File organization


The SCAP engine is a SCAP content consumer. Therefore, it processes SCAP 1.0, 1.1, 1.2 or 1.3 content and produces results files accordingly. During the scans, the engine generates different outputs such as log files, temporary files, and so on.

Each SCAP content is processed through a SCAP job. Each job has its own identifier, which also names the folder dedicated to that job. The jobs folder is located in <agent_installation_dir>/data/ScapInventory/jobs. This folder, which is initially empty, is populated with a subfolder each time a new job is assigned to the device. Folders are recursively removed if the underlying SCAP jobs are unassigned.

The job subfolder is created when a new SCAP job is assigned to the device, and more precisely when the content to execute is delivered. The subfolder originally includes the scap.bin file, which is a ciphered version of the SCAP package to process. In other words, the SCAP content is delivered through a secured channel since the scap.bin file cannot be used except by the BMC SCAP engine. This secured content is created during the package import and cannot be altered during distribution. This is a guarantee offered to customers to control the SCAP data, from the package import (and optionally validation) to the package execution.

When the SCAP job schedule triggers execution, the attached content is deciphered and extracted as the package.zip file. This ZIP archive includes the real SCAP content. Note that the content can be either a single XML file (when processing SCAP 1.2 or 1.3 content) or may include several XML files. Thereafter, package.zip is inflated and its content is extracted into the package subfolder. All of these operations are performed each time a scan must be executed. As a consequence, updating the package folder content between two runs is useless, since the next execution regenerates its content from the ciphered file.

The SCAP scan is executed, using the package folder content as input. It then generates different files:

mtxscap.log file

This log file includes details about the SCAP scan execution such as CPE evaluation, XCCDF profile operation and so forth. Note that this log file is available from the console UI.

xccdf-results.xml file

This XML file includes the XCCDF results. It is generated for any content unless errors occur. Note that only the XCCDF TestResult is provided, and a reference to the source XCCDF benchmark is registered.

xccdf-summary.json file

This JSON file includes a subset of the XCCDF results. It has a proprietary format and is mainly used for updating the results in the console UI.

arf-results. file

This XML file includes the ARF results. It is generated for SCAP 1.2 and 1.3 content only.

ScapInventory.xml file

This XML file includes a subset of the XCCDF results. It has a proprietary format and is mainly used for updating the results in the console UI.

temp folder

The temp folder is dedicated to the various OVAL evaluations. The SCAP and OVAL engines are wrapped by the mtxscap.exe binary (mtxscap for Linux and macOS). As a consequence, the mtxscap.exe binary is executed several times at different stages of the scan, both in SCAP and OVAL modes. These temporary folders are organized using two levels. The first level defines a temporary folder for each OVAL definitions content, while the second level defines a temporary folder for each mtxscap.exe execution in OVAL mode applied to that OVAL definitions content. Note that OVAL definitions content can be either a file (SCAP 1.0 and 1.1) or a component (SCAP 1.2 and 1.3). The first-level temporary folder includes two static files which identify the OVAL definitions content:

scap_file.txt file

This plain text file includes the path to the OVAL definitions file. This can be a dedicated OVAL file (for SCAP 1.0 and 1.1 content) or the data stream collection file (for SCAP 1.2 and 1.3 content).

scap_component.txt file

This plain text file includes the component identifier used for retrieving the OVAL definitions content in the SCAP 1.2 or 1.3 data stream collection. This information is not used for SCAP 1.0 and 1.1 content, in which case the file remains empty.

When mtxscap.exe is executed in OVAL mode, a dedicated temporary folder is created and assigned to the execution. These temporary folders are created inside the folder dedicated to the underlying OVAL content. For instance, if OVAL content references folder 01c276fecc79418a46978e86549539bb, then the first mtxscap.exe execution will be assigned to 01c276fecc79418a46978e86549539bb\1, the second execution to 01c276fecc79418a46978e86549539bb\2 and so forth. These OVAL dedicated temporary subfolders may include different files:

mtxscap.log file

This file will include the detailed logs generated by mtxscap.exe in OVAL mode.

oval_directives.xml file

This XML file includes the OVAL directives to be used during execution. These directives can be configured using the predefined values (full with system characteristics, full without system characteristics or thin) applied to the ScapInventory module.

system-characteristics.xml file

This XML file includes the gathered system characteristics. Because we create a temporary folder each time mtxscap.exe is run in OVAL mode, the system characteristics files cannot be reused. Instead, the content is written once during the binary execution.

oval_definitions.xml file

This XML file includes the list of OVAL definitions to evaluate. Note that this file is optional; when it is absent, all of the OVAL definitions are processed.

oval_variables.xml file

This XML file includes the OVAL external variables. Note that this file is optional if no OVAL external variable is required for the mtxscap.exe execution in OVAL mode.

oval_results.xml file

This XML file includes the final OVAL results which are then consumed by the SCAP engine. This result file content depends on the oval_directives.xml, oval_definitions.xml and oval_variables.xml files.
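
The two-level layout described above can be inventoried per job, for example to find OVAL-mode executions that left no oval_results.xml behind. The following Python script is an added example, not BMC code. It assumes that the result files sit directly in the job subfolder and that the temporary folders live under a subfolder named temp; the job identifier job-0001 and the sample file contents are constructed.

```python
import tempfile
from pathlib import Path

# File names come from the page; their placement directly in the job folder is an assumption.
JOB_FILES = ["scap.bin", "mtxscap.log", "xccdf-results.xml", "xccdf-summary.json", "ScapInventory.xml"]
RUN_FILES = ["mtxscap.log", "oval_directives.xml", "system-characteristics.xml",
             "oval_definitions.xml", "oval_variables.xml", "oval_results.xml"]

def read_text(path):
    return path.read_text().strip() if path.is_file() else ""

def subdirs(path):
    return [p for p in path.iterdir() if p.is_dir()] if path.is_dir() else []

def inventory_job(job_dir):
    job_dir = Path(job_dir)
    report = {"job": job_dir.name, "files": {n: (job_dir / n).is_file() for n in JOB_FILES}, "oval_contents": []}
    for content in sorted(subdirs(job_dir / "temp")):  # first level: one folder per OVAL content
        # Second level: one numbered folder per OVAL-mode execution, sorted numerically (2 before 10).
        runs = sorted((p for p in subdirs(content) if p.name.isdigit()), key=lambda p: int(p.name))
        report["oval_contents"].append({
            "folder": content.name,
            "source": read_text(content / "scap_file.txt"),
            "component": read_text(content / "scap_component.txt") or None,  # empty for SCAP 1.0/1.1
            "runs": [{"run": int(r.name),
                      "present": [n for n in RUN_FILES if (r / n).is_file()]} for r in runs]})
    return report

def runs_without_results(report):
    """Executions that left no oval_results.xml for the SCAP engine to consume."""
    return [(c["folder"], r["run"]) for c in report["oval_contents"]
            for r in c["runs"] if "oval_results.xml" not in r["present"]]

def build_sample_job(root):
    """Constructed sample tree; 'job-0001' and the file contents are placeholders."""
    job = Path(root) / "job-0001"
    content = job / "temp" / "01c276fecc79418a46978e86549539bb"
    for run, names in {"1": RUN_FILES, "2": RUN_FILES[:3], "10": RUN_FILES}.items():
        (content / run).mkdir(parents=True)
        for n in names:
            (content / run / n).write_text("")
    (content / "scap_file.txt").write_text("package/sample-datastream.xml\n")
    (content / "scap_component.txt").write_text("sample-oval-component\n")
    for n in ("scap.bin", "mtxscap.log", "xccdf-results.xml"):
        (job / n).write_text("")
    return job

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(runs_without_results(inventory_job(build_sample_job(d))))
```

The ARF results file is left out of JOB_FILES because its full name is not given on this page.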

 


BMC Client Management 24.1