I'm in the middle of a testing engagement where I have run across VxWorks. I am totally unfamiliar with auditing VxWorks and need some help with the finer points. What I have come up against are medical devices that have multiple VxWorks modules attached to them. The controllers are not a problem, they are either unix/linux or a variant of Windows. However, the medical devices only show the VxWorks module to the network. So far, I have run an NMAP scan, a Retina scan, and a Nessus scan. I do not see a guidance, a checklist, or a STIG on DISA's site, nor do I see anything listed in the benchmarks put out by the Center for Internet Security.
So, for those of you that have had to audit a VxWorks system, what else did you do? What other guidance did you use? And, what did you use to tie back vulnerabilities (as I know that there are are some IAVMs that are VxWorks-related.)