Wednesday, April 27, 2011

Help with VxWorks


I'm in the middle of a testing engagement where I have run across VxWorks.  I am totally unfamiliar with auditing VxWorks and need some help with the finer points.  What I have come up against are medical devices that have multiple VxWorks modules attached to them.  The controllers are not a problem, they are either unix/linux or a variant of Windows.  However, the medical devices only show the VxWorks module to the network.  So far, I have run an NMAP scan, a Retina scan, and a Nessus scan.  I do not see a guidance, a checklist, or a STIG on DISA's site, nor do I see anything listed in the benchmarks put out by the Center for Internet Security.

So, for those of you that have had to audit a VxWorks system, what else did you do?  What other guidance did you use?  And, what did you use to tie back vulnerabilities (as I know that there are are some IAVMs that are VxWorks-related.)

1 comment:

  1. Use the Unix General STIGs, see section 1.4.1 of the following doc: