Vendor Provided Validation Details - CIS-CAT v2.2.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. 

 

Statement of SCAP Implementation

The Center for Internet Security Configuration Assessment Tool (CIS-CAT) is built to support both the consensus security configuration benchmarks distributed by The Center for Internet Security and the configuration content distributed by NIST under the Security Content Automation Protocol (SCAP) program, a U.S. government multi-agency initiative to enable automation and standardization of technical security operations. Currently, the XML provided by CIS is available only to CIS members. CIS-CAT reads system configuration guidance documents written in eXtensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL), processes their contents, and outputs system compliance reports in HTML, text, and XML formats. The XML output consists of well-formed, valid XCCDF result documents containing SCAP compliance information suitable for submission to NIST, as well as additional detailed information useful for inspecting low-level evaluation check outcomes. The HTML report contains a summary table listing the compliance status of each item, a numeric compliance score for each item and section, and a detailed report on each compliance item, including, in most cases, the desired setting and the setting found on the system. The text report contains the benchmark item number, the pass/fail result status, and the title of each item.

 

Statement of CVE Implementation  

CIS-CAT supports the Common Vulnerabilities and Exposures (CVE) standard. CVE allows users of CIS-CAT to identify known security vulnerabilities and exposures. CVEs are typically used in scans and tests that check for specific software patches and, potentially, configuration issues. CIS-CAT assumes that a CVE is defined in the metadata section of an OVAL definition as a reference node whose source attribute is "CVE". When such a reference is found, an attribute named "CVE" is placed on the "and" or "or" nodes of the result XML file; the value of this attribute is the CVE-ID itself. The attribute can hold one or more CVE-IDs, because a single software patch or issue can have multiple CVE-IDs associated with it; when there are multiple CVE-IDs they are separated by a space. To view the CVE-IDs from the HTML report, click "View Rule Result XML" and search for "CVE"; when viewing the XML file directly, search for "CVE=". The companion "CVE_URLS" attribute contains the URL for each CVE, where detailed information can be found.
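The two places the statement above describes, a reference node with source "CVE" in OVAL definition metadata and a space-separated "CVE"/"CVE_URLS" attribute pair on "and"/"or" result nodes, can be read back with a short parser. The following is an added example, not CIS-CAT's own code: the OVAL metadata layout is the standard OVAL 5 one, but the result fragment (element names other than the CVE and CVE_URLS attributes, and the use of a result attribute) is constructed here for illustration and is not CIS-CAT's real result schema, and both sample documents are constructed.

```python
"""Added example (not CIS-CAT code): extract CVE references from OVAL
definition metadata and from a CIS-CAT style result document.

Assumptions, labelled as such:
  * OVAL metadata carries <reference source="CVE" ref_id="..." ref_url="..."/>
    (the standard OVAL 5 layout; the URLs below are constructed).
  * The result XML places CVE="..." and CVE_URLS="..." attributes on <and>/<or>
    nodes, space separated, as the statement describes; the surrounding element
    names and the result attribute in SAMPLE_RESULT are constructed.
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample OVAL definitions document (not a real benchmark).
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="patch">
      <metadata>
        <title>Example patch KB000001</title>
        <reference source="CVE" ref_id="CVE-2008-0001" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2008-0001"/>
        <reference source="CVE" ref_id="CVE-2008-0002" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2008-0002"/>
        <reference source="VENDOR" ref_id="KB000001"/>
        <description>Two CVEs fixed by one patch.</description>
      </metadata>
    </definition>
    <definition id="oval:com.example:def:2" version="1" class="compliance">
      <metadata>
        <title>No CVE here</title>
        <reference source="CCE" ref_id="CCE-0000-0"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

def cves_per_definition(oval_xml: str) -> dict[str, list[tuple[str, str]]]:
    """Map each definition id to its (CVE-ID, URL) references.

    Only <reference> nodes whose source attribute is exactly "CVE" count,
    mirroring the rule the statement describes; other sources are ignored.
    """
    root = ET.fromstring(oval_xml)
    ns = {"o": OVAL_NS}
    out: dict[str, list[tuple[str, str]]] = {}
    for d in root.findall(".//o:definitions/o:definition", ns):
        refs = [
            (r.get("ref_id", ""), r.get("ref_url", ""))
            for r in d.findall("o:metadata/o:reference", ns)
            if r.get("source") == "CVE"
        ]
        out[d.get("id", "")] = refs
    return out

# Constructed result fragment carrying the described CVE / CVE_URLS attributes.
SAMPLE_RESULT = """<results>
  <rule-result idref="xccdf_rule_1">
    <and result="false"
         CVE="CVE-2008-0001 CVE-2008-0002"
         CVE_URLS="https://nvd.nist.gov/vuln/detail/CVE-2008-0001 https://nvd.nist.gov/vuln/detail/CVE-2008-0002">
      <criterion result="false"/>
    </and>
  </rule-result>
  <rule-result idref="xccdf_rule_2">
    <or result="true"/>
  </rule-result>
</results>
"""

def failed_cves(result_xml: str) -> dict[str, str]:
    """Return {CVE-ID: URL} for every <and>/<or> node that carries a CVE
    attribute and whose result is not "true" (patch or setting not found).

    Splits on whitespace, since multiple IDs are space separated, and pairs
    IDs with CVE_URLS positionally; a missing URL becomes "".
    """
    root = ET.fromstring(result_xml)
    found: dict[str, str] = {}
    for node in root.iter():
        if node.tag not in ("and", "or") or "CVE" not in node.attrib:
            continue
        if node.get("result") == "true":
            continue
        ids = node.get("CVE", "").split()
        urls = node.get("CVE_URLS", "").split()
        for i, cve in enumerate(ids):
            found[cve] = urls[i] if i < len(urls) else ""
    return found

if __name__ == "__main__":
    for def_id, refs in cves_per_definition(SAMPLE_OVAL).items():
        print(def_id, [cve for cve, _ in refs])
    for cve, url in failed_cves(SAMPLE_RESULT).items():
        print("unpatched:", cve, url)
```

The same split-on-space rule is what a grep for "CVE=" in a real result file would have to reproduce; pairing IDs with URLs by position is the only interpretation the statement supports, so a mismatch in count is treated as a missing URL rather than an error.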

 

Statement of CCE Implementation  

The Center for Internet Security Configuration Assessment Tool supports the use of the Common Configuration Enumeration (CCE). CCE identifiers uniquely distinguish entries within a dictionary of security-related software (mis-)configuration issues. XCCDF benchmark documents may contain CCE references, and such references appear in the output reports alongside the associated benchmark item as links to the National Vulnerability Database (NVD) CCE database, providing a convenient path to detailed information about a CCE-identified configuration issue. CCEs are useful in a number of ways. They can be used as a key to refer to the same configuration recommendation regardless of its context or the tool used to process it. While minor differences may be necessary depending on the context, this common configuration identifier makes it possible to keep track of the underlying configuration recommendation being processed: for comparing system configurations across multiple systems, for reporting purposes, and for organizing security configuration guidance in a structured manner for efficient data management.

 

Statement of CPE Implementation 

CIS-CAT supports the Common Platform Enumeration (CPE) standard. CPE is a structured naming scheme for information technology systems, platforms, and applications that is similar to a URI. The advantage of using CPE is that it provides a standard naming convention for operating systems and other applications. CIS-CAT currently implements CPEs only for operating systems, not for applications. CIS-CAT supports the following operating systems when generating a CPE: AIX, FreeBSD, HP-UX, Irix, Linux, Mac OS, Mac OS X, OS/390, Solaris, SunOS, and Windows. When CIS-CAT runs it does not, by default, check whether the benchmark was written for the operating system being scanned; however, it includes the name of the operating system and its CPE in the XML and HTML scan results. In the HTML output, the title attribute of the HTML tag holds the operating system name. In the XML output, the CPE is contained in the platform tag.
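Because CIS-CAT does not by default check that a benchmark was written for the scanned operating system, a practitioner may want to perform that applicability check separately, using the host's CPE and the benchmark's platform entries. The following is an added example, not CIS-CAT's code: the operating-system-to-CPE mapping in OS_TO_CPE is this example's own illustration (CIS-CAT's actual mapping is not published in the statement), the sample benchmark is constructed, and the CPE 2.2 URI layout (cpe:/part:vendor:product:version:update:edition:language, blank components matching anything) is taken from the CPE 2.2 specification.

```python
"""Added example (not CIS-CAT code): build a CPE 2.2 URI for the host's
operating system and check it against an XCCDF benchmark's <platform> list.

Assumptions, labelled as such: OS_TO_CPE is an illustrative mapping, not
CIS-CAT's; SAMPLE_BENCHMARK is constructed; the XCCDF 1.1 namespace and the
<platform idref="cpe:/..."/> element are from the XCCDF 1.1 schema.
"""
import platform
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Illustrative mapping from platform.system() names to (part, vendor, product).
# Part "o" means operating system; CIS-CAT only emits OS CPEs, per the statement.
OS_TO_CPE = {
    "Windows": ("o", "microsoft", "windows"),
    "Linux": ("o", "linux", "linux_kernel"),
    "Darwin": ("o", "apple", "mac_os_x"),
    "SunOS": ("o", "sun", "sunos"),
    "AIX": ("o", "ibm", "aix"),
    "FreeBSD": ("o", "freebsd", "freebsd"),
    "HP-UX": ("o", "hp", "hp-ux"),
}

def cpe_components(uri: str) -> list[str]:
    """Split a CPE 2.2 URI into its seven components, padding absent ones with ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    return (parts + [""] * 7)[:7]

def cpe_matches(host: str, benchmark: str) -> bool:
    """CPE 2.2 name matching: a blank component in the benchmark name matches
    any host value; a populated one must match case-insensitively."""
    for h, b in zip(cpe_components(host), cpe_components(benchmark)):
        if b and h.lower() != b.lower():
            return False
    return True

def host_cpe(system: str = "", release: str = "") -> str:
    """Build cpe:/o:vendor:product:version for this host (or the given values)."""
    system = system or platform.system()
    release = release or platform.release()
    part, vendor, product = OS_TO_CPE.get(system, ("o", system.lower(), system.lower()))
    version = release.split("-")[0]  # drop kernel suffixes such as "-generic"
    return f"cpe:/{part}:{vendor}:{product}:{version}"

# Constructed XCCDF fragment declaring two platforms (one broad, one XP-only).
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="example">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <platform idref="cpe:/o:microsoft:windows"/>
</Benchmark>"""

def benchmark_platforms(xccdf_xml: str) -> list[str]:
    """Return the CPE names declared by the benchmark's <platform> elements."""
    root = ET.fromstring(xccdf_xml)
    return [p.get("idref", "") for p in root.findall("{%s}platform" % XCCDF_NS)]

def applicable(xccdf_xml: str, this_host: str) -> bool:
    """True if any declared platform matches the host; a benchmark that
    declares no <platform> is treated as applicable everywhere."""
    plats = benchmark_platforms(xccdf_xml)
    return not plats or any(cpe_matches(this_host, p) for p in plats)

if __name__ == "__main__":
    me = host_cpe()
    print(me, "applicable" if applicable(SAMPLE_BENCHMARK, me) else "not applicable")
```

Running a Windows benchmark against a Linux host would otherwise produce a report full of failures that say nothing about the host; the check above is the kind of guard that a wrapper script around the scanner can apply before invoking it.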

 

Statement of CVSS Implementation  

The Center for Internet Security Configuration Assessment Tool supports a number of scoring mechanisms, including the Common Vulnerability Scoring System (CVSS). CVSS is an industry standard for assessing the weight, or severity, of system security vulnerabilities relative to other vulnerabilities. It assigns a numeric value to a security vulnerability so that organizations can measure the overall risk to their systems and prioritize the correction of system vulnerabilities. The score is based on a series of vulnerability attributes, including: whether the vulnerability can be exploited remotely; the complexity of a successful attack; whether authentication is required before a given exploit; whether the vulnerability could lead to unauthorized access to confidential data; whether system integrity could be damaged via the vulnerability; and whether system availability could be reduced via the vulnerability. CVSS is an evolving standard.

 

Statement of OVAL Implementation 

OVAL is used to identify common vulnerabilities and configuration issues. A common example of OVAL content is the set of FDCC benchmark files. CIS-CAT usually consumes an OVAL file through a reference from an XCCDF file. The OVAL file contains the definitions of the tests and the expected results of those tests. When CIS-CAT encounters an OVAL reference, it parses the XCCDF file that referenced the specific OVAL file and uses the OVAL reference identifiers to look up the test definition. Usually each referenced test definition contains further sub-tests, which CIS-CAT parses individually. For each sub-test the result is recorded as a pass or a fail; if all sub-tests pass, the main test is considered to have a successful result. When handling an OVAL file, CIS-CAT interprets each given test into the actual system test it must perform. The main driver for this is evaluate.xsl, which handles kicking off the required tests, evaluating the results against the expected results, and recording the success or failure of each test. If an OVAL file is referenced from the main benchmark, validation of that file is attempted; any issues are written to the command prompt for the user to view. CIS-CAT will nevertheless still attempt to use the OVAL file to scan the system.
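The combination step described above, where each sub-test is recorded and the parent passes or fails from its children, is the evaluation of an OVAL definition's criteria tree. The following is an added example, not CIS-CAT's evaluate.xsl: it goes slightly beyond the statement's "all sub-tests pass" rule by honouring the OVAL AND and OR operators and the negate attribute, and by carrying an "unknown" state for tests that could not be collected, following the OVAL 5 results semantics. The definition document and the per-test outcomes are constructed stand-ins for what a collector would produce on a real host.

```python
"""Added example (not CIS-CAT code): evaluate an OVAL definition's <criteria>
tree against per-test results.

Assumptions, labelled as such: SAMPLE_OVAL and SAMPLE_TEST_RESULTS are
constructed; AND/OR semantics over the states true/false/unknown follow the
OVAL 5 results truth tables (AND: any false -> false, all true -> true, else
unknown; OR: any true -> true, all false -> false, else unknown).
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"o": OVAL_NS}

SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:com.example:def:10" version="1" class="compliance">
      <metadata><title>Password length and lockout configured, guest disabled</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:com.example:tst:1" comment="minimum password length >= 8"/>
        <criteria operator="OR">
          <criterion test_ref="oval:com.example:tst:2" comment="lockout set via GPO"/>
          <criterion test_ref="oval:com.example:tst:3" comment="lockout set via local policy"/>
        </criteria>
        <criterion test_ref="oval:com.example:tst:4" negate="true" comment="guest account enabled"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed stand-in for the outcomes a collector recorded on one host.
SAMPLE_TEST_RESULTS = {
    "oval:com.example:tst:1": "true",
    "oval:com.example:tst:2": "false",
    "oval:com.example:tst:3": "true",
    "oval:com.example:tst:4": "false",   # guest is NOT enabled; negate makes this pass
}

NEGATE = {"true": "false", "false": "true", "unknown": "unknown"}

def combine(operator: str, values: list[str]) -> str:
    """Fold child results with the OVAL AND/OR operator over three states."""
    if operator == "AND":
        if any(v == "false" for v in values):
            return "false"
        return "true" if values and all(v == "true" for v in values) else "unknown"
    if operator == "OR":
        if any(v == "true" for v in values):
            return "true"
        return "false" if values and all(v == "false" for v in values) else "unknown"
    raise ValueError(f"unsupported operator {operator!r}")

def evaluate(node: ET.Element, test_results: dict[str, str]) -> str:
    """Recursively evaluate a <criteria> node. A test with no recorded
    result is treated as unknown rather than as a pass."""
    values = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "criterion":
            v = test_results.get(child.get("test_ref", ""), "unknown")
            if child.get("negate", "false") == "true":
                v = NEGATE[v]
        elif tag == "criteria":
            v = evaluate(child, test_results)   # nested node applies its own negate
        else:
            continue   # extend_definition is not handled in this example
        values.append(v)
    result = combine(node.get("operator", "AND"), values)
    if node.get("negate", "false") == "true":
        result = NEGATE[result]
    return result

def evaluate_definitions(oval_xml: str, test_results: dict[str, str]) -> dict[str, str]:
    """Return {definition id: result} for every definition in the document."""
    root = ET.fromstring(oval_xml)
    out: dict[str, str] = {}
    for d in root.findall(".//o:definition", NS):
        crit = d.find("o:criteria", NS)
        out[d.get("id", "")] = evaluate(crit, test_results) if crit is not None else "unknown"
    return out

if __name__ == "__main__":
    print(evaluate_definitions(SAMPLE_OVAL, SAMPLE_TEST_RESULTS))
```

The reason to keep a third state is the failure mode the statement mentions: when an OVAL file fails validation but is still used for the scan, tests that could not be interpreted should surface as unknown in the report, not silently as passes.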

 

Statement of XCCDF Implementation  

CIS-CAT uses the eXtensible Configuration Checklist Description Format (XCCDF) version 1.1 specification. XCCDF is used throughout CIS-CAT as the required XML schema for benchmarks. This ensures that outside compliance benchmarks like NIST's Federal Desktop Core Configuration (FDCC) can be used alongside custom or CIS benchmarks. The XCCDF format specifies the required tests for one or more profiles. At run time the user can select, through CIS-CAT's GUI, any of the profiles specified in an XCCDF document, and CIS-CAT then runs the tests for that profile. With CIS-CAT an evaluation check can be specified in place, or an Open Vulnerability and Assessment Language (OVAL) file can be specified together with the specific ID of the OVAL test that should be evaluated. The descriptions, CCE-IDs, and other related artifacts entered in the XCCDF are used in the XML and HTML results that CIS-CAT produces. If Profiles are not present, as is the case with some CIS-provided XML, all Rules in the XCCDF document are processed unless they are disabled (unselected, in XCCDF parlance). Multiple check specification languages are supported, including CIS' proprietary Embedded Check Language (ECL) and the Open Vulnerability and Assessment Language (OVAL, described above).
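The selection logic described above (a chosen Profile overriding each Rule's own selected attribute, all selected Rules running when no Profile exists, and a Rule's check pointing at an OVAL definition ID in an external file) is what a scanner resolves before any test runs. The following is an added example, not CIS-CAT's code: the benchmark is constructed, and the namespace URI, the Profile/select, Rule/ident and check/check-content-ref elements are taken from the XCCDF 1.1 schema. It also cascades selection through Groups, which XCCDF specifies, though the statement above speaks only of Rules.

```python
"""Added example (not CIS-CAT code): resolve which XCCDF 1.1 Rules a Profile
selects and what OVAL definition each one's check references.

Assumptions, labelled as such: SAMPLE_XCCDF is constructed; element and
attribute names follow the XCCDF 1.1 schema; the CCE ident system URI is the
one XCCDF content conventionally uses for CCE identifiers.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
CCE_SYSTEM = "http://cce.mitre.org"
NS = {"x": XCCDF_NS}

SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <Profile id="level1">
    <title>Level 1</title>
    <select idref="rule-3" selected="false"/>
  </Profile>
  <Profile id="level2">
    <title>Level 2</title>
    <select idref="rule-2" selected="true"/>
    <select idref="legacy" selected="false"/>
  </Profile>
  <Group id="core">
    <Rule id="rule-1" selected="true">
      <title>Minimum password length</title>
      <ident system="{CCE_SYSTEM}">CCE-0000-1</ident>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="checks.xml" name="oval:com.example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-2" selected="false">
      <title>Account lockout threshold</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="checks.xml" name="oval:com.example:def:2"/>
      </check>
    </Rule>
  </Group>
  <Group id="legacy">
    <Rule id="rule-3" selected="true">
      <title>Legacy setting</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="checks.xml" name="oval:com.example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

def selected_rules(xccdf_xml: str, profile_id: str = "") -> dict[str, dict]:
    """Return {rule id: {title, cce, oval_href, oval_def}} for every Rule that
    is selected once the Profile's <select> overrides are applied.

    With no profile_id (as with some CIS content), each Rule's own selected
    attribute decides. Rules inside an unselected Group are skipped.
    """
    root = ET.fromstring(xccdf_xml)
    overrides: dict[str, bool] = {}
    if profile_id:
        prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
        if prof is None:
            raise KeyError(f"no Profile with id {profile_id!r}")
        for sel in prof.findall("x:select", NS):
            overrides[sel.get("idref", "")] = sel.get("selected", "true") == "true"

    def is_selected(item: ET.Element) -> bool:
        default = item.get("selected", "true") == "true"   # XCCDF default is selected
        return overrides.get(item.get("id", ""), default)

    out: dict[str, dict] = {}

    def walk(container: ET.Element) -> None:
        for child in container:
            tag = child.tag.split("}")[-1]
            if tag == "Group":
                if is_selected(child):
                    walk(child)
            elif tag == "Rule" and is_selected(child):
                ref = child.find(f"x:check[@system='{OVAL_SYSTEM}']/x:check-content-ref", NS)
                cce = child.find(f"x:ident[@system='{CCE_SYSTEM}']", NS)
                out[child.get("id", "")] = {
                    "title": child.findtext("x:title", default="", namespaces=NS).strip(),
                    "cce": cce.text.strip() if cce is not None and cce.text else None,
                    "oval_href": ref.get("href") if ref is not None else None,
                    "oval_def": ref.get("name") if ref is not None else None,
                }

    walk(root)
    return out

if __name__ == "__main__":
    for pid in ("", "level1", "level2"):
        print(pid or "(no profile)", sorted(selected_rules(SAMPLE_XCCDF, pid)))
```

The (href, name) pairs this produces are exactly the lookups the OVAL section describes: the href names the external OVAL file and the name is the definition ID to evaluate within it, and the CCE text is what the report turns into an NVD CCE link.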