Vendor Provided Validation Details - BMC BladeLogic Client Automation

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of SCAP Implementation

The SCAP data stream uploaded to the BMC BladeLogic Client Automation Version 8.1.00.001 SCAP Scanner includes an XCCDF checklist with one or more accompanying OVAL definition files. The stream also contains a CPE dictionary along with its OVAL definition. The BMC BladeLogic Client Automation Version 8.1.00.001 scanner first processes the CPE dictionary by evaluating its OVAL definition to determine the existence of the CPE names. Next, the platform specified in the XCCDF checklist is compared against the values from the CPE process. If the checklist is determined to be applicable to this platform, the accompanying OVAL files are processed by the OVAL interpreter. The XCCDF processor then evaluates the checklist rules by comparing the required states against the existing states. XCCDF scores, groups, and rules, along with their CCE values, are displayed in the BMC BladeLogic Client Automation Version 8.1.00.001 user interface as well as in the results\data directory.

Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) is a public dictionary of known security threats. The BMC BladeLogic Client Automation Version 8.1.00.001 SCAP scanner will output the applicable Common Vulnerabilities and Exposures (CVE) ID references in the output for every patch rule processed that contains a CVE ID in the checklist definition in the SCAP data stream. The CVE information is stored in the patch result XML file generated by the scanner and is available in the agent's working directory for inspection and verification. Scan results are available in the scanner's results\data directory.

Statement of CPE Implementation

CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.

BMC BladeLogic Client Automation Version 8.1.00.001 SCAP Scanner implements the Common Platform Enumeration (CPE) standard. The SCAP data stream includes a dictionary that defines the CPEs relevant to the checklist and an OVAL definition file that defines how to test for each CPE. The two files combined allow the scanner to test for the presence of the checklist's target platform. If applicable, a configuration rule defines how to determine the value of each specified item of information in the checklist. If the check passes, then the value of the checked item is true, but if the check fails, then the value of the checked item is false. If the check cannot be completed or returns an error, then the value of the checked item is unknown.

Statement of CVSS Implementation

BMC BladeLogic Client Automation 8.1.00.001 SCAP Reporting Module allows you to identify CVSS by displaying CVE IDs for missing security patches or software vulnerabilities. BMC BladeLogic Client Automation 8.1.00.001 currently does store CVSS information. CVSS data is displayed in the reports page by obtaining the information from an external vulnerability database. The scoring methods for these individual vulnerabilities are located on the NVD website http://nvd.nist.gov/download/nvdcve-2009.xml.

Statement of FDCC Implementation

The BMC BladeLogic Client Automation 8.1.00.001 FDCC scanner has the ability to audit and assess target machines for FDCC compliance. This agent-based FDCC scanner does not require any setting changes to the current FDCC locked-down configuration to scan and access the SCAP data stream. Scans are performed at a specified scan interval based on a schedule set by the administrator. Scan results are available in the scanner's results\data directory; results are also uploaded to an MSSQL or Oracle database for central reporting. Communication to the database can be configured to run over a FIPS 140-2 compliant TLS tunnel.

Statement of CCE Implementation

CCE provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

The FDCC data stream optionally contains CCE data associated with rules. When this data is present in the SCAP data stream, the BMC BladeLogic Client Automation Version 8.1.00.001 SCAP scanner includes the CCE data in the result file. In addition, the CCE identifiers are displayed with the rule in the user interface. All failed rules can be downloaded from the product with their CCE IDs into a spreadsheet for assessment by clicking on the selected failed machines in the reports page.

Statement of XCCDF Implementation

The BMC BladeLogic Client Automation Version 8.1.00.001 SCAP Scanner adheres to version 1.1.4 of the Extensible Configuration Checklist Description Format (XCCDF) standard. After specifying an SCAP data stream as input, the user selects checklists to test against clients. The BBCA SCAP Scanner uses XCCDF as the driver to determine the configuration elements to test. The desired configuration rules are then evaluated using an internal OVAL interpreter for assessment, and the results for the target system are returned. The SCAP Scanner validates the XCCDF input files against the XCCDF schema and provides the relevant details if validation fails. Each check property defines a means to determine the value of a machine state during the evaluation of a checklist or benchmark. If the check passes, then the value of the machine state is true, but if the check fails, then the value of the machine state is false. If the check cannot be completed or returns an error, then the value of the machine state is unknown. Consistent with the Specification for the Extensible Configuration Checklist, the BMC BladeLogic Client Automation Version 8.1.00.001 SCAP Scanner processes all rules in the benchmark except for rules where the "selected" property is set to false. The result for these rules is "not selected." Properties that have a role of "unchecked" return a result of "unchecked." The results from "unchecked" or "unselected" rules do not contribute to the benchmark score.
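The processing flow described in the SCAP statement above (CPE dictionary, platform applicability, OVAL checks, XCCDF comparison) and the rule-result semantics of this section, modelled as an added example that is not BMC's code: a constructed CPE dictionary and checklist with hypothetical rule ids, each OVAL check stubbed as a callable that returns pass, fail or error. Result names follow the page's wording; the score is the share of scored rules that passed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
CheckFn = Callable[[], Optional[bool]]  # OVAL check: True=pass, False=fail, None=error

@dataclass
class Rule:
    id: str
    check: CheckFn
    selected: bool = True   # XCCDF "selected" property
    role: str = "full"      # "full" or "unchecked" (XCCDF 1.1.4 spells it "notchecked")

@dataclass
class Checklist:
    platform_cpe: str       # platform the XCCDF checklist declares it applies to
    rules: List[Rule]

def platform_applies(checklist: Checklist, cpe_dictionary: Dict[str, CheckFn]) -> bool:
    """Evaluate each CPE's OVAL definition, then compare the checklist's platform."""
    present = {name for name, check in cpe_dictionary.items() if check() is True}
    return checklist.platform_cpe in present

def evaluate_rule(rule: Rule) -> str:
    """Map a rule's selection, role and check outcome to its XCCDF-style result."""
    if not rule.selected:
        return "notselected"
    if rule.role == "unchecked":
        return "unchecked"
    outcome = rule.check()
    return "pass" if outcome is True else "fail" if outcome is False else "unknown"

NON_SCORING = {"notselected", "unchecked"}  # these never contribute to the score

def evaluate(checklist: Checklist, cpe_dictionary: Dict[str, CheckFn]) -> dict:
    """Whole flow: CPE applicability, per-rule results, percentage of rules passed."""
    if not platform_applies(checklist, cpe_dictionary):
        return {"applicable": False, "results": {}, "score": None}
    results = {r.id: evaluate_rule(r) for r in checklist.rules}
    scored = [res for res in results.values() if res not in NON_SCORING]
    # "unknown" stays in the denominator, as in the XCCDF default scoring model.
    score = round(100.0 * scored.count("pass") / len(scored), 2) if scored else 0.0
    return {"applicable": True, "results": results, "score": score}

# Constructed sample data (hypothetical CPE name and rule ids, not from the page).
SAMPLE_CPE_DICTIONARY: Dict[str, CheckFn] = {"cpe:/o:example:os": lambda: True}
SAMPLE_CHECKLIST = Checklist("cpe:/o:example:os", [
    Rule("r-pass", lambda: True), Rule("r-fail", lambda: False),
    Rule("r-error", lambda: None),  # check could not complete -> unknown
    Rule("r-skipped", lambda: True, selected=False),
    Rule("r-unchecked", lambda: True, role="unchecked"),
])
```

Running evaluate(SAMPLE_CHECKLIST, SAMPLE_CPE_DICTIONARY) scores 33.33: only the pass, fail and unknown rules count, and one of those three passed.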

Statement of OVAL Implementation

The BMC BladeLogic Client Automation Version 8.1.00.001 SCAP Scanner uses an OVAL parser that adheres to version 5.3 and version 5.4 of the OVAL definition. The SCAP scanner loads the SCAP data stream, which includes an XCCDF document containing a collection of security configuration rules along with one or more OVAL definition files representing information for testing and analyzing the system for existing machine states. The OVAL interpreter processes each OVAL definition referenced by the selected XCCDF profile and retrieves the state information. The stream's XCCDF document is then processed by comparing the rule state values against the existing state values as reported by the OVAL interpreter. Results from these tests are stored on the local computer as well as uploaded to a central database.