Help!
I'm in the middle of a testing engagement where I have run across VxWorks. I am totally unfamiliar with auditing VxWorks and need some help with the finer points. What I have come up against are medical devices that have multiple VxWorks modules attached to them. The controllers are not a problem, they are either unix/linux or a variant of Windows. However, the medical devices only show the VxWorks module to the network. So far, I have run an NMAP scan, a Retina scan, and a Nessus scan. I do not see any guidance, a checklist, or a STIG on DISA's site, nor do I see anything listed in the benchmarks put out by the Center for Internet Security.
So, for those of you that have had to audit a VxWorks system, what else did you do? What other guidance did you use? And, what did you use to tie back vulnerabilities (as I know that there are some IAVMs that are VxWorks-related)?
Wednesday, April 27, 2011
Use the Unix General STIGs, see section 1.4.1 of the following doc:
http://www.disa.mil/ucco/webfiles/apl_process/STIG_Questionnaire.pdf