Setting up the SCAP environment

To use Security Content Automation Protocol (SCAP) features, you must perform the following steps:

  1. Obtain or prepare benchmark content.
  2. Install the latest RSCD versions on your target servers.
  3. Grant appropriate permissions to user roles.

Obtaining SCAP content

Security Content Automation Protocol (SCAP) content is provided as XML files, which define checklists and rules for SCAP compliance scanning. You can obtain SCAP content from any source. A common source is the NIST SCAP content website at http://scap.nist.gov/content/. Many other organizations and companies provide SCAP content, or you can import custom content. Regardless of the source of the content, it must be well-formed XML and must validate without major errors. The import process creates a log file of all validation errors.

SCAP content is provided as XML files. Details of these XML files depend on the SCAP version:

  • SCAP version 1.2: A single XML file for each source data stream collection.
    You select this XML file when you import SCAP 1.2 content.

    Note

    BMC Server Automation supports schemas for OVAL version 5.10.1.7 and earlier, but does not yet fully support the newest OVAL schema version 5.11. Changing the OVAL schema version in an XML file that you obtain (that is, changing the oval:schema_version tag within the generator element) from 5.11 to 5.10 is NOT recommended. Such a change can have unpredictable results when you attempt to import the SCAP content or to create and run an SCAP Compliance Job based on this SCAP content.

  • SCAP version 1.0: SCAP benchmark content typically includes the following XML files:

    • XCCDF file (<xxx>-xccdf.xml)
    • Generic OVAL file (<xxx>-oval.xml)
    • Platform-specific OVAL file (<xxx>-oval-cpe.xml)
    • (Optional) Patches file (<xxx>-patches.xml)
    • Source-specific platform dictionary (<xxx>-cpe-dictionary.xml)
    During the import of an SCAP 1.0 benchmark, you select the XCCDF file. All the other XML files referenced in the XCCDF file must be stored in the same folder.

To prepare SCAP content

  1. Download the SCAP content file or group of files from a website or other source to a system that is a BMC Server Automation managed server. Alternatively, you can create custom SCAP files and place them on a managed server.
  2. For SCAP version 1.0 content: Ensure that all files referenced in the XCCDF file are present in the same folder with the XCCDF file.
    The following example shows two sets of SCAP 1.0 content files ready for import.
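The pre-import checks that the procedure above calls for (every file the XCCDF references is in the same folder, each referenced OVAL file is well-formed XML, and its generator schema_version is one the note above lists as supported) can be scripted before you hand content to the import. The following is an added example, not BMC Server Automation code; it builds a constructed SCAP 1.0 sample set in a temporary folder and assumes that references are taken from the XCCDF's check-content-ref href attributes only.

```python
"""Pre-import checks for a SCAP 1.0 benchmark file set (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Page note: OVAL 5.10.1.7 and earlier are supported; 5.11 is not fully supported.
SUPPORTED_OVAL_MAX = (5, 10)

# Constructed sample XCCDF (SCAP 1.0 style) that references one OVAL file.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <status>draft</status>
  <title>Constructed sample benchmark</title>
  <Rule id="rule-1" selected="true">
    <title>Example rule</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed sample OVAL file; schema_version is filled in per case.
SAMPLE_OVAL = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>constructed sample</oval:product_name>
    <oval:schema_version>{version}</oval:schema_version>
    <oval:timestamp>2014-01-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata><title>Example</title><description>constructed</description></metadata>
      <criteria/>
    </definition>
  </definitions>
</oval_definitions>
"""


def local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def referenced_files(xccdf_path):
    """Sorted href values of every check-content-ref element in the XCCDF."""
    root = ET.parse(xccdf_path).getroot()
    return sorted({el.get("href") for el in root.iter()
                   if local_name(el.tag) == "check-content-ref" and el.get("href")})


def oval_schema_version(oval_path):
    """Text of the first oval:schema_version under generator, or None if absent."""
    root = ET.parse(oval_path).getroot()
    for gen in root.iter():
        if local_name(gen.tag) == "generator":
            for el in gen:
                if local_name(el.tag) == "schema_version" and el.text:
                    return el.text.strip()
    return None


def check_benchmark(xccdf_path):
    """Return a list of problems; an empty list means the set is ready to import."""
    problems = []
    try:
        hrefs = referenced_files(xccdf_path)
    except ET.ParseError as exc:
        return [f"XCCDF is not well-formed XML: {exc}"]
    folder = os.path.dirname(os.path.abspath(xccdf_path))
    for href in hrefs:
        path = os.path.join(folder, href)
        if not os.path.isfile(path):
            problems.append(f"referenced file missing: {href}")
            continue
        try:
            version = oval_schema_version(path)
        except ET.ParseError as exc:
            problems.append(f"{href}: not well-formed XML: {exc}")
            continue
        if version is None:
            continue  # not an OVAL file (e.g. a CPE dictionary); nothing to compare
        if tuple(int(p) for p in version.split(".")[:2]) > SUPPORTED_OVAL_MAX:
            problems.append(f"{href}: OVAL schema {version} is newer than supported 5.10.x")
    return problems


def build_sample(oval_version="5.10.1", include_oval=True, broken_oval=False):
    """Write the constructed sample set to a fresh temp folder; return the XCCDF path."""
    folder = tempfile.mkdtemp(prefix="scap-sample-")
    xccdf = os.path.join(folder, "sample-xccdf.xml")
    with open(xccdf, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_XCCDF)
    if include_oval:
        body = "<oval_definitions><generator>" if broken_oval else SAMPLE_OVAL.format(version=oval_version)
        with open(os.path.join(folder, "sample-oval.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return xccdf


if __name__ == "__main__":
    for label, kwargs in [("good", {}), ("oval 5.11", {"oval_version": "5.11"}),
                          ("missing oval", {"include_oval": False}),
                          ("broken oval", {"broken_oval": True})]:
        print(label, "->", check_benchmark(build_sample(**kwargs)) or "ready for import")
```

Point check_benchmark at the real <xxx>-xccdf.xml of a downloaded set; a non-empty result tells you what to fix before the import log would report it. The version comparison deliberately looks only at major.minor, so 5.10.1.7 passes and 5.11 is flagged, matching the note above rather than attempting to rewrite the schema_version.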

Installing the RSCD agent for SCAP analysis

All target servers that you want to include in an SCAP Compliance Job must be running an RSCD agent, version 8.2 or later.

The OVAL interpreter is installed automatically with the RSCD agent on supported platforms. No special actions are required to install the OVAL interpreter.

To install the RSCD agent and OVAL interpreter

See one of the following sources:

Establishing role-based permissions for SCAP

To import Security Content Automation Protocol (SCAP) content, create and run SCAP Compliance Jobs, and view results, administrators must be assigned a role that includes the necessary permissions.

To facilitate division of responsibilities, you can assign all required permissions to one role or divide them between several roles. See Managing access for more details.

Note

The blcontent.exe script included with BMC Server Automation includes sample roles and authorization profiles for SCAP-specific activities. For more information about blcontent.exe, see Loading prepackaged content.

The following permissions control SCAP activities:

Define permissions for                         Controls the ability to
---------------------------------------------  ----------------------------------------------------------------------------------
ScapDataStream.*                               Import SCAP data streams and access all associated files after import.
ScapContentFile.*                              Import SCAP benchmarks and access the CPE and OVAL files after import.
XccdfBenchmark.*                               Access the XccdfBenchmark file after import. (This permission set is a subset of
                                               ScapContentFile.* permissions.)
                                               Note: The permission set for XccdfBenchmark should be equal to or a subset of the
                                               SCAPContentFile permission set.
SCAPComplianceJob.*, Jobfolder.*               Create, Edit, Modify Targets, Modify Schedules, Modify Properties, and Execute Job
                                               permissions for SCAP Compliance Jobs.
Server.Read, Server.Audit, ServerGroup.*       Create SCAP Jobs against servers.
DepotFolder.*, DepotGroup.*                    Import objects into the Depot and access objects after import.

Sample Permission Sets

A role with the following permissions has full SCAP abilities:

BatchJob.*
DepotFolder.*
DepotGroup.*
ExecutionTask.*
JobFolder.*
JobGroup.*
SCAPComplianceJob.*
ScapDataStream.*
SCAPContentFile.*
Server.Read
Server.Audit
ServerGroup.*
XCCDFBenchmark.*

A role with the following permissions can import and view SCAP data stream collections and SCAP benchmarks but not delete them, and it does not have the ability to create SCAP Compliance Jobs:

DepotFolder.*
DepotGroup.*
XccdfBenchMark.Read
XccdfBenchmark.Create
ScapDataStream.Create
ScapDataStream.Read
ScapContentFile.Create
ScapContentFile.Read

A role with the following permissions can create SCAP Compliance Jobs:

DepotFolder.Read
DepotGroup.Read
XccdfBenchmark.*
SCAPContentFile.*
ScapDataStream.*
Server.Read
Server.Audit
ServerGroup.*
JobFolder.*
ScapComplianceJob.*
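The rule in the table above (XccdfBenchmark permissions must be equal to or a subset of the ScapContentFile permissions) and the capability each sample role ends up with are easy to get wrong when roles are edited by hand. The following audit is an added example, not BMC Server Automation code. It assumes permission names have the form Object.Action, that Object.* grants every action on that object, that names compare case-insensitively (the page spells the same permission both ScapContentFile.* and SCAPContentFile.*), and that Create and Read are the action names behind the wildcards the table lists.

```python
"""Audit role permission sets for SCAP work (added example, not BMC code)."""


def _split(perm):
    """'ScapDataStream.Create' -> ('scapdatastream', 'create'); case-insensitive by assumption."""
    obj, _, action = perm.partition(".")
    return obj.lower(), action.lower()


def grants(role, required):
    """True if the role holds `required` directly or through the object's '*' wildcard."""
    obj, action = _split(required)
    return any(pobj == obj and pact in ("*", action) for pobj, pact in map(_split, role))


def xccdf_subset_violations(role):
    """XccdfBenchmark permissions in the role with no ScapContentFile counterpart.

    Implements the table's note: XccdfBenchmark.* needs ScapContentFile.*, and
    XccdfBenchmark.<action> needs ScapContentFile.<action> or ScapContentFile.*."""
    violations = []
    for perm in role:
        obj, action = _split(perm)
        if obj != "xccdfbenchmark":
            continue
        if action == "*":
            ok = any(_split(p) == ("scapcontentfile", "*") for p in role)
        else:
            ok = grants(role, "ScapContentFile." + action)
        if not ok:
            violations.append(perm)
    return violations


# Requirements derived from the table. Create/Read action names are an assumption
# where the page shows only a wildcard (JobFolder.*, ServerGroup.*).
IMPORT_CONTENT = ["ScapDataStream.Create", "ScapContentFile.Create", "XccdfBenchmark.Create"]
CREATE_JOBS = ["ScapComplianceJob.Create", "JobFolder.Create",
               "Server.Read", "Server.Audit", "ServerGroup.Read"]


def audit(role):
    """Summarise what a role can do and whether it respects the subset rule."""
    return {
        "can_import_content": all(grants(role, p) for p in IMPORT_CONTENT),
        "can_create_jobs": all(grants(role, p) for p in CREATE_JOBS),
        "xccdf_subset_violations": xccdf_subset_violations(role),
    }


# The three sample roles from the page, as listed.
FULL_SCAP = ["BatchJob.*", "DepotFolder.*", "DepotGroup.*", "ExecutionTask.*", "JobFolder.*",
             "JobGroup.*", "SCAPComplianceJob.*", "ScapDataStream.*", "SCAPContentFile.*",
             "Server.Read", "Server.Audit", "ServerGroup.*", "XCCDFBenchmark.*"]
IMPORT_AND_VIEW = ["DepotFolder.*", "DepotGroup.*", "XccdfBenchMark.Read", "XccdfBenchmark.Create",
                   "ScapDataStream.Create", "ScapDataStream.Read",
                   "ScapContentFile.Create", "ScapContentFile.Read"]
JOB_CREATOR = ["DepotFolder.Read", "DepotGroup.Read", "XccdfBenchmark.*", "SCAPContentFile.*",
               "ScapDataStream.*", "Server.Read", "Server.Audit", "ServerGroup.*",
               "JobFolder.*", "ScapComplianceJob.*"]
# Constructed role that breaks the subset rule: full XccdfBenchmark access, read-only content.
INCONSISTENT = ["XccdfBenchmark.*", "ScapContentFile.Read", "ScapDataStream.Read"]

if __name__ == "__main__":
    for name, role in [("full", FULL_SCAP), ("import/view", IMPORT_AND_VIEW),
                       ("job creator", JOB_CREATOR), ("inconsistent", INCONSISTENT)]:
        print(f"{name:12} {audit(role)}")
```

Running the audit over the page's three sample roles reproduces what the text says about them (the import/view role cannot create jobs, the other two can), and the constructed INCONSISTENT role is reported with XccdfBenchmark.* as a violation, which is the case the table's note warns against.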