Overview of SCAP compliance
About SCAP compliance in BCM
BMC Client Management is a certified USGCB and FDCC scanner.
- It can provide compliance assessment against all security checklists in USGCB and FDCC.
- Assessments can be done at a group or device level, with enough detail that the required remediation actions are clear.
- Reports can be generated to show the compliance or non-compliance of devices, as well as show the reason for non-compliance.
BMC Client Management enables the desktop administrator to review the output of specific SCAP jobs that were run automatically. It provides different views, from a high-level dashboard with results for all security checklists (SCAP packages) down to the results for an individual device, a whole package, or a specific check (rule). For a particular rule, the administrator can get a full description, including details, fix details, links available in the checklist, and so on. This enables the administrator to prove to an auditor that the rules are correctly applied by showing the history of compliance and remediation for a given device. It also provides the reason why a device is or is not compliant with a rule (that is, the value found at scan time, the scan date, the checklist version used, and so on).
SCAP compliance enables the BMC Client Management administrator to select the security checklists used to scan the environment. It enables the administrator to scan groups of computers with the correct checklists and to schedule these scans as required. BMC Client Management SCAP compliance enables the administrator to import new and updated security checklists when they become available, and to delete old checklists that are no longer used or for which compliance history is no longer needed. The integrated reporting feature enables you to create and configure reports with various levels of detail depending on the target audience, such as a desktop administrator or a manager.
The SCAP data enables the administrator to decide what changes are needed to make the computers compliant again, whether via BMC Client Management or another solution. It also enables the administrator to test that the applied fixes actually resolve the targeted compliance issues, for example by triggering a rescan of the target computer. SCAP compliance in BMC Client Management also enables the administrator to roll out the changes to all affected devices and measure the progress towards compliance, for example by rescanning the fixed hosts. If the fix can be applied using BMC Client Management, the administrator can create an automated remediation rule that dynamically applies to all affected devices.
The reporting feature integrated with SCAP compliance enables the administrator to expose the findings to management so that they can check the compliance status. Whenever a computer becomes non-compliant (which could be caused by a SCAP template update or by a change in the computer's settings), the administrator is notified proactively.
BMC Client Management SCAP compliance enables managers to review reports of the current situation for the different security checklists that must be applied as well as to review the compliance status history for a given checklist.
The BMC Client Management implementation includes the following components:
- Extensible Configuration Checklist Description Format (XCCDF)
XCCDF is an XML specification for structured collections of security configuration rules used by OS and application platforms. It specifies security checklists, benchmarks, and configuration documentation. This file defines the rules with which all devices in the network must comply and against which they are checked. This is the benchmark.
- Open Vulnerability and Assessment Language (OVAL)
OVAL is an XML specification for exchanging technical details on how to check systems for security-related software flaws. It is used to encode and transmit security information and system details. This is the actual execution of the compliance tests.
- Asset Reporting Format (ARF)
ARF is an open specification that provides a structured language for exchanging per-device assessment results data between assessment tools, asset databases, and other products that manage asset information.
- Asset Identification
One of the primary requirements for performing asset management is the ability to identify assets based on some set of data known about them. Asset identification, the use of attributes and methods to uniquely identify an asset, allows for correlation of data across multiple sources, reporting of asset information across different organizations and databases, targeted actions against specific assets, and usage of asset data in other business processes.
- Common Platform Enumeration (CPE)
CPE is a naming convention for the hardware, OS, and application products present among an enterprise's assets. Each product is given a CPE identifier, and matching these identifiers lets IT management tools make fully or partially automated decisions about the assets. In SCAP content, CPE defines applicability, that is, which rule applies to which OS or application, and so on.
- Common Configuration Enumeration (CCE)
These lists provide unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.
- Common Vulnerabilities and Exposures (CVE®)
This is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other.
- Common Vulnerability Scoring System (CVSS)
CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
- Common Configuration Scoring System (CCSS)
This is a system for measuring the relative severity of system security configuration issues. BMC Client Management supports CCSS scores when that score is used in the @weight attribute within XCCDF rules.
- Trust Model for Security Automation Data (TMSAD)
This is a specification for using digital signatures in a common trust model applied to other security automation specifications. BMC Client Management can import SCAP content with Trust Model for Security Automation Data (TMSAD) signatures but does not verify them. The generated XML report does not include TMSAD signatures.
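The XCCDF, CCE, and CCSS entries above describe how checklist results are reported and how the @weight attribute carries a per-rule severity. The following added example (not BMC code, nor part of the XCCDF specification itself) parses a constructed XCCDF 1.2 TestResult, computes the score under the XCCDF flat and default scoring models using the rule weights, and lists the failed rules with their CCE identifiers so an administrator can prioritise remediation. The namespace URI, the sample document, and the CCE placeholder values are assumptions made for the example.

```python
"""Added example (not BMC code): scoring an XCCDF TestResult using rule @weight.

Assumptions (not from the page): XCCDF 1.2 namespace URI, a constructed
TestResult document, and the XCCDF flat/default scoring models.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident/@system value for CCE ids
NS = {"x": XCCDF_NS}

# Constructed sample: one TestResult with four rule-result elements. The weight
# values stand in for CCSS-derived scores; the CCE identifiers are placeholders.
SAMPLE_TESTRESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_1">
  <target>WS-EXAMPLE-01</target>
  <rule-result idref="xccdf_example_rule_pw_min_len" weight="10.0">
    <result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-1</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_fw_enabled" weight="7.5">
    <result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-2</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_guest_disabled" weight="2.5">
    <result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-3</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_disk_encryption" weight="5.0">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Result values that XCCDF excludes from scoring in both models.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}
# Result values that count as a passing rule.
PASSING = {"pass", "fixed"}


def parse_rule_results(xml_text):
    """Return a list of (idref, weight, result, [cce ids]) tuples from a TestResult."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.findall("x:rule-result", NS):
        weight = float(rr.get("weight", "1.0"))   # XCCDF default weight is 1.0
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        cces = [i.text.strip() for i in rr.findall("x:ident", NS)
                if i.get("system") == CCE_SYSTEM and i.text]
        out.append((rr.get("idref"), weight, result, cces))
    return out


def flat_score(rule_results):
    """XCCDF flat model: (sum of weights of passed rules, sum of weights of scored rules)."""
    scored = [(w, r) for _, w, r, _ in rule_results if r not in UNSCORED]
    max_score = sum(w for w, _ in scored)
    score = sum(w for w, r in scored if r in PASSING)
    return score, max_score


def default_score(rule_results):
    """XCCDF default model on a flat rule list: weighted average of 100 (pass) / 0 (other)."""
    score, max_score = flat_score(rule_results)
    return 100.0 * score / max_score if max_score else 0.0


def failing_rules(rule_results):
    """Return (idref, weight, cce ids) for failed rules, heaviest weight first."""
    failed = [(i, w, c) for i, w, r, c in rule_results if r == "fail"]
    return sorted(failed, key=lambda t: -t[1])


if __name__ == "__main__":
    rrs = parse_rule_results(SAMPLE_TESTRESULT)
    print("flat score:", flat_score(rrs))
    print("default score: %.1f" % default_score(rrs))
    for idref, weight, cces in failing_rules(rrs):
        print(f"FAIL {idref} weight={weight} cce={','.join(cces) or '-'}")
```

The notapplicable rule is dropped from the denominator, which is why the sample scores 10 of 20 (50.0) rather than 10 of 25; ranking failures by weight is the same ordering an administrator would use when deciding which remediation rule to build first.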
Common use cases of SCAP
- Security configuration verification
- Comparing settings in a checklist to a system's actual configuration
- Verifying configuration before deployment, auditing/assessing/monitoring operational systems.
- Mapping individual settings to high-level requirements
- Verifying patch installation and identifying missing patches
- Checking systems for signs of compromise
- Known characteristics of attacks
SCAP compliance and custom compliance are both part of the compliance license.
To remediate some of the compliance faults that are discovered, you will most likely also need the patch license.
Compliance capabilities and access rights
To be able to work with SCAP compliance and its remediation, an administrator needs specific capabilities and access rights for the different objects involved with compliance.
- The capability Compliance Management - View is required to access the compliance feature.
- The capability Compliance Management - Manage is required to import or remove checklists, to create or delete SCAP jobs, and to add checklists to or remove them from SCAP jobs.
- The capability Compliance Management - Assign is required to assign devices, device groups, or reports to a SCAP job, or to unassign them.
- The capability Compliance Management - Schedule is required to schedule the actual execution of a SCAP job.
If you also have the patch license for remediating vulnerabilities, you need the patch capabilities as well. These are detailed in the patch manual.