SCAP features
TrueSight Server Automation supports compliance analysis for Security Content Automation Protocol (SCAP) versions 1.0, 1.2, and 1.3 as defined in the Technical Specification for the Security Content Automation Protocol (NIST Special Publication 800-126 for SCAP version 1.0, NIST Special Publication 800-126 Revision 2 for SCAP version 1.2, and NIST Special Publication 800-126 Revision 3 for SCAP version 1.3).
Using features in the TrueSight Server Automation console, you import SCAP content from third-party sources. SCAP content is imported in one of the following formats:
- SCAP 1.3: An SCAP source data stream collection, which is composed of SCAP data streams and SCAP source components. The data streams contain SCAP benchmarks.
- SCAP 1.2: An SCAP source data stream collection, which is composed of SCAP data streams and SCAP source components. The data streams contain SCAP benchmarks.
- SCAP 1.0: An SCAP benchmark.
An SCAP benchmark is an organized collection of the following SCAP components: security checklists in Extensible Configuration Checklist Description Format (XCCDF), configuration assessments in Open Vulnerability and Assessment Language (OVAL), platform-specific content in a Common Platform Enumeration dictionary (cpe-dictionary) file, and, optionally, a patches file.
A benchmark can optionally define profiles, which are variations of rules for different classes of servers. For example, an SCAP benchmark might include three profiles: one for production servers, one for development servers, and one for testing servers. Password integrity rules in the benchmark might have different tests for each of the profiles. The production profile might require passwords that are 8 characters in length and change every 3 months, whereas the testing profile might allow 4-character passwords and not test for the frequency of changes.
Validation against the SCAP schemas occurs during the import. An imported benchmark is a well-formed data stream expressed in XCCDF. You can import multiple SCAP benchmarks.
After importing the SCAP content, you create, run, and manage SCAP Compliance Jobs. Each job selects an SCAP benchmark, profiles within the benchmark, and target servers. SCAP Compliance Jobs are fully integrated into the TrueSight Server Automation product and include all standard Job features of the product, such as server smart groups to automatically collect target servers based on rules; GUI-based Job editing; automatically recurring job scheduling; automated email notifications and SNMP traps to report job results; and role-based access control (RBAC) on all activities.
OVAL checks are processed on the target servers. Their results are used by TrueSight Server Automation in forming the final XCCDF results. The TrueSight Server Automation console shows the result state for each rule. Results are organized in two views: one view shows results by target server and another view shows results for each rule across all servers. Rule results can be one of nine values, including Pass, Fail, Error, and Unknown.
You can export the results to an XML file compliant with the XCCDF specification. The exported file is accompanied by an XSLT file, which lets you view the contents in a human-readable format in a web browser.
The exported results include active links to full descriptions for all referenced Common Platform Enumeration (CPE) IDs, Common Configuration Enumeration (CCE) IDs and Common Vulnerabilities and Exposures (CVE) IDs. Results also include severity indications using the Common Vulnerability Scoring System (CVSS) specification, if applicable to the benchmark.
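Because the exported results follow the XCCDF specification, they can also be processed outside the console. The following added example (not TrueSight Server Automation code) tallies rule results per target and lists the rules that need review. It assumes the export contains standard XCCDF `TestResult`, `target`, `rule-result`, `result`, and `ident` elements; the sample XML, rule IDs, and CCE value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The nine rule-result values defined by the XCCDF specification.
XCCDF_RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
                 "notchecked", "notselected", "informational", "fixed"}
NEEDS_REVIEW = {"fail", "error", "unknown"}  # assumption: states an operator triages

# Constructed sample input, not real product output; IDs are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_demo_benchmark_b">
 <TestResult id="xccdf_demo_testresult_1">
  <target>prod-web-01.example.test</target>
  <rule-result idref="xccdf_demo_rule_pw_min_length" severity="high">
   <result>fail</result><ident system="http://cce.mitre.org">CCE-00000-0</ident>
  </rule-result>
  <rule-result idref="xccdf_demo_rule_pw_max_age" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_demo_rule_audit_enabled" severity="medium"><result>unknown</result></rule-result>
  <rule-result idref="xccdf_demo_rule_legacy_svc" severity="low"><result>notapplicable</result></rule-result>
 </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse the same way."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of every direct child with the given local name."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def summarize(xml_text):
    """Return {target: {"counts": Counter, "review": [(rule, result, severity, idents)]}}."""
    if "<!DOCTYPE" in xml_text:  # result files need no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in XCCDF results")
    report = {}
    for tr in ET.fromstring(xml_text).iter():
        if local(tr.tag) != "TestResult":
            continue
        target = (child_text(tr, "target") or [tr.get("id", "unknown-target")])[0]
        entry = report.setdefault(target, {"counts": Counter(), "review": []})
        for rr in (c for c in tr if local(c.tag) == "rule-result"):
            result = (child_text(rr, "result") or [""])[0].lower()
            if result not in XCCDF_RESULTS:
                result = "invalid"  # malformed export: surface it, do not drop it
            entry["counts"][result] += 1
            if result in NEEDS_REVIEW or result == "invalid":
                entry["review"].append((rr.get("idref"), result,
                                        rr.get("severity", "unknown"), child_text(rr, "ident")))
    return report

if __name__ == "__main__":
    for target, data in summarize(SAMPLE).items():
        print(target, dict(data["counts"]), data["review"])
```

Treating Error and Unknown the same as Fail for triage is a choice made in this example: a rule that could not be evaluated has not been shown to be compliant.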