SCAP Implementation Statement

The SCAP features in BMC Client Management comply with the Technical Specification for the Security Content Automation Protocol (SCAP): Version 1.3.

Using features in the BMC Client Management console, you import SCAP content from third-party sources, such as the NIST NVD National Checklist Program repository.

The imported content, known collectively as a SCAP Benchmark, is an organized collection of the following SCAP components: security checklists in Extensible Configuration Checklist Description Format (XCCDF), configuration assessments in Open Vulnerability and Assessment Language (OVAL) and platform-specific content in a Common Platform Enumeration dictionary (cpe-dictionary) file. Starting from SCAP 1.2, the DS or data stream collection format is an additional XML file format used for expressing the SCAP Benchmark. Key goals are to group all the other files together and to provide catalog capabilities so each component can reference the others.

Verification of the XML structure and validation against the SCAP schemas occurs during the import. The package validation also enforces XML structure verification and validation against schemas. Besides, the validation operation verifies the package against SCAP Schematrons and process to the digital signature verification in case of signed content. You can import multiple SCAP Benchmarks, named SCAP packages, in the BMC Client Management console.

After importing the SCAP contents, you create, run, and manage SCAP Compliance Jobs. Each job selects a data stream in the collection, an XCCDF checklist in the data stream and, optionally, an XCCDF profile in the checklist and targets (devices or device groups or both). Both data stream and data stream collection are new concepts in SCAP 1.2. BMC Client Management creates a data stream and a data stream collection when processing SCAP 1.0/1.1. Therefore, users can still manage these entities whatever the underlying SCAP content version. SCAP compliance jobs are fully integrated into the BMC Client Management product and include all standard job features of the product, such as dynamic groups to automatically collect target devices based on rules; GUI-based job editing; automatically recurring job scheduling; automated email notifications and events to report job results; and role-based access control (RBAC) on all activities.

OVAL checks are processed on the targets. Their results are used by BMC Client Management in forming the final ARF and XCCDF results (ARF for SCAP 1.2 and 1.3 only, XCCDF for all versions). The BMC Client Management console shows the result state for each rule. Results are organized in several views:

  • a dashboard providing an overview of the rule results
  • one view shows results by target
  • another view shows results for each rule across all targets
  • a report showing the results in a browser in HTML format

Rule results can be one of nine values, including Pass, Fail, Error, and Unknown.

Results are generated as XML files that are compliant with both the SCAP (for ARF) and XCCDF specifications. An HTML report is automatically generated by applying an XSLT file to the XCCDF report. All of these files can be either downloaded (XML) or visualized using a Web browser (HTML).

The following topics are provided:

Was this page helpful? Yes No Submitting... Thank you