SCAP content components

The following topics describe how the Security Content Automation Protocol (SCAP) content components are used in TrueSight Server Automation:

The XCCDF component

TrueSight Server Automation supports the Extensible Configuration Checklist Description Format (XCCDF).

XCCDF is an SCAP XML language for expressing security checklists. The source data stream that TrueSight Server Automation uses for SCAP compliance scans must be well-formed XCCDF. The result data stream that TrueSight Server Automation produces is well-formed XCCDF.

To prepare for SCAP scanning, an administrator assembles an SCAP source data stream, including XCCDF content, into a folder on a server that is accessible to TrueSight Server Automation. Well-formed XCCDF content from any source is acceptable. Using the TrueSight Server Automation console, the administrator navigates to the XCCDF file and imports all SCAP content for a benchmark in a single import action. The import process validates all content against appropriate schemas and schematrons. It captures validation errors in a log file which is accessible from the TrueSight Server Automation Console.

The imported data stream appears as an SCAP benchmark object in the TrueSight Server Automation console. Multiple SCAP benchmarks are permitted to accommodate usage of multiple XCCDF content sources and versions.

An SCAP Compliance Job produces an XCCDF results file compliant with the XCCDF specifications.

The OVAL component

TrueSight Server Automation supports the Open Vulnerability and Assessment Language (OVAL). OVAL is an SCAP XML language for representing system configuration information, assessing machine state, and reporting assessment results. The following OVAL versions are supported: 5.10.1, 5.11.1, and 5.11.2

A proprietary OVAL interpreter based on the open-source OVAL Definition Interpreter (ovaldi) processes the OVAL tests. The OVAL interpreter is bundled with the RSCD agent, a BMC component installed on every server managed by TrueSight Server Automation.

OVAL content is imported into the TrueSight Server Automation Console as part of the SCAP data stream. The import process validates the OVAL content against its schema and captures validation errors in a log file which is accessible from the TrueSight Server Automation Console.

To initiate an SCAP scan, administrators create an SCAP Compliance Job. On each target server selected in the job, an OVAL interpreter performs the vulnerability processing and creates an OVAL results file that is compliant with the OVAL results schema.

The process then synthesizes the results file into a small-sized file and sends it to the Application Server. The Application Server creates the XCCDF results file from the collected results. By default, the process deletes the OVAL result files from each target server; however, administrators can configure the SCAP Compliance Jobs to retain those files.

Users can view the XCCDF results in the TrueSight Server Automation Console. They can also export results from the Console to an XML file. The export includes a .xslt file which enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including OVAL IDs associated with the rule. Each listed OVAL ID is an active link to the specific web page about that test on http://oval.mitre.org.

For a list of probes supported by ovaldi, see the Probes supported by OVAL Definition Interpreter (ovaldi).

Probes supported by OVAL Definition Interpreter (ovaldi)

The following probes are supported by different Ovaldi versions:

  • Probes supported by ovaldi version 5.11.2

    Independent probes

    • FamilyProbe
    • FileHash58Probe
    • LDAPProbe
    • TextFileContent54Probe
    • VariableProbe
    • XmlFileContentProbe

    Linux probes

    • Apparmorstatus
    • IfListenersProbe
    • InetListeningServersProbe
    • PartitionProbe
    • RPMInfoProbe
    • RPMVerifyFileProbe
    • SeLinuxBooleanProbe
    • SeLinuxSecurityContextProbe
    • SysctlProbe
    • SystemUnitDependencyProbe
    • SystemUnitPropertyProbe

    Solaris probes

    • IsainfoProbe
    • Patch54Probe

    HP-UX probes

    • Getconf
    • Ndd
    • Patch53
    • Process58
    • Swlist
    • Trusted

    UNIX probes

    • FileProbe
    • InetdProbe
    • InterfaceProbe
    • PasswordProbe
    • Process58Probe
    • RunLevelProbe
    • ShadowProbe
    • SymlinkProbe
    • UnameProbe
    • XinetdProbe

    AIX probes

    • interim_fix_test
    • fileset_test
    • fix_test
    • no_test
    • oslevel_test

    Windows probes

    • JunctionProbe
    • ActiveDirectoryProbe
    • AuditEventPolicyProbe
    • AuditEventPolicySubcategoriesProbe
    • DNSCacheProbe
    • FileAuditedPermissions53Probe
    • FileEffectiveRights53Probe
    • FileProbe
    • GroupSidProbe
    • InterfaceProbe
    • LockoutPolicyProbe
    • MetabaseProbe
    • PasswordPolicyProbe
    • PortProbe
    • PrinterEffectiveRightsProbe
    • Process58Probe
    • RegistryProbe
    • RegKeyAuditedPermissions53Probe
    • RegKeyEffectiveRights53Probe
    • ServiceEffectiveRightsProbe
    • SharedResourceProbe
    • SidProbe
    • SidSidProbe
    • UserSid55Probe
    • VolumeProbe
    • WMI57Probe
    • WUAUpdateSearcherProbe
  • Probes supported by ovaldi version 5.10.1 and 5.11.1

    Independent probes

    • EnvironmentVariableProbe
    • FamilyProbe
    • FileHash58Probe
    • FileHashProbe
    • FileMd5Probe
    • LDAPProbe
    • TextFileContent54Probe
    • TextFileContentProbe
    • VariableProbe
    • XmlFileContentProbe

    Linux probes

    • IfListenersProbe
    • InetListeningServersProbe
    • PartitionProbe
    • RPMInfoProbe
    • RPMVerifyFileProbe
    • SysctlProbe 

    Solaris probes

    • IsainfoProbe
    • Patch54Probe

    HP-UX probes

    • Getconf
    • Ndd
    • Patch53
    • Process58
    • Swlist
    • Trusted

    UNIX probes

    • FileProbe
    • InetdProbe
    • InterfaceProbe
    • PasswordProbe
    • Process58Probe
    • ProcessProbe
    • RunLevelProbe
    • ShadowProbe
    • UnameProbe
    • XinetdProbe

    AIX probes

    • interim_fix_test
    • fileset_test
    • fix_test
    • no_test
    • oslevel_test

    Windows probes

    • AbsEffectiveRightsProbe
    • AccessTokenProbe
    • ActiveDirectoryProbe
    • AuditEventPolicyProbe
    • AuditEventPolicySubcategoriesProbe
    • DNSCacheProbe
    • FileAuditedPermissions53Probe
    • FileAuditedPermissionsProbe
    • FileEffectiveRights53Probe
    • FileEffectiveRightsProbe
    • FileProbe
    • GroupProbe
    • GroupSidProbe
    • InterfaceProbe
    • LockoutPolicyProbe
    • MetabaseProbe
    • PasswordPolicyProbe
    • PortProbe
    • PrinterEffectiveRightsProbe
    • Process58Probe
    • ProcessProbe
    • RegistryProbe
    • RegKeyAuditedPermissions53Probe
    • RegKeyAuditedPermissionsProbe
    • RegKeyEffectiveRights53Probe
    • RegKeyEffectiveRightsProbe
    • ServiceEffectiveRightsProbe
    • SharedResourceProbe
    • SidProbe
    • SidSidProbe
    • UserProbe
    • UserSid55Probe
    • UserSidProbe
    • VolumeProbe
    • WMI57Probe
    • WMIProbe
    • WUAUpdateSearcherProbe

The CPE component

TrueSight Server Automation supports the Common Platform Enumeration (CPE).

CPE is an SCAP nomenclature and dictionary of hardware, operating systems, and applications. The SCAP source data stream that TrueSight Server Automation uses for SCAP compliance scans must include CPE content. In the SCAP result data stream produced by TrueSight Server Automation, when a rule applies to a specific hardware, operating system, or application, those objects are identified using CPE nomenclature.

To view those results, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a rule to display details about that rule, including CPE nomenclature attached to the rule. The report shows the entire cpe string; for example: cpe:/a:microsoft:msn_messenger_service:6.2.

In the XML results file, to identify TrueSight Server Automation as the benchmarking tool, the <TestResult> element sets the test-system attribute to cpe:/bmc:bsa:server:automation.

Note

The CPE element cpe:fact-ref in SCAP 1.2 is not supported by the SCAP Compliance Job and is ignored.

The CCE component

TrueSight Server Automation supports the SCAP Common Configuration Enumeration (CCE).

CCE is an SCAP nomenclature and dictionary of software security configurations. The SCAP source data stream that TrueSight Server Automation uses for SCAP compliance scans should include CCE content. The XCCDF result data stream includes CCE IDs.

TrueSight Server Automation provides drill-down features for researching rule noncompliance on each target server. To implement those features, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can expand the results for a specific target server, find failed rules, and click a rule to see details about it, including a list of CCE IDs associated with the rule. Using the CCE IDs, the user can research commonly accepted configurations that pass the rule. The CCE IDs in the report are links to http://cce.mitre.org, where users can obtain the most recent CCE lists.

The CVE component

TrueSight Server Automation supports the SCAP Common Vulnerabilities and Exposures (CVE) enumeration.

CVE is an SCAP nomenclature and dictionary of security-related software flaws and vulnerabilities. The SCAP source data stream that TrueSight Server Automation uses for SCAP compliance scans should include CVE IDs. The SCAP result data stream includes CVE IDs.

TrueSight Server Automation provides drill-down features for researching vulnerabilities associated with each rule, on each target server. To implement those features, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including a list of CVE IDs associated with the rule. Each listed CVE ID is an active link to the specific web page about that CVE ID on http://cve.mitre.org. The web pages display the CVE description and links to technical references.

The CVSS component

TrueSight Server Automation displays the Common Vulnerability Scoring System (CVSS) impact-metric value associated with a rule in the exported results file.

CVSS is an SCAP specification that describes the characteristics and impacts of IT vulnerabilities. The SCAP source data stream that TrueSight Server Automation uses for SCAP compliance scans can optionally include impact-metric values for rules. If a rule in the imported benchmark includes an impact-metric value, that value is included in the SCAP result data stream.

To view the impact-metric value associated with a rule, users perform the export function from the GUI console, exporting the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including the CVSS impact-metric value assigned to the rule by the Benchmark author. If a rule does not have an impact-metric value assigned to it, then the CVSS field in the report is blank.

The tailoring file

TrueSight Server Automation supports the import of SCAP 1.3 and 1.2 content that contains tailoring files.

A tailoring file helps you customize profiles in an XCCDF file. The tailoring file contains tailored profiles that can be applied to an SCAP Benchmark. You can import a tailoring file, so that its tailored profiles are available for association with any SCAP Compliance Job that you want to execute.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*