Scap Compliance Checker 4.2 User Manual

Mar 01, 2011  Understanding SCAP NIST guidance and using SCAP tools to automate security. This is a time-saver and will help organizations be more readily prepared for audits that require FDCC compliance. That fit into an SCAP-compatible architecture NIST SP800-126: Security Content Automation Protocol Specification –Technical overview of SCAP NIST IR-7511: SCAP Version 1.0 Validation Program Test Requirements –Detailed technical requirements for tools that wish to be validated as SCAP compliant What Defines SCAP Page 5.

1. Scap Compliance Checker User Manual
2. Scap Compliance Checker 5.0 Download
3. Scap Compliance Checker 4.2 User Manual Free
4. Scap Compliance Checker 4.2
5. Scap Compliance Checker 4.2 User Manual Online

Vendor Provided Validation Details - LANDesk Security Suite 9.0 Extensions for Federal Desktops 3.2.1.46

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

SCAP Implementation

LANDesk Security Suite 9.0 Extensions for Federal Desktops (LDSS-FDCC) are built around support for the Security Content Automation Protocol (SCAP).SCAP is a collection of six open standards developed jointly by the government and private sector.Security content written to the SCAP standard can by used by any product that supports the standard.This allows regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past.The guidance is written in the standard format and passed to security products for automated processing and reporting; common input and common output.LDSS-FDCC includes support for all six protocols.It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them.It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure all rules are accurately and appropriately reflected in the system.The SCAP standard references are visible in the reports and export files.

Exports provided by the LDSS-FDCC include the Tiger.xml format.This format was developed to insulate users and administrators from the intricacies and evolutions of the SCAP languages.Tiger was designed to give any product a fast track to SCAP compatibility and validation.

CVE Implementation

LDSS-FDCC includes support for Common Vulnerabilities and Exposures (CVE) names.CVE provides standardized references to known vulnerabilities.This unique identifier provides a common way to refer to vulnerabilities.CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items.Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches.The XCCDF and OVAL compliance checks currently do not reference CVE names. LDSS-FDCC raises the CVE references from the SCAP patch content to populate the XML exports, which are then viewable in the browser.The CVE name is included in references section of the LDSS-FDCC XSL transform.For each patch check listed in the tree.LDSS-FDCC can also perform vulnerability assessments using the included Open Vulnerability and Assessment Language (OVAL) content.The References section includes the CVE name and a link to the NVD site for each CVE name.

CCE Implementation

LDSS-FDCC includes support for Common Configuration Enumeration (CCE) references.CCE provides a standard notation and reference for configuration settings.The SCAP data stream contains CCE tags in the XCCDF documents.LDSS-FDCC raises the CCE references from the SCAP content to populate user interfaces, reports, and exports.

Craftsman lawn mower owner's manual download. View & download of more than 9340 Craftsman PDF user manuals, service manuals, operating guides. Lawn mower user manuals, operating guides & specifications. 815 Instruction Manuals and User Guides for Craftsman online. Read online or download owner's manuals and user guides for Craftsman.

By including CCE references in the content, SCAP supports a wide range of comparison possibilities.Configuration items can be tracked and compared across multiple systems using any combination of SCAP compatible tools.LDSS-FDCC fully supports this concept of interoperability by simply processing the SCAP content as intended.

Exports provided by the LDSS-FDCC include the Tiger.xml format.This format was developed to insulate integrators from the intricacies and evolutions of the SCAP languages.Each configuration check includes the CCE reference, enabling the integrator to easily process SCAP data properly.Tiger was designed to give any product a fast track to SCAP compatibility and validation; CCE is a key ingredient.

CPE Implementation

LDSS-FDCC includes automated support for the Common Platform Enumeration (CPE) standard. CPE provides a standard notation and reference to operating systems and applications.An operating system can be referred to in many different ways such as 'Windows XP' vs. 'Microsoft Windows XP'.CPE introduces a standard notation, such as 'cpe:/o:microsoft:windows_xp' and 'cpe:/a:microsoft:ie:7', enabling products to share SCAP results without pre-coordinating operating system and application references.

The SCAP data stream provides OVAL-based checks that precisely determine whether or not a benchmark applies to a network asset.Compatible tools can use these tests to decide whether or not to assess a benchmark; they can also use this check to filter the list of available benchmarks for a selected network asset. LDSS-FDCC executes the CPE check to automatically select benchmarks that are applicable to a target system.The user simply defines a network asset to assess, and LDSS-FDCC automatically determines which benchmarks to assess.The user can introduce or remove any benchmark at will; the product applies all available and applicable benchmarks to the target.The LDSS-FDCC report and export files also include the applicable operating system or application CPE reference.

CVSS Implementation

LDSS-FDCC provides support for the Common Vulnerability Scoring System (CVSS).CVSS represents a standardized approach to measuring the impacts of IT vulnerabilities.Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities.The SCAP data stream currently uses a flat scoring methodology, giving all compliance checks the same 'weight' (level of importance).These weights are compatible with CVSS scoring.NIST, through their National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each CCE compliance item.That will enable LDSS-FDCC to provide a more informative view of the relative impact of mis-configuration issues.Likewise, the product libraries include a CVSS calculator which can be used to calculate a score (from 0 to 10) given a CVSS vector.The XML transform for the Tiger.xml output also includes links to the NVD to view the CVSS vectors, giving the user access to the online CVSS calculator hosted at NIST.

XCCDF Implementation

LDSS-FDCC includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF).XCCDF specifies system settings for automated tools to assess.XCCDF specifies what to check.It is the primary protocol required to process the SCAP data stream.The Secutor XCCDF interpreting engine has been exercised by thousands of users in hundreds of Federal Agencies, hundreds of commercial sites, and over fifty countries.Compliance checklist content, like those developed by NIST for the Federal Desktop Core Configuration (FDCC), is written in the standard XCCDF format.These files are included with LDSS-FDCC and are used by the product to generate the groups and lists of rules to be checked.The product then uses information from the XCCDF file to perform the assessment as specified in the accompanying Open Vulnerability and Assessment Language (OVAL) file.LDSS-FDCC generates and displays assessment results in a browser using XML transforms.Reports and export are also based on the structure and content of the XCCDF benchmark.

OVAL Implementation

LDSS-FDCC includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard.OVAL specifies a standardized approach for assessing each system setting.While XCCDF describes what to check, OVAL specifies how to perform the check.LDSS-FDCC includes a mature commercial OVAL interpreter.The OVAL interpreter was engineered to assess local computers and remote targets using agentless 'over the wire' technology.LDSS-FDCC automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities.LDSS-FDCC has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments. 2014 ford focus se user manual.

Many questions arise at the mention of the Security Content Automation Protocol (SCAP): What is it, how does it..

work, and how can it be useful for an enterprise?

This tip is intended to offer some background on what SCAP is and when and how an organization would benefit by relying on this protocol to enhance enterprise security.

What is SCAP?
According to SCAP NIST guidance (.pdf), SCAP -- pronounced as either 'S-CAP' (ESS'-cap) or as each letter individually: S-C-A-P -- is:

'…a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information.'

SCAP was developed to 1) organize, 2) express and 3) measure security information in standardized ways, thus providing an automated approach to maintaining the security of enterprise systems.

More specifically, the NIST guidance lists three ways in which SCAP can be used to maintain the security of enterprise systems, including:

• Automatically verifying the installation of patches;
• Checking system security configuration settings, and;
• Examining systems for signs of compromise.

The primary driver for SCAP's development is to help organizations that need to comply with the U.S. Federal Desktop Core Configuration (FDCC) and the United States Government Configuration Baseline (USGCB)¹ initiative, which has evolved from the Federal Desktop Core Configuration mandate requirements. SCAP-validated scanning tools can be used to scan affected systems and provide reports regarding whether those systems are compliant with FDCC. This is a time-saver and will help organizations be more readily prepared for audits that require FDCC compliance.

Scap Compliance Checker User Manual

SCAP has two major elements:

• First, it is a protocol. SCAP is a suite of four open specifications that standardize the format and nomenclature by which software communicates information about publically known software flaws and security configurations annotated with common identifiers and embedded in XML. Essentially this is a means of establishing some automated 'on/off' switches when checking to see if a server or desktop is compliant with the standard in question. This is practical because the output is a standardized, non-proprietary format that can be used across different organizations. Each specification is known as an SCAP component. (NIST also gives more information on SCAP v1.0 components.)

• Second, SCAP includes software flaw and security configuration standard reference data, also known as SCAP content. This reference data is provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Department of Homeland Security (DHS). SCAP content is available on the NVD.

So, there's SCAP content (i.e., reference data) and SCAP components (i.e., security specifications). In order to make these work effectively, the SCAP authors have integrated the SCAP content and the SCAP components into SCAP-expressed checklists that use a standardized language to express what platform is being discussed (think Common Platform Enumeration (CPE)) and what security settings should be addressed (think Common Configuration Enumeration (CCE)). It would also be possible to use the checklists in a manual manner to set up the system in question. However, the number of settings is substantial, and, as such, an automated system like SCAP is preferred.

The National Checklist Program (NCP) website is the repository for SCAP-expressed checklists.

An example of a checklist page from this website for FDCC Windows XP is shown in Figure 1 below:

Click to enlarge
Figure 1:Checklist for FDCC Windows XP

As a note, if you look at the Supporting Resources section of this page, there is a 'Human Readable' or 'prose' version of the settings that, when downloaded, provides a spreadsheet of the policy setting and name, the CCE reference, the registry setting, as well as the description and what the Federal Desktop Configuration should be for each policy (e.g., Disabled, Enabled, etc.). An example of the spreadsheet is shown in Figure 2.

Click to enlarge
Figure 2: Human Readable Version of FDCC Settings

Each checklist is assigned a tier relative to its automation operability as pertains to the SCAP protocol. The tiers are designated as I - IV.

• Tier I checklists are prose-based, i.e., narrative descriptions of how a person can manually alter a product's configuration.

• Tier II checklists tend to list the recommended security settings in a proprietary, machine-readable format.

• Onida black beauty microwave oven user manual. Tier III checklists use the SCAP protocol to document their recommended security settings in machine-readable, standardized SCAP formats.

• Tier IV checklists include all the properties of the Tier III checklists. Additionally, they are considered production-ready and have been validated by NIST to ensure interoperability with SCAP-validated products. Tier IV checklists also demonstrate the ability to map low-level security settings to high-level security requirements as represented in such frameworks as SP 800-53 controls for FISMA. (Note: all the FDCC Checklists are tier IV in the National Vulnerability Database.)

Of note, organizations obligated to comply with federal mandate for SCAP are required to use the highest tier for their computer security automation. Also, there are plans for a Content Validation Program to allow vendors or anyone else to have their content posted to the NVD as Tier III or Tier IV content. However, a date for when this will be implemented is not currently available.

How can an enterprise take advantage of SCAP?
According to NIST, organizations interested in taking advantage of SCAP tools (.pdf) should adhere to the following recommendations as noted in the publication:

• Use SCAP-expressed security configuration checklists to automatically improve and monitor a system's security. The SCAP-expressed checklists help automatically generate assessment and compliance evidence and can be downloaded from the National Checklist Program website referred to above. It is important to note, however, that the current version of SCAP does not fix or correct any discrepancies noted between actual configuration and the checklist –- that is anticipated for future SCAP tools and is already in some proprietary applications.

• Take advantage of SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards and guidelines, such as FDCC. This also can help an agency be better prepared for a FISMA audit.

• Use standardized SCAP enumerations, identifiers and product names such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE) nomenclature. In other words, use a common language so descriptions of vulnerabilities or exposures operate with the same terminology and reference the same MITRE CVE/CCE/CPE database. This allows organizations to better understand the system vulnerabilities and affected configurations when cross-talking between organizations and referring to security-related software flaws, security configuration issues and platforms.

• Use SCAP for quantitative and repeatable vulnerability measurement and scoring through the combination of Common Vulnerability Scoring System (CVSS), CVE and CPE. Because SCAP does provide for some scoring during the analyses, you can use the scores to plot and establish trends, comparisons, etc.

• Acquire and use SCAP-validated products. U.S. Federal agencies and those companies supporting U.S. government agencies must use SCAP-validated FDCC scanners for testing and assessing FDCC compliance.

  Of note, NIST has established both an SCAP product-validation program and a National Voluntary Laboratory Accreditation Program (NVLAP). These programs are coordinated to ensure the SCAP products are effectively tested and validated to conform to SCAP requirements. NIST maintains a list of accredited laboratories and currently validated products. A graphic showing some of the currently validated products is shown in Figure 3.

  
  Click to enlarge
  Figure 3: SCAP Validated Products (Examples)

• Adopt SCAP and use its capabilities when developing software and/or security checklists, thus verifying the software provides the ability to assess underlying software configuration settings rather than relying on more costly manual checks or proprietary checking mechanisms.

In addition to the NIST SP 800-117 suggestions above, Karen Scarfone, a computer scientist and project manager with NIST, gave an excellent SCAP Overview Presentation (.pdf) that noted these common uses of SCAP:

Scap Compliance Checker 5.0 Download

• Perform security configuration verification: Here you can use an SCAP-expressed checklist and compare it to a system's actual configuration. You can verify and audit a system before deployment using these checklists. Also, you can map individual system settings to high-level requirements such as FDCC, etc. using the checklist capability.

• Check system for signs of security compromise: If you know the characteristics of the attacks, then you can check for altered files or the presence of a malicious service. For example, if you know the attack alters a specific .dll file, then you can check for any particular changes to the associated file.

Benefits
SCAP is moving along and is being implemented primarily due to federal mandate by the U.S. Office of Management and Budget. SCAP v1.0 is being adopted and products are being developed and tested for accreditation by NIST-approved laboratories. Version 1.1 was expected in late 2010 and candidate specifications for version 1.2 are already under review, per Karen Scarfone.

Scap Compliance Checker 4.2 User Manual Free

What are the potential organizational benefits of using SCAP? Here are a few:

• By using SCAP, you can increase automation and reduce manual effort to obtain assessment results, determine those corrective actions needed and thus provide substantial cost savings.

• Because you are using the common language mandated by SCAP, the resulting XML-coded results will allow for easier communication of results across the other SCAP system users. Also, this will allow for easier comparison of issue sets between security organizations because the vulnerabilities are described using the same codex of CVSS, CVE and CPE.

• By using SCAP-validated products, organizations are more likely to be better prepared for FDCC audits.

• A primary benefit of SCAP content is the ability to make and modify your own checklists. You are not obligated to use only the FDCC /USGCB content unless you are under the government mandate.

I suspect we will all hear more about SCAP implementation in the future, and, with the newer versions of the protocol, there will be even more potential benefits for automated security.

Scap Compliance Checker 4.2

¹The United States Government Configuration Baseline (USGCB) will be the successor to FDCC and will contain Win 7 as well as other operating system coverage like Red Hat, Solaris, etc… when their content is finalized. USGCB is expected to be incorporated into SCAP 1.1.

Scap Compliance Checker 4.2 User Manual Online

About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is an experienced information security professional and technology executive , providing thought leadership for more than 10 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of “managing principal – energy security” at Verizon’s Global Energy & Utilitiespractice, devoting much of his time to energy, utility and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), and Seattle City Light. Hayden’s independent advice does not necessarily reflect all positions held by Verizon. Read more of Hayden’s expert adviceon his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at editor@searchsecurity.com.