Setting up the SCAP environment
To use Security Content Automation Protocol (SCAP) features, you must perform the following steps:
Obtaining SCAP content
Security Content Automation Protocol (SCAP) content is provided as XML files, which define the checklists and rules used for SCAP compliance scanning. You can obtain SCAP content from any source. A common source is the NIST SCAP content website at http://scap.nist.gov/content/. Many other organizations and companies provide SCAP content, or you can import custom content. Regardless of the source, the content must be well-formed XML and must validate without major errors. The import process creates a log file of all validation errors.
SCAP content is provided as XML files. Details of these XML files depend on the SCAP version:
SCAP version 1.2: A single XML file for each source data stream collection.
You select this XML file when you import SCAP 1.2 content.
BMC Server Automation supports schemas for OVAL version 5.10 and earlier, but does not yet fully support the newest OVAL schema version, 5.11. Changing the OVAL schema version in an XML file that you obtain (that is, editing the oval:schema_version tag within the generator element) from 5.11 to 5.10 is NOT recommended. Such a change can have unpredictable results when you attempt to import the SCAP content or to create and run an SCAP Compliance Job based on it.
SCAP version 1.0: SCAP benchmark content typically includes the following XML files:
- XCCDF file (<xxx>-xccdf.xml)
- Generic OVAL file (<xxx>-oval.xml)
- Platform-specific OVAL file (<xxx>-oval-cpe.xml)
- (Optional) Patches file (<xxx>-patches.xml)
- Source-specific platform dictionary (<xxx>-cpe-dictionary.xml)
To prepare SCAP content
- Download the SCAP content file or group of files from a website or other source to a system that is a BMC Server Automation managed server. Alternatively, you can create custom SCAP files and place them on a managed server.
- For SCAP version 1.0 content: Ensure that all files referenced in the XCCDF file are present in the same folder with the XCCDF file.
The following example shows two sets of SCAP 1.0 content files ready for import.
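The checks this section describes before an import (the file is well-formed XML, it is a 1.2 data stream collection or a 1.0 XCCDF benchmark, the OVAL generator's oval:schema_version is 5.10 or earlier, and for 1.0 content every file the XCCDF references is present in the same folder) can be run as a script before you copy the content to a managed server. The following is an added example and is not BMC Server Automation's own validator or import log; the sample content is constructed for the demonstration, the 5.10 threshold comes from the note above, and the detection of a 1.0 bundle by its XCCDF Benchmark root element is this example's assumption.

```python
# Pre-import sanity check for SCAP content (added example, not BMC Server Automation code).
import os
import tempfile
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
MAX_SUPPORTED_OVAL = (5, 10)  # page: 5.10 and earlier supported, 5.11 not yet fully

# Constructed samples, not real benchmark content. sample-patches.xml, which the
# XCCDF references, is deliberately never written so the check has something to find.
SAMPLE_XCCDF_10 = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <status>draft</status><title>Constructed sample</title><version>1</version>
  <Rule id="rule-1"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/></check></Rule>
  <Rule id="rule-2"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="sample-patches.xml" name="oval:sample:def:2"/></check></Rule>
</Benchmark>
"""
SAMPLE_OVAL_510 = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator><oval:product_name>constructed</oval:product_name>
    <oval:schema_version>5.10.1</oval:schema_version></generator>
</oval_definitions>
"""
SAMPLE_DS_12 = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    id="scap_sample_collection" schematron-version="1.2">
  <ds:component id="scap_sample_comp_oval" timestamp="2014-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                      xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
      <generator><oval:schema_version>5.11</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""


def _version_tuple(text):
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def oval_schema_versions(root):
    """Every oval:schema_version found inside an OVAL generator element."""
    found = []
    for gen in root.iter("{%s}generator" % OVAL_DEF_NS):
        sv = gen.find("{%s}schema_version" % OVAL_COMMON_NS)
        if sv is not None and sv.text:
            found.append(sv.text.strip())
    return found


def inspect_scap_file(path):
    """Report on one SCAP XML file; malformed input is reported, not raised."""
    r = {"scap_version": None, "parse_error": None, "oval_versions": [],
         "missing_files": [], "warnings": []}
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as e:
        r["parse_error"] = str(e)  # not well-formed XML: the import would reject it
        return r
    if root.tag == "{%s}data-stream-collection" % DS_NS:
        r["scap_version"] = "1.2"  # single file, components embedded; nothing on disk to resolve
        r["oval_versions"] = oval_schema_versions(root)
    elif root.tag.endswith("Benchmark"):  # assumption: bare XCCDF root means a 1.0 bundle
        r["scap_version"] = "1.0"
        folder = os.path.dirname(os.path.abspath(path))
        hrefs = [el.get("href", "") for el in root.iter() if el.tag.endswith("}check-content-ref")]
        for href in hrefs:  # every referenced file must sit beside the XCCDF
            if not href or href.startswith("#") or "://" in href:
                continue
            target = os.path.join(folder, href)
            if not os.path.isfile(target):
                r["missing_files"].append(href)
                continue
            try:
                r["oval_versions"] += oval_schema_versions(ET.parse(target).getroot())
            except ET.ParseError as e:
                r["warnings"].append("%s: not well-formed XML (%s)" % (href, e))
    else:
        r["warnings"].append("unrecognised root element %s" % root.tag)
    for v in sorted(set(r["oval_versions"])):
        if _version_tuple(v)[:2] > MAX_SUPPORTED_OVAL:
            r["warnings"].append("OVAL schema_version %s is newer than %d.%d; do not hand-edit it "
                                 "down, obtain content built for a supported schema" % ((v,) + MAX_SUPPORTED_OVAL))
    if r["missing_files"]:
        r["warnings"].append("missing from the XCCDF folder: " + ", ".join(r["missing_files"]))
    return r


def demo():
    """Write the constructed samples to a temp folder and inspect each one."""
    d = tempfile.mkdtemp()
    files = {"sample-xccdf.xml": SAMPLE_XCCDF_10, "sample-oval.xml": SAMPLE_OVAL_510,
             "sample-ds.xml": SAMPLE_DS_12, "broken.xml": SAMPLE_XCCDF_10[:200]}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return {name: inspect_scap_file(os.path.join(d, name)) for name in files}
```

Running demo() reports the 1.0 bundle as missing sample-patches.xml, flags the 1.2 data stream because its embedded OVAL content declares schema_version 5.11, and returns a parse_error for the truncated file instead of raising. The script only checks well-formedness and the points named on this page; it does not replace schema validation, and the import's own log remains the authoritative record of validation errors.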
Installing the RSCD agent for SCAP analysis
All target servers that you want to include in an SCAP Compliance Job must be running an RSCD agent, version 8.2 or later.
The OVAL interpreter is installed automatically with the RSCD agent on supported platforms. No special actions are required to install the OVAL interpreter.
To install the RSCD agent and OVAL interpreter
See one of the following sources:
- Installing for RSCD agent installation information.
- Upgrading the RSCD agent on Linux and UNIX and Upgrading RSCD agents on Windows for RSCD agent upgrade information.
Establishing role-based permissions for SCAP
To import Security Content Automation Protocol (SCAP) content, create and run SCAP Compliance Jobs, and view results, administrators must be assigned a role that includes the necessary permissions.
To facilitate division of responsibilities, you can assign all required permissions to one role or divide them between several roles. See Managing access for more details.
The blcontent.exe script included with BMC Server Automation includes sample roles and authorization profiles for SCAP-specific activities. For more information about blcontent.exe, see Loading prepackaged content.
The following permissions control SCAP activities:
| Define permissions for | Controls the ability to |
|---|---|
| ScapDataStream.* | Import SCAP data streams and access all associated files after import. |
| SCAPContentFile.* | Import SCAP benchmarks and access the CPE and OVAL files after import. |
| XccdfBenchmark.* | Access the XccdfBenchmark file after import. (This permission set is a subset of the SCAPContentFile.* permissions.) |
| SCAPComplianceJob.* | Create, Edit, Modify Targets, Modify Schedules, Modify Properties, and Execute Job permissions for SCAP Compliance Jobs. |
| Server.Read, Server.Audit, ServerGroup.* | Create SCAP Compliance Jobs against servers. |
| DepotFolder.*, DepotGroup.* | Import objects into the Depot and access objects after import. |
Note: The permission set for XccdfBenchmark should be equal to or a subset of the SCAPContentFile permission set.
Sample Permission Sets
A role with the following permissions has full SCAP abilities:
BatchJob.* DepotFolder.* DepotGroup.* ExecutionTask.* JobFolder.* JobGroup.* SCAPComplianceJob.* ScapDataStream.* SCAPContentFile.* Server.Read Server.Audit ServerGroup.* XCCDFBenchmark.*
A role with the following permissions can import and view SCAP data stream collections and SCAP benchmarks but cannot delete them, and it cannot create SCAP Compliance Jobs:
DepotFolder.* DepotGroup.* XccdfBenchmark.Read XccdfBenchmark.Create ScapDataStream.Create ScapDataStream.Read ScapContentFile.Create ScapContentFile.Read
A role with the following permissions can create SCAP Compliance Jobs:
DepotFolder.Read DepotGroup.Read XccdfBenchmark.* SCAPContentFile.* ScapDataStream.* Server.Read Server.Audit ServerGroup.* JobFolder.* ScapComplianceJob.*