The Device Compliance Scanner (DCS) in Client Automation scans target computers for compliance with the FDCC checklist. This chapter describes the implementation of SCAP standards.
The DCS is built around Security Content Automation Protocol (SCAP). SCAP is a suite of selected open standards that enumerate software flaws, security-related configuration issues, and product names. The suite also measures systems to determine the presence of vulnerabilities, and provides mechanisms to rank (score) the results of these measurements to evaluate the impact of the discovered security issues.
Client Automation implements compliance checking of any SCAP 1.1 data stream written in the XML formats leveraged by the SCAP standard: XCCDF, CCE, CVE, CPE, CVSS, and OVAL. DCS is implemented as an asset management inventory module. DCS is distributed to all the agents, which then perform the compliance check at the scheduled time and produce the output files required by the specifications. The DCS scanner uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. The scanner also uses the CPE, CCE, CVSS, and CVE reference protocols to verify that all rules are accurately and appropriately reflected in the system. The DCS scanner reports the results to the central management database for inspection, reporting, and querying. The result files are generated for each file in the input SCAP data stream and are stored on the agent computer and on the domain manager (if configured) for verification.
The Common Vulnerabilities and Exposures (CVE) standard is a list or dictionary that provides standard identifiers for publicly known information security vulnerabilities and software flaws. The compliance check results produced by Client Automation include the relevant CVE ID references in the output for every rule checked, provided such references are included in the checklist definition itself. The CVE information is stored in the patch result XML file generated by the scanner and is available in the agent's working directory for inspection and verification.
In SCAP data streams, OVAL content meant for the detection of applications, patches, or vulnerabilities can contain CVE ID references identifying the exact element in the CVE list. The FDCC checklists for Windows XP and IE7 contain separate OVAL files dedicated to this purpose and include CVE IDs.
When processing these SCAP data streams, the generated OVAL result files also include the CVE ID references for each OVAL definition. Additionally, the inventory data presented for the target computer in the DSM Explorer contain a Detailed patch results group where every OVAL definition meant for detecting patches or vulnerabilities has its own subgroup. This subgroup contains a CVE References table wherever the OVAL definition has such references defined in the SCAP data stream itself. Each CVE reference contains the CVE URL and NVD URL. The DSM Explorer allows browsing directly to these URLs.
Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, you can use CCE Identifiers to associate checks in configuration assessment tools with statements in configuration best-practice documents.
In an SCAP data stream, references to CCE IDs can be present in either the XCCDF file or in OVAL files. In the XCCDF file, the CCE reference takes the form of <ident> tags listing CCE IDs associated with each rule in the list. If the CCE IDs are present in the XCCDF file, DCS includes these references for each rule result. This information is available both in the generated XCCDF result file and in the inventory data sent to the database. In the DSM Explorer, the CCE reference information is available under Inventory, SCAP, Checklist Name, Rule Results, Rule Name, Idents.
The OVAL files can contain CCE IDs associated with each OVAL definition that are contained in <reference> tags. If such references are present, they are included in the OVAL result files generated while processing the OVAL definitions.
CCE references and results are also available with the set of result files under the name <machine>-<checklist>-xccdf-CCE-result.txt.
All the FDCC checklists packaged with Client Automation include CCE ID references both in the XCCDF files and the OVAL files. The name and location of the output files can be viewed from the DSM Explorer under the Inventory, SCAP, Checklist Inventory Component, Status group.
Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
An SCAP data stream can optionally include a CPE dictionary that maps CPE names to OVAL definitions that test for the presence of the OS or application identified by that CPE name. DCS uses this dictionary when the XCCDF file from the data stream contains <platform> tags, which indicate that the XCCDF file requires the presence of the specified CPE name. All the packaged FDCC checklists contain CPE dictionary files and their reference in the XCCDF files. The XCCDF results files contain the CPE names in the <platform> tags to indicate a successful platform test for the entire checklist. The name and location of the output files can be viewed from the DSM Explorer under the Inventory, SCAP, Checklist Inventory Component, Status group.
The Common Vulnerability Scoring System (CVSS) standard provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model helps ensure repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and calculation of the severity of vulnerabilities discovered on computers. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
For every patch or vulnerability, CVE ID references are provided in the DSM Explorer. The DSM Explorer also provides detailed patch results that contain the CVE URL and the NVD URL. The user can use the URL to visit the National Institute of Standards and Technology (NIST) web page for the corresponding CVE ID's entry in the NVD. This database entry includes the CVSS score and additional information about the vulnerability. The CVE reference details are available under the Inventory, SCAP, Checklist Inventory Component, Detailed patch results group.
eXtensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational customization, automated compliance testing, and compliance scoring.
DCS reads the XCCDF file and scans the target computers based on the rules given in the XCCDF file. The scanner generates an inventory file that contains the results for each rule in the XCCDF file. The XCCDF output file is stored in the agent's working directory on each agent computer. The results for each rule and the final scores are displayed in the DSM Explorer under Inventory, SCAP, Checklist Inventory Component, Rule Results.
You can view the name and location of the XCCDF files and generated result files in the DSM Explorer under Inventory, SCAP, Checklist Inventory Component, Status group.
Client Automation implements the Open Vulnerability and Assessment Language (OVAL) standard. OVAL is an international information-security community standard used to promote open and publicly available security content. Its goal is to standardize the transfer of this information across the entire spectrum of security tools and services.
Checklist rule definitions in XCCDF files typically use references to OVAL definitions in OVAL files as the way to indicate how to check a target computer for compliance with the rule. Similarly, CPE names listed in the CPE dictionary also use references to OVAL definitions to specify how to check for the presence of a piece of software indicated by the name. All of the bundled DCS SCAP data streams contain at least one OVAL file for each of these purposes.
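The XCCDF result file described above ties together the CCE idents on each rule result, the CPE platform tags, the OVAL check references, and the final score. The following Python is an added example, not Client Automation code, that reads those pieces out of a constructed XCCDF 1.1 result file so the output in the agent's working directory can be verified independently of the DSM Explorer; the XCCDF namespace is assumed from the NIST schema, and all rule ids, CCE ids and OVAL names are placeholders.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by SCAP 1.1 content (assumed from the NIST schema).
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed XCCDF result file: one CPE platform, two rule results, a score.
# Rule ids, the CCE id and OVAL names are placeholders, not real FDCC content.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <TestResult id="example-result">
    <platform idref="cpe:/o:microsoft:windows_xp"/>
    <rule-result idref="example_rule_1">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </rule-result>
    <rule-result idref="example_rule_2">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
  </TestResult>
</Benchmark>"""

def parse_xccdf_results(xml_text):
    """Return CPE platforms, per-rule results with CCE idents and OVAL refs, and the score."""
    tr = ET.fromstring(xml_text).find("x:TestResult", NS)
    rules = []
    for rr in tr.findall("x:rule-result", NS):
        ref = rr.find("x:check/x:check-content-ref", NS)
        rules.append({
            "rule": rr.get("idref"),
            "result": rr.findtext("x:result", namespaces=NS),
            # Only <ident> tags whose system is the CCE namespace carry CCE ids.
            "cce": [i.text for i in rr.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM],
            "oval_def": ref.get("name") if ref is not None else None,
        })
    return {
        "platforms": [p.get("idref") for p in tr.findall("x:platform", NS)],
        "rules": rules,
        "score": float(tr.findtext("x:score", namespaces=NS)),
    }

def failed_rules_without_cce(report):
    """Failed rules with no CCE ident cannot be correlated with best-practice documents."""
    return [r["rule"] for r in report["rules"]
            if r["result"] == "fail" and not r["cce"]]
```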
For each evaluated OVAL file, the OVAL interpreter produces an OVAL results file in the agent's working directory. You can view the name and location of all the OVAL files and generated result files in the DSM Explorer under Inventory, SCAP, Checklist Inventory Component, Status group.
Copyright © 2014 CA Technologies. All rights reserved.