sh-3.1# umount /cdrom sh-3.1# rmdir /cdrom sh-3.1# exit exit Location [ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/] ? /tmp/eal4-rpms At this point, remove the my_eal4.iso CD from the CDROM drive. The post-install process will begin installing the LSPP update RPMs and configuring the system accordingly for LSPP. You can resume following the post install process as documented in the ECG. Follow a similar procedure for CAPP, except select the CAPP configuration as indicated in the ECG. V1.6, April 03, 2008