Overview of SCAP features

The SCAP features in BMC Server Automation comply with the Technical Specification for the Security Content Automation Protocol (SCAP): Version 1.0.

Using features in the BMC Server Automation Console, you import SCAP content from third-party sources.

The imported content, known collectively as an SCAP Benchmark, is an organized collection of the following SCAP components: security checklists in Extensible Configuration Checklist Description Format (XCCDF), configuration assessments in Open Vulnerability and Assessment Language (OVAL), platform-specific content in a Common Platform Enumeration dictionary (cpe-dictionary) file, and, optionally, a patches file.

Validation against the SCAP schemas occurs during the import. An imported benchmark is a well-formed XCCDF expressed data stream. You can import multiple SCAP Benchmarks.

After importing the SCAP Benchmarks, you create, run, and manage SCAP Compliance Jobs. Each job selects an SCAP Benchmark, profiles within the benchmark, and target servers. SCAP Compliance Jobs are fully integrated into the BMC Server Automation product and include all standard Job features of the product, such as server smart groups to automatically collect target servers based on rules; GUI-based Job editing; automatically recurring job scheduling; automated email notifications and SNMP traps to report job results; and role-based access control (RBAC) on all activities.

OVAL checks are processed on the target servers. Their results are used by BMC Server Automation in forming the final XCCDF results. The BMC Server Automation Console shows the result state for each rule. Results are organized in two views: one view shows results by target server and another view shows results for each rule across all servers. Rule results can be one of nine values, including Pass, Fail, Error, and Unknown.

You can export the results to an XML file compliant with the XCCDF specification. The exported file is accompanied by an XSLT file, enabling you to view the contents in a human-readable format using a web browser.

The exported results include active links to full descriptions for all referenced Common Platform Enumeration (CPE) IDs, Common Configuration Enumeration (CCE) IDs and Common Vulnerabilities and Exposures (CVE) IDs. Results also include severity indications using the Common Vulnerability Scoring System (CVSS) specification, if applicable to the benchmark.

The CCE component

BMC Server Automation supports the SCAP Common Configuration Enumeration (CCE).

CCE is an SCAP nomenclature and dictionary of software security configurations. The SCAP source data stream that BMC Server Automation uses for SCAP compliance scans should include CCE content. The XCCDF result data stream includes CCE IDs.

BMC Server Automation provides drill-down features for researching rule noncompliance on each target server. To use those features, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can expand the results for a specific target server, find failed rules, and click a rule to see details about it, including a list of CCE IDs associated with the rule. Using the CCE IDs, the user can research commonly accepted configurations that pass the rule. The CCE IDs in the report are links to http://cce.mitre.org, where users can obtain the most recent CCE lists.

The CPE component

BMC Server Automation supports the Common Platform Enumeration (CPE).

CPE is an SCAP nomenclature and dictionary of hardware, operating systems, and applications. The SCAP source data stream that BMC Server Automation uses for SCAP compliance scans must include CPE content. In the SCAP result data stream produced by BMC Server Automation, when a rule applies to a specific hardware, operating system, or application, those objects are identified using CPE nomenclature.

To view those results, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a rule to display details about that rule, including CPE nomenclature attached to the rule. The report shows the entire CPE string; for example: cpe:/a:microsoft:msn_messenger_service:6.2.

In the XML results file, to identify BMC Server Automation as the benchmarking tool, the <TestResult> element sets the test-system attribute to cpe:/bmc:bsa:server:automation.
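As an added example (not code from BMC or from this page), the following Python script parses a constructed XCCDF results document and reproduces what the sections above describe: the Console's two views (results per target server, and per rule across all servers), the nine XCCDF rule-result values, the test-system attribute on <TestResult>, and the drill-down from a failed rule to its CCE/CVE identifiers and the target's CPE platform. The sample document, the hostnames, rule IDs and CCE/CVE values are constructed placeholders; the element and attribute names and the XCCDF 1.1 namespace are taken from the XCCDF specification.

```python
"""Summarise an exported XCCDF results document per target server and per
rule, and drill down from failed rules to the CCE/CVE IDs and CPE platforms
attached to them.  Added example, not BMC code: the document below is
constructed and its hostnames, rule IDs and identifiers are placeholders."""
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# The nine rule-result values defined by XCCDF.
RESULT_VALUES = frozenset(["pass", "fail", "error", "unknown", "notapplicable",
                           "notchecked", "notselected", "informational", "fixed"])

# Constructed sample: two target servers, three rules each.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <TestResult id="result-host-a" test-system="cpe:/bmc:bsa:server:automation">
    <target>host-a.example</target>
    <platform idref="cpe:/o:example:os:1.0"/>
    <rule-result idref="rule-password-length">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    </rule-result>
    <rule-result idref="rule-patch-level">
      <result>pass</result>
      <ident system="http://cve.mitre.org">CVE-0000-0000</ident>
    </rule-result>
    <rule-result idref="rule-other-platform">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
  <TestResult id="result-host-b" test-system="cpe:/bmc:bsa:server:automation">
    <target>host-b.example</target>
    <rule-result idref="rule-password-length">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    </rule-result>
    <rule-result idref="rule-patch-level">
      <result>error</result>
      <ident system="http://cve.mitre.org">CVE-0000-0000</ident>
    </rule-result>
    <rule-result idref="rule-other-platform">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_test_results(xml_text):
    """One dict per <TestResult>, i.e. per target server."""
    root = ET.fromstring(xml_text)
    entries = []
    for tr in root.findall("x:TestResult", NS):
        rules = {}
        for rr in tr.findall("x:rule-result", NS):
            result = rr.findtext("x:result", default="", namespaces=NS).strip()
            if result not in RESULT_VALUES:      # reject anything outside the nine values
                raise ValueError("not an XCCDF result value: %r" % result)
            rules[rr.get("idref")] = {
                "result": result,
                "idents": [(i.get("system"), (i.text or "").strip())
                           for i in rr.findall("x:ident", NS)],
            }
        entries.append({
            "target": tr.findtext("x:target", default="", namespaces=NS).strip(),
            "test_system": tr.get("test-system", ""),
            "platforms": [p.get("idref") for p in tr.findall("x:platform", NS)],
            "rules": rules,
        })
    return entries


def tally_by_target(entries):
    """View 1: per target server, how many rules ended in each result value."""
    return {e["target"]: Counter(r["result"] for r in e["rules"].values())
            for e in entries}


def results_by_rule(entries):
    """View 2: per rule, the result on every target server."""
    view = {}
    for e in entries:
        for rule_id, r in e["rules"].items():
            view.setdefault(rule_id, {})[e["target"]] = r["result"]
    return view


def failed_rule_references(entries):
    """Drill-down: each failed rule with its CCE/CVE IDs and the target's CPE
    platforms, the same data the browser report links to the MITRE sites."""
    refs = []
    for e in entries:
        for rule_id, r in e["rules"].items():
            if r["result"] != "fail":
                continue
            for system, ident in r["idents"]:
                refs.append({"target": e["target"], "rule": rule_id,
                             "system": system, "id": ident,
                             "platforms": e["platforms"]})
    return refs


def produced_by_bsa(entries):
    """True when every TestResult names BMC Server Automation as the tool."""
    return all(e["test_system"] == "cpe:/bmc:bsa:server:automation" for e in entries)
```

Run it with `python3 -c 'import summary; print(summary.tally_by_target(summary.parse_test_results(summary.SAMPLE_RESULTS)))'` (assuming the file is saved as summary.py) to see the per-target tallies; `failed_rule_references` gives the rows an analyst would follow to http://cce.mitre.org or http://cve.mitre.org, and `produced_by_bsa` is a cheap sanity check that a results file really came from a BMC Server Automation job before it is loaded into a reporting pipeline.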

 

The CVSS component

BMC Server Automation displays the Common Vulnerability Scoring System (CVSS) impact-metric value associated with a rule in the exported results file. CVSS is an SCAP specification that describes the characteristics and impacts of IT vulnerabilities. The SCAP source data stream that BMC Server Automation uses for SCAP compliance scans can optionally include impact-metric values for rules. If a rule in the imported benchmark includes an impact-metric value, that value is included in the SCAP result data stream.

To view the impact-metric value associated with a rule, users export the XCCDF results to an XML file from the GUI console. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including the CVSS impact-metric value assigned to the rule by the Benchmark author. If a rule does not have an impact-metric value assigned to it, then the CVSS field in the report is blank.

The XCCDF component

BMC Server Automation supports the Extensible Configuration Checklist Description Format (XCCDF).

XCCDF is an SCAP XML language for expressing security checklists. The source data stream that BMC Server Automation uses for SCAP compliance scans must be well-formed XCCDF. The result data stream that BMC Server Automation produces is well-formed XCCDF.

To prepare for SCAP scanning, an administrator assembles an SCAP source data stream, including XCCDF content, into a folder on a server that is accessible to BMC Server Automation. Well-formed XCCDF content from any source is acceptable. Using the BMC Server Automation Console, the administrator navigates to the XCCDF file and imports all SCAP content for a benchmark in a single import action. The import process validates all content against the applicable schemas and Schematron rules. It captures validation errors in a log file that is accessible from the BMC Server Automation Console.

The imported data stream appears as an SCAP Benchmark object in the BMC Server Automation Console. Multiple SCAP Benchmarks are permitted to accommodate usage of multiple XCCDF content sources and versions.

An SCAP Compliance Job produces an XCCDF results file compliant with the XCCDF specifications.

The OVAL component

BMC Server Automation supports the Open Vulnerability and Assessment Language (OVAL).

OVAL is an SCAP XML language for representing system configuration information, assessing machine state, and reporting assessment results. BMC Server Automation version 8.2 supports schemas for OVAL version 5.9 and earlier.

A proprietary OVAL interpreter based on the open-source OVAL Definition Interpreter (ovaldi) processes the OVAL tests. The OVAL interpreter is bundled with the RSCD agent, a BMC Software component installed on every server managed by BMC Server Automation.

OVAL content is imported into the BMC Server Automation Console as part of the SCAP data stream. The import process validates the OVAL content against its schema and captures validation errors in a log file that is accessible from the BMC Server Automation Console.

To initiate an SCAP scan, administrators create an SCAP Compliance Job. On each target server selected in the job, an OVAL interpreter performs the vulnerability processing and creates an OVAL results file that is compliant with the OVAL results schema.

The process then condenses the OVAL results file into a much smaller summary file and sends that to the BMC Server Automation Application Server. The Application Server creates the XCCDF results file from the summaries collected from all targets. By default, the process deletes the OVAL result files from each target server; however, administrators can configure the SCAP Compliance Jobs to retain those files.
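As an added example (not BMC's code; this page does not describe the format of the condensed file BMC Server Automation sends to the Application Server, so the summary shape here is an assumption), the following Python script shows the two steps the preceding paragraphs describe: reducing a full OVAL results document to the per-definition outcomes that are worth sending upstream, and mapping each OVAL definition result onto the XCCDF rule result that ends up in the XCCDF results file. The result mapping, including the swap of pass and fail when a rule's check carries negate="true", is the one the XCCDF specification defines for OVAL checks. The sample OVAL document, the definition IDs, and the rule-to-definition dictionary (which in a real benchmark comes from each rule's check-content-ref) are constructed.

```python
"""Condense an OVAL results document to definition-level outcomes and map
them to XCCDF rule results.  Added example, not BMC code: the OVAL document
and the rule/definition IDs are constructed, and the condensed dict is an
assumed stand-in for BMC's undocumented intermediate file."""
import xml.etree.ElementTree as ET

NS = {"r": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# OVAL definition result -> XCCDF rule result, per the XCCDF specification.
OVAL_TO_XCCDF = {
    "true": "pass",
    "false": "fail",
    "error": "error",
    "unknown": "unknown",
    "not evaluated": "notchecked",
    "not applicable": "notapplicable",
}

# Constructed sample: the <definitions> block of one target's OVAL results.
SAMPLE_OVAL_RESULTS = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
        <definition definition_id="oval:example:def:3" version="1" result="error"/>
        <definition definition_id="oval:example:def:4" version="1" result="not applicable"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def summarize_oval_results(xml_text):
    """Keep only definition_id -> result; the per-test and collected-item
    detail that makes OVAL results files large is dropped."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result")
            for d in root.iterfind(".//r:definition", NS)}


def oval_to_xccdf(oval_result, negate=False):
    """Map one OVAL definition result to an XCCDF rule result.  `negate`
    models <check negate="true"> in the benchmark, which swaps pass/fail."""
    if oval_result not in OVAL_TO_XCCDF:
        raise ValueError("unknown OVAL result: %r" % oval_result)
    xccdf = OVAL_TO_XCCDF[oval_result]
    if negate and xccdf in ("pass", "fail"):
        xccdf = "fail" if xccdf == "pass" else "pass"
    return xccdf


def build_rule_results(rule_checks, summary):
    """rule_checks maps XCCDF rule id -> (OVAL definition id, negate flag),
    as read from each rule's <check>/<check-content-ref name="...">.  A rule
    whose definition is missing from the target's summary is 'notchecked'."""
    results = {}
    for rule_id, (def_id, negate) in rule_checks.items():
        if def_id not in summary:
            results[rule_id] = "notchecked"
        else:
            results[rule_id] = oval_to_xccdf(summary[def_id], negate)
    return results


if __name__ == "__main__":
    condensed = summarize_oval_results(SAMPLE_OVAL_RESULTS)
    checks = {"rule-a": ("oval:example:def:1", False),
              "rule-b": ("oval:example:def:2", True),
              "rule-c": ("oval:example:def:9", False)}
    print(build_rule_results(checks, condensed))
```

The `notchecked` branch matters in practice: if a target's agent failed to evaluate a definition at all, the rule should surface as unevaluated rather than silently counting as a pass, which is also why a retained OVAL results file on the target (the option the paragraph above mentions) is the first thing to inspect when a rule shows `error` or `unknown`.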

Users can view the XCCDF results in the BMC Server Automation Console. They can also export results from the Console to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including OVAL IDs associated with the rule. Each listed OVAL ID is an active link to the specific web page about that test on http://oval.mitre.org.

The CVE component

BMC Server Automation supports the SCAP Common Vulnerabilities and Exposures (CVE) enumeration.

CVE is an SCAP nomenclature and dictionary of security-related software flaws and vulnerabilities. The SCAP source data stream that BMC Server Automation uses for SCAP compliance scans should include CVE IDs. The SCAP result data stream includes CVE IDs.

BMC Server Automation provides drill-down features for researching the vulnerabilities associated with each rule on each target server. To use those features, from the GUI console, users export the XCCDF results to an XML file. The export includes a .xslt file that enables a fully formatted view of the results in a web browser. In the browser-displayed report, users can click a specific Benchmark rule to view details about the rule, including a list of CVE IDs associated with the rule. Each listed CVE ID is an active link to the specific web page about that CVE ID on http://cve.mitre.org. The web pages display the CVE description and links to technical references.