Scap Compliance Checker 4.2 User Manual
- The installer command line arguments changed from SCC 4.1 to 4.2. Refer to SCC's User Manual for complete instructions, but in short: /HELP, /? shows a summary of this information; it is ignored if the UseSetupLdr Setup section directive was set to no. /SP- disables the 'This will install. Do you wish to continue?' prompt at the beginning of Setup.
- Security content automation protocol (SCAP) compliance checker v. 4.1.1 Enterprise system security maintenance The National Institute of Standards and Technology (NIST) developed SCAP to assist government IT system administrators in configuring IT products, to provide greater levels of security, and produce evidence of compliance to high-level.
- SCAP Workbench is a tool that can open XCCDF or SDS files and allows the user to evaluate either local or remote machine using the content in the opened file.
That fit into an SCAP-compatible architecture NIST SP800-126: Security Content Automation Protocol Specification – Technical overview of SCAP NIST IR-7511: SCAP Version 1.0 Validation Program Test Requirements – Detailed technical requirements for tools that wish to be validated as SCAP compliant What Defines SCAP
Vendor Provided Validation Details - LANDesk Security
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
SCAP Implementation
LANDesk Security Suite 9.0 Extensions for Federal Desktops (LDSS-FDCC) are built around support for the Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard. This allows regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past. The guidance is written in the standard format and passed to security products for automated processing and reporting; common input and common output. LDSS-FDCC includes support for all six protocols. It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. It uses the
Exports provided by the LDSS-FDCC include the Tiger.xml format. This format was developed to insulate users and administrators from the intricacies and evolutions of the SCAP languages. Tiger was designed to give any product a fast track to SCAP compatibility and validation.
CVE Implementation
LDSS-FDCC includes support for Common Vulnerabilities and Exposures (CVE) names. CVE provides standardized references to known vulnerabilities. This unique identifier provides a common way to refer to vulnerabilities. CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items. Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches. The XCCDF and OVAL compliance checks currently do not reference CVE names. LDSS-FDCC raises the CVE references from the SCAP patch content to populate the XML exports, which are then viewable in the browser. The CVE name is included in the references section of the LDSS-FDCC XSL transform for each patch check listed in the tree. LDSS-FDCC can also perform vulnerability assessments using the included Open Vulnerability and Assessment Language (OVAL) content. The References section includes the CVE name and a link to the NVD site for each CVE name.
LDSS-FDCC includes support for Common Configuration Enumeration (
By including
Exports provided by the LDSS-FDCC include the Tiger.xml format. This format was developed to insulate integrators from the intricacies and evolutions of the SCAP languages. Each configuration check includes the
LDSS-FDCC includes automated support for the Common Platform Enumeration (
The SCAP data stream provides OVAL-based checks that precisely determine whether or not a benchmark applies to a network asset. Compatible tools can use these tests to decide whether or not to assess a benchmark; they can also use this check to filter the list of available benchmarks for a selected network asset. LDSS-FDCC executes the
CVSS Implementation
LDSS-FDCC provides support for the Common Vulnerability Scoring System (CVSS). CVSS represents a standardized approach to measuring the impacts of IT vulnerabilities. Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities. The SCAP data stream currently uses a flat scoring methodology, giving all compliance checks the same 'weight' (level of importance). These weights are compatible with CVSS scoring. NIST, through their National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each
XCCDF Implementation
LDSS-FDCC includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check. It is the primary protocol required to process the SCAP data stream. The Secutor XCCDF interpreting engine has been exercised by thousands of users in hundreds of Federal Agencies, hundreds of commercial sites, and over fifty countries. Compliance checklist content, like those developed by NIST for the Federal Desktop Core Configuration (
OVAL Implementation
LDSS-FDCC includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check. LDSS-FDCC includes a mature commercial OVAL interpreter. The OVAL interpreter was engineered to assess local computers and remote targets using agentless 'over the wire' technology. LDSS-FDCC automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. LDSS-FDCC has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments.
Many questions arise at the mention of the Security Content Automation Protocol (SCAP): What is it, how does it work, and how can it be useful for an enterprise?
This tip is intended to offer some background on what SCAP is and when and how an organization would benefit by relying on this protocol to enhance enterprise security.
What is SCAP?
According to SCAP NIST guidance (.pdf), SCAP -- pronounced as either 'S-CAP' (ESS'-cap) or as each letter individually: S-C-A-P -- is:
'…a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information.'
SCAP was developed to 1) organize, 2) express and 3) measure security information in standardized ways, thus providing an automated approach to maintaining the security of enterprise systems.
More specifically, the NIST guidance lists three ways in which SCAP can be used to maintain the security of enterprise systems, including:
- Automatically verifying the installation of patches;
- Checking system security configuration settings, and;
- Examining systems for signs of compromise.
The primary driver for SCAP's development is to help organizations that need to comply with the U.S. Federal Desktop Core Configuration (FDCC) and the United States Government Configuration Baseline (USGCB)1 initiative, which has evolved from the Federal Desktop Core Configuration mandate requirements. SCAP-validated scanning tools can be used to scan affected systems and provide reports regarding whether those systems are compliant with FDCC. This is a time-saver and will help organizations be more readily prepared for audits that require FDCC compliance.
SCAP has two major elements:
- First, it is a protocol. SCAP is a suite of four open specifications that standardize the format and nomenclature by which software communicates information about publicly known software flaws and security configurations annotated with common identifiers and embedded in XML. Essentially this is a means of establishing some automated 'on/off' switches when checking to see if a server or desktop is compliant with the standard in question. This is practical because the output is a standardized, non-proprietary format that can be used across different organizations. Each specification is known as an SCAP component. (NIST also gives more information on SCAP v1.0 components.)
- Second, SCAP includes software flaw and security configuration standard reference data, also known as SCAP content. This reference data is provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Department of Homeland Security (DHS). SCAP content is available on the NVD.
So, there's SCAP content (i.e., reference data) and SCAP components (i.e., security specifications). In order to make these work effectively, the SCAP authors have integrated the SCAP content and the SCAP components into SCAP-expressed checklists that use a standardized language to express what platform is being discussed (think Common Platform Enumeration (CPE)) and what security settings should be addressed (think Common Configuration Enumeration (CCE)). It would also be possible to use the checklists in a manual manner to set up the system in question. However, the number of settings is substantial, and, as such, an automated system like SCAP is preferred.
The National Checklist Program (NCP) website is the repository for SCAP-expressed checklists.
An example of a checklist page from this website for FDCC Windows XP is shown in Figure 1 below:
Figure 1: Checklist for FDCC Windows XP
As a note, if you look at the Supporting Resources section of this page, there is a 'Human Readable' or 'prose' version of the settings that, when downloaded, provides a spreadsheet of the policy setting and name, the CCE reference, the registry setting, as well as the description and what the Federal Desktop Configuration should be for each policy (e.g., Disabled, Enabled, etc.). An example of the spreadsheet is shown in Figure 2.
Figure 2: Human Readable Version of FDCC Settings
Each checklist is assigned a tier relative to its automation operability as pertains to the SCAP protocol. The tiers are designated as I - IV.
- Tier I checklists are prose-based, i.e., narrative descriptions of how a person can manually alter a product's configuration.
- Tier II checklists tend to list the recommended security settings in a proprietary, machine-readable format.
- Tier III checklists use the SCAP protocol to document their recommended security settings in machine-readable, standardized SCAP formats.
- Tier IV checklists include all the properties of the Tier III checklists. Additionally, they are considered production-ready and have been validated by NIST to ensure interoperability with SCAP-validated products. Tier IV checklists also demonstrate the ability to map low-level security settings to high-level security requirements as represented in such frameworks as SP 800-53 controls for FISMA. (Note: all the FDCC Checklists are tier IV in the National Vulnerability Database.)
Of note, organizations obligated to comply with the federal mandate for SCAP are required to use the highest tier for their computer security automation. Also, there are plans for a Content Validation Program to allow vendors or anyone else to have their content posted to the NVD as Tier III or Tier IV content. However, a date for when this will be implemented is not currently available.
How can an enterprise take advantage of SCAP?
According to NIST, organizations interested in taking advantage of SCAP tools (.pdf) should adhere to the following recommendations as noted in the publication:
- Use SCAP-expressed security configuration checklists to automatically improve and monitor a system's security. The SCAP-expressed checklists help automatically generate assessment and compliance evidence and can be downloaded from the National Checklist Program website referred to above. It is important to note, however, that the current version of SCAP does not fix or correct any discrepancies noted between actual configuration and the checklist -- that is anticipated for future SCAP tools and is already in some proprietary applications.
- Take advantage of SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards and guidelines, such as FDCC. This also can help an agency be better prepared for a FISMA audit.
- Use standardized SCAP enumerations, identifiers and product names such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE) nomenclature. In other words, use a common language so descriptions of vulnerabilities or exposures operate with the same terminology and reference the same MITRE CVE/CCE/CPE database. This allows organizations to better understand the system vulnerabilities and affected configurations when cross-talking between organizations and referring to security-related software flaws, security configuration issues and platforms.
- Use SCAP for quantitative and repeatable vulnerability measurement and scoring through the combination of Common Vulnerability Scoring System (CVSS), CVE and CPE. Because SCAP does provide for some scoring during the analyses, you can use the scores to plot and establish trends, comparisons, etc.
- Acquire and use SCAP-validated products. U.S. Federal agencies and those companies supporting U.S. government agencies must use SCAP-validated FDCC scanners for testing and assessing FDCC compliance.
Of note, NIST has established both an SCAP product-validation program and a National Voluntary Laboratory Accreditation Program (NVLAP). These programs are coordinated to ensure the SCAP products are effectively tested and validated to conform to SCAP requirements. NIST maintains a list of accredited laboratories and currently validated products. A graphic showing some of the currently validated products is shown in Figure 3.
Figure 3: SCAP Validated Products (Examples)
- Adopt SCAP and use its capabilities when developing software and/or security checklists, thus verifying the software provides the ability to assess underlying software configuration settings rather than relying on more costly manual checks or proprietary checking mechanisms.
In addition to the NIST SP 800-117 suggestions above, Karen Scarfone, a computer scientist and project manager with NIST, gave an excellent SCAP Overview Presentation (.pdf) that noted these common uses of SCAP:
- Perform security configuration verification: Here you can use an SCAP-expressed checklist and compare it to a system's actual configuration. You can verify and audit a system before deployment using these checklists. Also, you can map individual system settings to high-level requirements such as FDCC, etc. using the checklist capability.
- Check system for signs of security compromise: If you know the characteristics of the attacks, then you can check for altered files or the presence of a malicious service. For example, if you know the attack alters a specific .dll file, then you can check for any particular changes to the associated file.
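To make the configuration-verification and scoring uses concrete, the following Python example is added here and is not code from the article or from any SCAP product. It reads an XCCDF 1.1 results document, applies flat scoring (every rule carrying the same weight) and lists the CCE identifiers of failed rules; the sample XML, host name, rule ids and CCE numbers are constructed placeholders, and treating "fixed" as passing is an assumption of the example.

```python
import xml.etree.ElementTree as ET  # for untrusted result files, prefer defusedxml

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident system URI for CCE
UNSCORED = {"notselected", "notapplicable", "notchecked", "informational"}
PASSING = {"pass", "fixed"}  # assumption: "fixed" is counted as passing here

# Constructed sample: rule ids, host name and CCE numbers are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example">
  <TestResult id="scan-1">
    <target>host01.example.test</target>
    <rule-result idref="rule-password-length" weight="10.0">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-1</ident>
    </rule-result>
    <rule-result idref="rule-autorun-disabled" weight="10.0">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-2</ident>
    </rule-result>
    <rule-result idref="rule-ie-setting" weight="10.0">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="rule-audit-policy" weight="10.0">
      <result>error</result>
      <ident system="http://cce.mitre.org">CCE-0000-4</ident>
    </rule-result>
  </TestResult>
</Benchmark>"""

def parse_results(xml_text):
    """Return (target, rows) from the first TestResult in an XCCDF document."""
    root = ET.fromstring(xml_text)
    is_result = root.tag == "{%s}TestResult" % NS["x"]
    tr = root if is_result else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF 1.1 TestResult element found")
    rows = []
    for rr in tr.findall("x:rule-result", NS):
        rows.append({
            "rule": rr.get("idref"),
            "result": (rr.findtext("x:result", "unknown", NS) or "unknown").strip(),
            "weight": float(rr.get("weight", "1.0")),
            "cce": [i.text.strip() for i in rr.findall("x:ident", NS)
                    if i.get("system") == CCE_SYSTEM and i.text],
        })
    return (tr.findtext("x:target", "", NS) or "").strip(), rows

def flat_score(rows):
    """Flat model: weights of passing rules, and weights of all scored rules."""
    scored = [r for r in rows if r["result"] not in UNSCORED]
    return (sum(r["weight"] for r in scored if r["result"] in PASSING),
            sum(r["weight"] for r in scored))

def failing_cces(rows):
    """CCE identifiers attached to failed rules, for cross-tool reporting."""
    return sorted({c for r in rows if r["result"] == "fail" for c in r["cce"]})

if __name__ == "__main__":
    target, rows = parse_results(SAMPLE)
    print(target, flat_score(rows), failing_cces(rows))
```

An "error" result stays in the maximum but earns no points, so a scan that could not evaluate a rule lowers the score instead of silently passing.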
Benefits
SCAP is moving along and is being implemented primarily due to federal mandate by the U.S. Office of Management and Budget. SCAP v1.0 is being adopted and products are being developed and tested for accreditation by NIST-approved laboratories. Version 1.1 was expected in late 2010 and candidate specifications for version 1.2 are already under review, per Karen Scarfone.
What are the potential organizational benefits of using SCAP? Here are a few:
- By using SCAP, you can increase automation and reduce manual effort to obtain assessment results, determine those corrective actions needed and thus provide substantial cost savings.
- Because you are using the common language mandated by SCAP, the resulting XML-coded results will allow for easier communication of results across the other SCAP system users. Also, this will allow for easier comparison of issue sets between security organizations because the vulnerabilities are described using the same codex of CVSS, CVE and CPE.
- By using SCAP-validated products, organizations are more likely to be better prepared for FDCC audits.
- A primary benefit of SCAP content is the ability to make and modify your own checklists. You are not obligated to use only the FDCC/USGCB content unless you are under the government mandate.
I suspect we will all hear more about SCAP implementation in the future, and, with the newer versions of the protocol, there will be even more potential benefits for automated security.
1 The United States Government Configuration Baseline (USGCB) will be the successor to FDCC and will contain Win 7 as well as other operating system coverage like Red Hat, Solaris, etc… when their content is finalized. USGCB is expected to be incorporated into SCAP 1.1.
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for more than 10 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of “managing principal – energy security” at Verizon’s Global Energy & Utilities practice, devoting much of his time to energy, utility and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), and Seattle City Light. Hayden’s independent advice does not necessarily reflect all positions held by Verizon. Read more of Hayden’s expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at editor@searchsecurity.com.