This version of the product has reached end of support. The documentation is available for your convenience.

Compatibility

SCAP 1.2 Compatibility

BMC Client Management conforms to the specifications of the Security Content Automation Protocol, version 1.2 (SCAP 1.2), as outlined in NIST Special Publication (SP) 800-126 rev 2. As part of the SCAP 1.2 protocol, BMC Client Management assessment capabilities were expanded to include the consumption of source data stream collection XML files and the generation of well-formed SCAP result data streams.

To exercise this capability, users can download the SCAP 1.2 content from the NIST NVD National Checklist Program repository, or any other source of SCAP 1.2 compliant content, and perform assessments in a similar manner as with BMC Client Management custom compliance.

The following summarizes the individual SCAP component standards supported by BMC Client Management, as required by the SCAP 1.2 specification. Each entry gives the component, the supported version, and a description:

AI, version 1.1

Asset Identification (AI) is a format for uniquely identifying assets based on known identifiers and/or other known information about them. Using the AI standard, BMC Client Management reports the information necessary to uniquely identify the target systems being assessed, based on known identifiers and/or known information about those systems.

ARF, version 1.1

The Asset Reporting Format (ARF) is a data model and transport format for expressing information about assets and the relationships between assets and reports. The BMC Client Management ARF report contains the component results (XCCDF and check results), information about the target asset (using the Asset Identification, or AI, data model described above), and the SCAP source data stream collection.

CCE, version 5

BMC Client Management supports the Common Configuration Enumeration (CCE), a nomenclature and dictionary of software security configurations. XCCDF rules may reference one or more CCE identifiers. These identifiers can be viewed in the properties pop-up for XCCDF rule details, which is available wherever XCCDF rules are listed, including the SCAP job results view that shows the execution status of each XCCDF rule. To display this information, double-click the rule or click Edit > Properties. The pop-up lists the CCE identifiers associated with the XCCDF rule and may display additional information such as description, dates and NIST SP 800-53 compliance mappings. To obtain this additional information, the corresponding CCE lists must be imported into the product (see section Import CVE and CCE lists for more information).

CCSS, version 1.0

BMC Client Management supports the Common Configuration Scoring System (CCSS). CCSS is a system for measuring the relative severity of system security configuration issues. Whereas CVSS scores software flaw vulnerabilities, CCSS addresses vulnerabilities that stem from software security configuration issues. Per NIST SP 800-126r2, CCSS data is not directly useful in the same way as CVSS data: it must be considered in the context of each organization's security policies and of the dependencies among vulnerabilities. BMC Client Management supports CCSS scores when those scores are used in the @weight attribute of XCCDF rules.

CPE, version 2.3

BMC Client Management supports the Common Platform Enumeration (CPE), an SCAP nomenclature and dictionary of hardware, operating systems, and applications. The BMC Client Management SCAP engine implements the required CPE standards (Naming, Name Matching, Dictionary and Applicability Language) but does not natively contain CPE dictionaries. Instead, it uses the CPE definitions included in SCAP source data streams, so the source data stream that BMC Client Management uses for SCAP compliance scans must include CPE content. In the SCAP result data stream produced by BMC Client Management, when a rule applies to a specific hardware platform, operating system, or application, that object is identified using CPE nomenclature. In the XML results file, the <TestResult> element identifies BMC Client Management as the benchmarking tool by setting the test-system attribute to cpe:/a:bmc:bca:12.0.0.

CVE, version n/a

BMC Client Management supports the SCAP Common Vulnerabilities and Exposures (CVE) enumeration, a nomenclature and dictionary of security-related software flaws and vulnerabilities. XCCDF rules may reference one or more CVE identifiers. These identifiers can be viewed in the properties pop-up for XCCDF rule details, which is available wherever XCCDF rules are listed, including the SCAP job results view that shows the execution status of each XCCDF rule. To display this information, double-click the rule or click Edit > Properties. The pop-up lists the CVE identifiers associated with the XCCDF rule and may display additional information such as description, dates and references with links to security advisories. To obtain this additional information, the corresponding CVE lists must be imported into the product (see section Import CVE and CCE lists for more information).

CVSS, version 2.0

BMC Client Management supports the Common Vulnerability Scoring System (CVSS), an SCAP specification that describes the characteristics and impacts of IT vulnerabilities and measures the relative severity of software flaw vulnerabilities. The SCAP source data stream that BMC Client Management uses for SCAP compliance scans can optionally include impact-metric values for rules. If a rule in the imported benchmark includes an impact-metric value, BMC Client Management includes that value in the SCAP result data stream (the exported results file).

OVAL, version 5.10.1

BMC Client Management supports the Open Vulnerability and Assessment Language (OVAL). OVAL is an SCAP XML language for representing system configuration information, assessing computer state, and reporting assessment results; it is used to identify vulnerabilities and configuration issues. A proprietary OVAL interpreter based on the open-source OVAL Definition Interpreter (ovaldi) processes the OVAL tests. The OVAL interpreter is bundled with the BMC Client Management agent, a BMC Software component installed on every computer managed by BMC Client Management. OVAL content is imported into the BMC Client Management console as part of the SCAP data stream. OVAL content alone, with optional OVAL variables, may also be supplied. Common uses of OVAL files are:

  • the checking language referenced from a separate XCCDF file,
  • the checking language referenced from a checklist component of an SCAP source data stream,
  • the checking language referenced from a CPE dictionary component of an SCAP source data stream.

The OVAL component contains the definitions, the tests, and the state a target system is expected to exhibit. When BMC Client Management encounters a reference to an OVAL definition, it parses the relevant OVAL components/files and uses the referenced definition identifiers to look up the tests to execute. Each OVAL definition may comprise one or many OVAL tests, whose results are logically combined to produce an overall definition result. The BMC Client Management evaluation engine is the controller that parses the required tests, collects the appropriate system characteristics, evaluates the collected information against the expected state, and records the success, failure, or error condition of each test. BMC Client Management supports components written in versions 5.3 to 5.10 of the OVAL language.
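The description above says that the results of the individual OVAL tests referenced by a definition are logically combined into one definition result. The following added example, which is not BMC code and not part of the original page, shows how that combination works: it parses a constructed OVAL definition whose criteria tree mixes AND and OR operators and a negated criterion, and folds a dictionary of per-test results (constructed here; in a real run they come from the interpreter's probes) into a definition result using the operator truth tables of the OVAL 5.10 results schema. The definition and test identifiers are placeholders; extend_definition elements are not handled.

```python
"""Combine OVAL test results into an OVAL definition result.

Added example, not BMC Client Management code. The operator tables follow
the OVAL 5.10 results schema: a result can be true, false, error, unknown,
not evaluated, or not applicable, and error/unknown/not evaluated propagate
unless a child result already decides the operator.
"""
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"d": OVAL_DEF_NS}

TRUE, FALSE, ERROR, UNKNOWN, NOT_EVAL, NA = (
    "true", "false", "error", "unknown", "not evaluated", "not applicable")

# Constructed definition (placeholder ids): compliant when the password-length
# test passes, at least one of two lockout tests passes, and the
# "guest account enabled" test is NOT true.
SAMPLE_DEFINITION = f"""<oval_definitions xmlns="{OVAL_DEF_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="minimum password length"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2" comment="lockout set via policy A"/>
          <criterion test_ref="oval:example:tst:3" comment="lockout set via policy B"/>
        </criteria>
        <criterion test_ref="oval:example:tst:4" negate="true" comment="guest account enabled"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""


def combine(operator, results):
    """Apply one OVAL operator truth table to a list of child results."""
    if results and all(r == NA for r in results):
        return NA  # every child was not applicable
    t = results.count(TRUE)
    f = results.count(FALSE)
    e = results.count(ERROR)
    u = results.count(UNKNOWN)
    n = results.count(NOT_EVAL)
    if operator == "AND":
        # one false decides; otherwise any uncertainty propagates
        if f: return FALSE
        if e: return ERROR
        if u: return UNKNOWN
        if n: return NOT_EVAL
        return TRUE
    if operator == "OR":
        # one true decides; otherwise any uncertainty propagates
        if t: return TRUE
        if e: return ERROR
        if u: return UNKNOWN
        if n: return NOT_EVAL
        return FALSE
    if operator == "ONE":
        # two trues already violate "exactly one"; an uncertain child could
        # still become a second true, so uncertainty propagates next
        if t >= 2: return FALSE
        if e: return ERROR
        if u: return UNKNOWN
        if n: return NOT_EVAL
        return TRUE if t == 1 else FALSE
    if operator == "XOR":
        if e: return ERROR
        if u: return UNKNOWN
        if n: return NOT_EVAL
        return TRUE if t % 2 == 1 else FALSE
    raise ValueError(f"unsupported OVAL operator {operator!r}")


def negate_result(result, negate):
    """negate="true" flips true/false only; other results are unchanged."""
    if not negate:
        return result
    return {TRUE: FALSE, FALSE: TRUE}.get(result, result)


def evaluate_node(node, test_results):
    """Recursively evaluate a <criteria> or <criterion> element."""
    tag = node.tag.rsplit("}", 1)[-1]
    negate = node.get("negate", "false") == "true"
    if tag == "criterion":
        # a test the interpreter never ran reports "not evaluated"
        result = test_results.get(node.get("test_ref"), NOT_EVAL)
    elif tag == "criteria":
        children = [evaluate_node(c, test_results) for c in node
                    if c.tag.rsplit("}", 1)[-1] in ("criterion", "criteria")]
        result = combine(node.get("operator", "AND"), children)
    else:
        raise ValueError(f"unsupported element <{tag}>")
    return negate_result(result, negate)


def evaluate_definition(xml_text, definition_id, test_results):
    """Look up a definition by id and return its combined result."""
    root = ET.fromstring(xml_text)
    for definition in root.iterfind("d:definitions/d:definition", NS):
        if definition.get("id") == definition_id:
            return evaluate_node(definition.find("d:criteria", NS), test_results)
    raise KeyError(definition_id)


if __name__ == "__main__":
    probes = {"oval:example:tst:1": TRUE, "oval:example:tst:2": ERROR,
              "oval:example:tst:3": TRUE, "oval:example:tst:4": FALSE}
    print(evaluate_definition(SAMPLE_DEFINITION, "oval:example:def:1", probes))
```

The OR branch masks the error on the second test because the third test already made the OR true; had both lockout tests been uncertain, the whole definition would have reported error rather than a pass, which is the behaviour a reviewer of SCAP results should expect to see rather than a silent fail or pass.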

TMSAD, version 1.0

BMC Client Management can import SCAP content that carries Trust Model for Security Automation Data (TMSAD) signatures but does not verify them. The generated XML report does not include TMSAD signatures.

XCCDF, version 1.2

BMC Client Management supports the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a language for authoring security checklists/benchmarks and for reporting the results of evaluating them. The source data stream that BMC Client Management uses for SCAP compliance scans must be well-formed XCCDF, and the result data stream that BMC Client Management produces is well-formed XCCDF. BMC Client Management can assess a target system against rules defined in XCCDF versions 1.1.4 and 1.2. XCCDF is used throughout BMC Client Management as the required XML schema for benchmarks, as well as the checklist definition schema within SCAP source data streams. This ensures that external compliance benchmarks/data streams, such as those provided by the NIST National Checklist Program, the Federal Desktop Core Configuration (FDCC), or the US Government Configuration Baseline (USGCB), can be used alongside custom or CIS benchmarks. The XCCDF format specifies the required tests for one or more profiles. When configuring an SCAP job, the user selects one of the profiles specified in the XCCDF, and BMC Client Management assesses the configuration rules included in that profile. With BMC Client Management, an evaluation check can be specified in two ways:

  • through a separate Open Vulnerability and Assessment Language (OVAL) file, or
  • through a reference to OVAL definitions contained in the same SCAP data stream.

The descriptions, CCE IDs and other related artifacts entered in the XCCDF are preserved and included in the XML and HTML results produced by a BMC Client Management assessment.
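Several entries above describe what ends up in the XCCDF result data stream: the <TestResult> element whose test-system attribute names the benchmarking tool as a CPE name, a rule-result per XCCDF rule, the CCE and CVE identifiers preserved from the rule definitions, and the @weight attribute that may carry a CCSS score. The following added example, which is not BMC code and not part of the original page, parses a constructed XCCDF 1.2 benchmark with an embedded TestResult and pulls those pieces out, then computes a weighted score in the spirit of the XCCDF default scoring model (flattened: it treats all rules as siblings and ignores group nesting, which is an assumption of this example). The benchmark, rule and result identifiers and the CCE/CVE values are placeholders, not real entries.

```python
"""Summarise an XCCDF 1.2 result data stream.

Added example, not BMC Client Management code. Shows how a consumer of the
result data stream recovers the benchmarking tool (test-system), per-rule
results, the CCE/CVE identifiers attached to each rule, and a weighted
score driven by the rules' @weight attributes.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
CCE_SYSTEM = "http://cce.mitre.org"
CVE_SYSTEM = "http://cve.mitre.org"

# Constructed sample (placeholder ids and identifiers, not real CCE/CVE entries).
SAMPLE_RESULT = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_sample">
  <title>Constructed sample benchmark</title>
  <version>1</version>
  <Rule id="xccdf_org.example_rule_pw-length" weight="10.0" selected="true">
    <title>Minimum password length</title>
    <ident system="{CCE_SYSTEM}">CCE-0000-0</ident>
  </Rule>
  <Rule id="xccdf_org.example_rule_patch" weight="7.0" selected="true">
    <title>Example patch installed</title>
    <ident system="{CVE_SYSTEM}">CVE-0000-0000</ident>
  </Rule>
  <Rule id="xccdf_org.example_rule_na" weight="1.0" selected="true">
    <title>Rule that does not apply to this target</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_sample"
              test-system="cpe:/a:bmc:bca:12.0.0"
              start-time="2000-01-01T00:00:00" end-time="2000-01-01T00:01:00">
    <target>constructed-host.example</target>
    <rule-result idref="xccdf_org.example_rule_pw-length" weight="10.0"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_patch" weight="7.0"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_na" weight="1.0"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

# Results that the XCCDF default scoring model leaves out of the average.
EXCLUDED_FROM_SCORE = {"notapplicable", "notchecked", "informational", "notselected"}


def parse_result(xml_text):
    """Return the test-system CPE, the target, and one record per rule-result."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element in the data stream")
    # index the Rule definitions so identifiers can be joined onto the results
    rules = {rule.get("id"): rule for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}
    summary = {
        "test_system": test_result.get("test-system"),
        "target": test_result.findtext("x:target", default="", namespaces=NS),
        "rules": [],
    }
    for rr in test_result.iterfind("x:rule-result", NS):
        idents = {}
        rule = rules.get(rr.get("idref"))
        if rule is not None:
            for ident in rule.iterfind("x:ident", NS):
                idents.setdefault(ident.get("system"), []).append((ident.text or "").strip())
        summary["rules"].append({
            "id": rr.get("idref"),
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
            "weight": float(rr.get("weight", "1.0")),  # @weight may carry a CCSS score
            "cce": idents.get(CCE_SYSTEM, []),
            "cve": idents.get(CVE_SYSTEM, []),
        })
    return summary


def default_score(summary):
    """Weighted pass percentage over scorable rules (flat default-model style)."""
    weight_sum = 0.0
    weighted_pass = 0.0
    for record in summary["rules"]:
        if record["result"] in EXCLUDED_FROM_SCORE or record["weight"] <= 0:
            continue
        weight_sum += record["weight"]
        weighted_pass += record["weight"] * (100.0 if record["result"] == "pass" else 0.0)
    return round(weighted_pass / weight_sum, 2) if weight_sum else 0.0


def failed_identifiers(summary):
    """CCE and CVE identifiers of every rule that reported fail."""
    found = []
    for record in summary["rules"]:
        if record["result"] == "fail":
            found.extend(record["cce"] + record["cve"])
    return found


if __name__ == "__main__":
    s = parse_result(SAMPLE_RESULT)
    print(s["test_system"], s["target"], default_score(s), failed_identifiers(s))
```

The notapplicable rule drops out of the average, so the score is the pass weight over the remaining weight (10 of 17); joining ident elements from the Rule definitions onto the rule-result records is what lets a results consumer report failed CCE or CVE identifiers without a second pass over the benchmark.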

SCAP 1.0 and 1.1 Compatibility

BMC Client Management natively supports the older SCAP 1.1 and 1.0 specifications. It detects the version of OVAL or XCCDF declared in the content and processes it with the OVAL probes selected for that version. The user does not need to do anything special; support is automatic.

SCAP 1.1 support includes:

  • The eXtensible Configuration Checklist Description Format (XCCDF), version 1.1.4
  • The Open Vulnerability and Assessment Language (OVAL), version 5.8
  • The Common Configuration Enumeration (CCE), version 5
  • The Common Platform Enumeration (CPE), version 2.2
  • The Common Vulnerabilities and Exposures (CVE)
  • The Common Vulnerability Scoring System (CVSS), version 2

SCAP 1.0 support includes:

  • The eXtensible Configuration Checklist Description Format (XCCDF), version 1.1.4
  • The Open Vulnerability and Assessment Language (OVAL), version 5.3 and 5.4
  • The Common Configuration Enumeration (CCE), version 5
  • The Common Platform Enumeration (CPE), version 2.2
  • The Common Vulnerabilities and Exposures (CVE)
  • The Common Vulnerability Scoring System (CVSS), version 2