Vendor Provided Validation Details - Prism Microsystems EventTracker Enterprise 7.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.


Statement of SCAP Implementation

Prism Microsystems EventTracker supports the following SCAP capabilities:


EventTracker implements the SCAP 1.0 standard by implementing


EventTracker contains built-in SCAP content for FDCC and other benchmarks. EventTracker also allows the user to validate and import the latest SCAP content for the supplied benchmarks. EventTracker provides a Web interface that can be used to schedule an assessment or perform an on-demand assessment against the systems that have the EventTracker agent installed on them. The EventTracker user interface contains references to CCE entries for each of the rule results. Where applicable, the results also contain an OVAL reference, CVE references, and CPE references. Each target system is assessed using the CPE dictionary and has its operating system identified with a CPE reference. All CVE references have an external link to the NVD.


Statement of CVE Implementation

Prism Microsystems EventTracker includes support for Common Vulnerabilities and Exposures (CVE) names. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. Prism Microsystems EventTracker implements the CVE standard by displaying appropriate CVE identifiers with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "vulnerability" or "patch". These CVE identifiers are extracted from the SCAP content imported by EventTracker.

The EventTracker user interface contains links to an HTML report of results of patch content that is part of the imported SCAP content. For every definition result for which a CVE identifier is available, the CVE identifier is displayed within this HTML report. Each CVE identifier is expressed as a link to the NVD site. These links are displayed irrespective of whether or not the vulnerability is actually present, as they are associated with definition results within the imported SCAP content.


Statement of CCE Implementation

Prism Microsystems EventTracker includes support for Common Configuration Enumeration (CCE) references. The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. CCE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools.

Prism Microsystems EventTracker implements the CCE standard by displaying appropriate CCE identifiers with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "compliance". These CCE identifiers are extracted from the SCAP content imported by EventTracker.

In addition to displaying the CCE identifiers in the user interface that shows XCCDF rule results, EventTracker allows the user to export the assessment results in MS Excel format. EventTracker also allows the user to export the assessment results in a comma-separated format that contains the CCE identifier and the rule result. EventTracker also includes a search feature that allows users to search the assessment results for a given CCE identifier.
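The export and search described above, as an added example (not EventTracker code): it reads an XCCDF 1.1 results document, pairs each rule-result with the CCE identifier carried in its `ident` element, writes the rows as comma-separated text and looks up a given CCE. The XML sample, its rule ids and its CCE numbers are constructed placeholders.

```python
"""Export XCCDF 1.1 rule results with their CCE identifiers as CSV, and search
by CCE (added example, not EventTracker code). SAMPLE_RESULTS is a constructed
XCCDF TestResult fragment; its rule ids and CCE values are placeholders."""
import csv
import io
import xml.etree.ElementTree as ET
from typing import Dict, List

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCE_SYSTEM = "http://cce.mitre.org"   # <ident system=...> value used for CCE references

# Constructed sample results document (placeholder rule ids and CCE numbers).
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <TestResult id="sample-result">
    <rule-result idref="rule-password-length"><result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00001-1</ident></rule-result>
    <rule-result idref="rule-guest-account"><result>fail</result>
      <ident system="http://cce.mitre.org">CCE-00002-2</ident></rule-result>
    <rule-result idref="rule-no-cce"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xccdf_xml: str) -> List[Dict[str, str]]:
    """One row per rule-result: rule id, result, and CCE ids (';'-joined, may be empty)."""
    root = ET.fromstring(xccdf_xml)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        # Only idents whose system attribute marks them as CCE references count.
        cces = [i.text.strip() for i in rr.iterfind("x:ident", XCCDF_NS)
                if i.get("system") == CCE_SYSTEM and i.text]
        rows.append({"rule": rr.get("idref", ""), "result": result, "cce": ";".join(cces)})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render the rows as comma-separated text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["rule", "result", "cce"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def find_by_cce(rows: List[Dict[str, str]], cce: str) -> List[Dict[str, str]]:
    """Rows whose CCE list contains the requested identifier (case-insensitive)."""
    wanted = cce.strip().upper()
    return [r for r in rows if wanted in r["cce"].upper().split(";")]
```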


Statement of CPE Implementation

Prism Microsystems EventTracker includes support for the Common Platform Enumeration (CPE) standard. CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. CPE provides a standard notation and reference for operating systems and applications. An operating system can be referred to in many different ways, such as "Windows XP" versus "Microsoft Windows XP". CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7", enabling products to share SCAP results without pre-coordinating operating system and application references. The SCAP DataStream also uses CPE to specify the OS to which a benchmark applies.

Prism Microsystems EventTracker implements the CPE 2.2 standard by displaying appropriate CPE identifiers with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "inventory". These CPE identifiers are extracted from the SCAP content imported by EventTracker. EventTracker checks the validity of a benchmark against the target system using the CPE dictionary and the CPE OVAL definitions that are included in the SCAP content. Each target system is assessed using the CPE dictionary and has its operating system identified with a CPE reference. The EventTracker user interface contains a link to an HTML report of the results of the CPE definitions that are part of the imported SCAP content. For every definition result for which a CPE identifier is available, the CPE identifier is displayed within this HTML report.
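The benchmark-applicability check described above, as an added example (not EventTracker code): it parses CPE 2.2 URIs such as cpe:/o:microsoft:windows_xp and cpe:/a:microsoft:ie:7 and applies the CPE 2.2 name-matching rule, under which an empty component in the benchmark's platform name matches any value in the target's inventoried name. The benchmark ids and the target inventory in the sample are constructed.

```python
"""CPE 2.2 name parsing and benchmark applicability check (added example, not
EventTracker code). Under the CPE 2.2 matching rules an empty component in a
name matches any value, so a benchmark platform written as
cpe:/o:microsoft:windows_xp applies to the more specific target name
cpe:/o:microsoft:windows_xp::sp3, but not the other way round."""
from typing import Dict, List, Tuple
from urllib.parse import unquote

CPE22_PARTS = ("o", "a", "h")     # operating system, application, hardware
CPE22_COMPONENT_COUNT = 7         # part:vendor:product:version:update:edition:language


def parse_cpe22(uri: str) -> Tuple[str, ...]:
    """Split a CPE 2.2 URI into seven lower-cased components ("" means any)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    components = [unquote(c).lower() for c in uri[len("cpe:/"):].split(":")]
    if len(components) > CPE22_COMPONENT_COUNT or components[0] not in CPE22_PARTS:
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    # Missing trailing components are equivalent to empty ones.
    components += [""] * (CPE22_COMPONENT_COUNT - len(components))
    return tuple(components)


def cpe_matches(platform: str, target: str) -> bool:
    """True when the benchmark platform name applies to the target name."""
    return all(p == "" or p == t
               for p, t in zip(parse_cpe22(platform), parse_cpe22(target)))


def applicable_benchmarks(target_inventory: List[str],
                          benchmark_platforms: Dict[str, List[str]]) -> List[str]:
    """Names of the benchmarks whose platform list matches any inventoried CPE name.

    This is the "is this benchmark valid for this target?" decision a scanner makes
    from the CPE dictionary before it runs the benchmark's XCCDF rules.
    """
    return [name for name, platforms in benchmark_platforms.items()
            if any(cpe_matches(p, t) for p in platforms for t in target_inventory)]


if __name__ == "__main__":
    # Constructed sample: benchmark ids and the target's CPE inventory are illustrative.
    benchmarks = {
        "winxp-benchmark": ["cpe:/o:microsoft:windows_xp"],
        "vista-benchmark": ["cpe:/o:microsoft:windows_vista"],
        "ie7-benchmark": ["cpe:/a:microsoft:ie:7"],
    }
    inventory = ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/a:microsoft:ie:7"]
    print(applicable_benchmarks(inventory, benchmarks))
```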


Statement of CVSS Implementation

EventTracker fully supports version 2.0 of the Common Vulnerability Scoring System (CVSS) standard to the extent required for providing a SCAP validated tool with FDCC Scanner capability. CVSS is an open framework that helps organizations prioritize vulnerabilities so that they can remediate higher priority vulnerabilities sooner than lower priority vulnerabilities.

Each Common Vulnerabilities and Exposures (CVE) entry has a CVSS vector for calculating the relative severity of vulnerabilities. Currently, the SCAP XCCDF input data streams for FDCC available on the National Vulnerability Database (NVD) Web site assign the same priority to all compliance checks, and these priorities are compatible with CVSS.

EventTracker preserves the only CVE relationships that exist in the FDCC data stream, which are embodied in the references established by the PatchsUpToDate rule. These references, which point to the actual OVAL definitions, will resolve to the fdcc-xxxx-patches document or to the information published on the NVD web site, depending on Internet connectivity.

EventTracker neither uses CVSS nor displays CVSS data.


Statement of OVAL Implementation

Prism Microsystems EventTracker includes support for the Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check.

Prism Microsystems EventTracker implements the OVAL standard by providing the capability of directly importing SCAP content. The SCAP content itself is composed of a bundle of XML files, some of which are in OVAL format. EventTracker contains a validation routine that checks OVAL files against the OVAL definition Schematron, and reports any errors during the import process. EventTracker automatically processes the OVAL definition content referenced in the XCCDF file to perform assessment activities at the scheduled time. For OVAL-based vulnerability content, EventTracker can load the OVAL content and perform vulnerability assessments against a variety of operating systems. The EventTracker OVAL interpreter is capable of assessing both local computers and remote targets. EventTracker uses MITRE's reference implementation of OVAL as the SCAP checking engine.


Statement of XCCDF Implementation

Prism Microsystems EventTracker includes support for the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check. It is the primary protocol required to process the SCAP datastream. Compliance checklist content, like those developed by NIST for the Federal Desktop Core Configuration (FDCC), is written in the standard XCCDF format.

Prism Microsystems EventTracker implements the Extensible Configuration Checklist Description Format (XCCDF) 1.1.4 standard by providing the capability of directly importing SCAP content. The SCAP content itself is composed of a bundle of XML files, some of which are in XCCDF-compliant format. EventTracker contains a validation routine that checks XCCDF files against the schema documents, and reports any errors during the import process.

Before processing the XCCDF content of the benchmark, EventTracker resolves the XCCDF file as per the specification, if required. After resolving the XCCDF file, EventTracker applies the profile specified in the input and, if required, generates an OVAL external variables file. Along with displaying the assessment results in the user interface, EventTracker generates an XCCDF results file according to the specification and schema documents. The user interface also allows a user to declare deviations, create Plans of Action and Milestones (POA&Ms) for the associated remediation, and use the output XCCDF for configuration reporting to authoritative oversight organizations.