Validating a newly imported SCAP package
SCAP packages can be downloaded from various sources. In order to ensure they match the expected requirements, they can be validated. This process includes three different parts:
- All the XML files that belong to the package are parsed in sequence, with schema verification enabled. Any problem with the structure or organization of the XML files, as defined by the associated schemas, is therefore detected. If a parsing error occurs, a popup message is displayed informing you that the package parse has failed. Check the master log, which provides details about the parsing or verification error.
- The package content is validated using the SCAP Content Validation Tool. This performs additional verifications using the SCAP Schematron rules associated with the content to verify. In case of an error, a popup message is displayed informing you that the package validation failed. The report generated by the SCAP Content Validation Tool can be displayed using the See Details link. Note that this type of report visualization might not provide the best user experience, as the web browser may block content download for security reasons enforced by the BMC Client Management Web server (Content Security Policy). The validation reports are stored in the package folder <master_installation_folder>/data/Vision64Database/scap/packages/<package_id>/ValidationFiles/<verified_content_index>/scapvalResults.html and can be viewed from this location.
- The package digital signature is validated if required. This verification is performed only for signed content, using the Apache Santuario open source library. In case of an error, a popup message is displayed informing you that the package digital signature verification has failed. The error message popup contains the See Details link to download an XML report providing more details about the verified file and the certificate used to verify the digital signature. The verification reports are stored in the package folder <master_installation_folder>/data/Vision64Database/scap/packages/<package_id>/ValidationFiles/<verified_content_index>/scapsigResults.xml and can be viewed from this location.
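The report locations given above can also be checked directly on the master's file system. The following is an added example, not part of the BMC documentation or product: a Python helper that lists, for one package, which reports exist under each <verified_content_index> folder. It assumes each index is a subfolder of ValidationFiles, as the quoted paths indicate; the function names are hypothetical.

```python
import sys
from pathlib import Path

# Report file names and folder layout come from the paths quoted above.
REPORTS = {
    "content_validation": "scapvalResults.html",
    "signature_verification": "scapsigResults.xml",
}


def find_validation_reports(master_dir, package_id):
    """Return {verified_content_index: {report_kind: Path or None}}."""
    base = (Path(master_dir) / "data" / "Vision64Database" / "scap"
            / "packages" / str(package_id) / "ValidationFiles")
    if not base.is_dir():
        # Package was never validated, or the installation folder is wrong.
        return {}
    found = {}
    for index_dir in sorted(p for p in base.iterdir() if p.is_dir()):
        entry = {}
        for kind, name in REPORTS.items():
            report = index_dir / name
            # A zero-byte file is treated as a missing report.
            usable = report.is_file() and report.stat().st_size > 0
            entry[kind] = report if usable else None
        found[index_dir.name] = entry
    return found


def summarize(reports):
    """Turn the mapping into one readable line per expected report."""
    lines = []
    for index, entry in reports.items():
        for kind, path in entry.items():
            lines.append(f"[{index}] {kind}: {path if path else 'no report'}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: find_reports.py <master_installation_folder> <package_id>")
    result = find_validation_reports(sys.argv[1], sys.argv[2])
    print("\n".join(summarize(result)) or "no ValidationFiles folder found")
```

A missing scapsigResults.xml is expected for unsigned content, since the signature check runs only for signed packages.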
All SCAP content can be validated, except SCAP 1.0 packages. SCAP 1.0 packages are parsed as described in the first part above, but no additional verification is performed. In this case, a popup message is displayed saying the package version is not supported.
Note that the SCAP Content Validation Tool requires a use case to validate SCAP 1.1 packages. Therefore, the administrator is asked to select the desired use case when trying to validate SCAP 1.1 content. The following use cases are available:
- CONFIGURATION
- VULNERABILITY_XCCDF_OVAL
- SYSTEM_INVENTORY
- OVAL_ONLY
To verify an imported SCAP package, proceed as follows:
- Select the package to verify in the table in the right window pane.
- Click Edit > Validate SCAP Package.
If the verification is successful, the Validation Succeeded window appears, indicating that the package was successfully validated.