HP’s SCAP Scanner SCAP Implementation Statement

Statement of FDCC Implementation

The SCAP Scanner is designed to support Federal Desktop Core Configuration (FDCC) scans on both Microsoft Windows XP and Microsoft Windows Vista.

Statement of USGCB Implementation

The SCAP Scanner is designed to support United States Government Configuration Baseline (USGCB) scans on Microsoft Windows 7.

Statement of SCAP Implementation

The SCAP Scanner is designed to support the Security Content Automation Protocol (SCAP). SCAP is a set of six specifications: CVE, CCE, CPE, CVSS, OVAL and XCCDF, each of which is addressed in its own statement below.

SCAP defines named capabilities for products that adhere to the complete set or a subset of these specifications. The SCAP Scanner adheres to SCAP by using its component standards. When used as an FDCC/USGCB Scanner, the SCAP Scanner takes an SCAP data stream as input. XCCDF is used to determine the collection of items to test on a target system. CPE is used to ensure that the SCAP data stream applies to the target system. The SCAP Scanner uses OVAL as a basis for rule assessment, and provides both OVAL and XCCDF Results files on output. These results contain references to CVE and CCE identifiers where appropriate and available, and CVE identifiers can be linked directly to CVSS vectors for severity information.

Statement of CVE Implementation  

The SCAP Scanner implements the Common Vulnerabilities and Exposures (CVE) standard. The CVE standard provides a unique, public identifier for each publicly disclosed software vulnerability. CVE IDs are associated with CVSS scores for assessing vulnerability severity. The SCAP Scanner uses CVE IDs that correlate with OVAL definitions. On input, each OVAL definition of class “vulnerability” or class “patch” is linked with its corresponding CVE (where available) as specified in the definition's reference element. This information is then displayed in the OVAL Results output generated after the scan completes, regardless of whether the target system is vulnerable or not. In the output, the CVE reference can be found in the references of the OVAL definition, and provides a direct link to the appropriate sources (such as the National Vulnerability Database and MITRE) as described in the OVAL input file. A vulnerable system returns a “true” result for the OVAL definition that references the given CVE.

Statement of CCE Implementation  

The SCAP Scanner implements the Common Configuration Enumeration (CCE) standard. The CCE standard provides a unique, public identifier for a configuration setting on a given operating system. CCE therefore facilitates the correlation of configuration data between commonly used benchmarks and tools. The SCAP Scanner uses CCE IDs that correlate with OVAL definitions. On input, each OVAL definition of class “compliance” is linked with its corresponding CCE (where available) as specified in the definition's reference element. This information is then displayed in the OVAL Results output file generated after the scan completes, regardless of whether the target system is compliant or not. In the output file, the CCE reference can be found in the references of the OVAL definition; it provides a direct link to the appropriate sources as described in the OVAL input file. Additionally, if a CCE ID is associated with an XCCDF rule, the corresponding CCE ID can be found in the ident element of each rule-result element, per the XCCDF Results format schema.
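The CVE and CCE statements above both describe the same mechanism: an OVAL definition's class decides which identifier it should carry in its reference element, and the OVAL Results file reports a result for every definition whether or not the target was affected. The following Python is an added example, not HP's code and not part of this statement; it joins a constructed, minimal OVAL definitions file with a constructed OVAL Results file (placeholder identifiers, schema validation omitted) and reports class, references and result per definition, flagging definitions that lack the expected CVE/CCE reference.

```python
"""Added example (not HP's code): join an OVAL definitions file with the OVAL
Results file a scan produced, and report each definition's class, its CVE or
CCE references and its result, whether or not the target was affected."""
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"

# Reference source each definition class is expected to carry (per the CVE and
# CCE statements above): vulnerability/patch -> CVE, compliance -> CCE.
EXPECTED_SOURCE = {"vulnerability": "CVE", "patch": "CVE", "compliance": "CCE"}

# Constructed, minimal sample content (not schema-valid: generator omitted).
# The CVE/CCE identifiers are placeholders, not real entries.
DEFINITIONS_XML = f"""<oval_definitions xmlns="{DEF_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Placeholder vulnerability</title>
        <reference source="CVE" ref_id="CVE-0000-0000"
                   ref_url="https://nvd.nist.gov/vuln/detail/CVE-0000-0000"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:2" version="1" class="compliance">
      <metadata><title>Placeholder setting with a CCE</title>
        <reference source="CCE" ref_id="CCE-00000-0" ref_url="https://cce.mitre.org/"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:3" version="1" class="compliance">
      <metadata><title>Placeholder setting without a CCE yet</title></metadata>
    </definition>
  </definitions>
</oval_definitions>"""

RESULTS_XML = f"""<oval_results xmlns="{RES_NS}">
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="true"/>
    <definition definition_id="oval:example:def:2" version="1" result="false"/>
    <definition definition_id="oval:example:def:3" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""


def tag(ns, name):
    """Clark-notation tag name for ElementTree lookups."""
    return f"{{{ns}}}{name}"


def parse_definitions(xml_text):
    """{definition id: {"class": ..., "refs": [(source, ref_id, ref_url), ...]}}"""
    root = ET.fromstring(xml_text)
    defs = {}
    for d in root.iter(tag(DEF_NS, "definition")):
        refs = [(r.get("source"), r.get("ref_id"), r.get("ref_url"))
                for r in d.iter(tag(DEF_NS, "reference"))]
        defs[d.get("id")] = {"class": d.get("class"), "refs": refs}
    return defs


def parse_results(xml_text):
    """{definition id: result} from an OVAL Results file."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(tag(RES_NS, "definition"))}


def interpret(def_class, result):
    """Map an OVAL result onto the page's wording: 'true' on a vulnerability or
    patch definition means the target is affected, 'true' on a compliance
    definition means the setting is compliant. Other results pass through."""
    if result not in ("true", "false"):
        return result
    if def_class in ("vulnerability", "patch"):
        return "vulnerable" if result == "true" else "not vulnerable"
    if def_class == "compliance":
        return "compliant" if result == "true" else "non-compliant"
    return result


def report(definitions_xml, results_xml):
    """One row per definition, emitted regardless of its result; a missing CVE/CCE
    reference is flagged so 'where available' gaps in the content are visible."""
    defs = parse_definitions(definitions_xml)
    results = parse_results(results_xml)
    rows = []
    for def_id, info in defs.items():
        wanted = EXPECTED_SOURCE.get(info["class"])
        ids = [ref_id for source, ref_id, _ in info["refs"] if source == wanted]
        result = results.get(def_id, "not evaluated")
        rows.append({"id": def_id, "class": info["class"], "ids": ids,
                     "missing_reference": wanted is not None and not ids,
                     "result": result, "status": interpret(info["class"], result)})
    return rows


if __name__ == "__main__":
    for row in report(DEFINITIONS_XML, RESULTS_XML):
        print(row)
```

The interpretation step matters in practice: a “true” result is good news on a compliance definition and bad news on a vulnerability or patch definition, so any report that merges the two classes has to carry the class alongside the result.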

Statement of CPE Implementation  

The SCAP Scanner adheres to version 2.1 of the Common Platform Enumeration (CPE) standard. CPE is a structured naming scheme that uniquely identifies operating systems, applications and hardware platforms. When used as an FDCC/USGCB Scanner, the SCAP Scanner uses CPE to ensure that the selected SCAP data stream is valid for the current platform. Each SCAP data stream must include a minimal CPE dictionary and a corresponding CPE OVAL file. Prior to standard OVAL processing, the CPE OVAL definitions are evaluated and compared to the platform references in the accompanying XCCDF file. If one or more of the platforms listed in the XCCDF file evaluate to “true,” the SCAP data stream is appropriate for the current system, and the SCAP Scanner proceeds to evaluate the data stream. If no platforms evaluate to “true,” the SCAP data stream is not intended for the current target, and no further interpretation is done. All CPE platforms that evaluate to “true” on the target system are listed in the XCCDF Results file.

Statement of CVSS Implementation   

The Common Vulnerability Scoring System (CVSS) provides an open framework for determining the relative severity of vulnerabilities in a standardized format. Each CVE is associated with a CVSS vector that records the factors contributing to a given vulnerability’s risk and allows them to be adjusted for an in-depth, environment-specific examination. Alternatively, the CVSS vector can be distilled to a single CVSS base score, which provides a method for quick comparison between the relative risks associated with a set of vulnerabilities. The SCAP Scanner exposes CVSS information indirectly, through the OVAL Results output file obtained after assessing the target system. Each processed OVAL definition of “vulnerability” class has one or more CVEs associated with it. Each CVE identifier can then be used to obtain the CVSS information from the National Vulnerability Database (NVD) site, including the NIST-calculated CVSS score, the full CVSS vector, and the CVSS calculator.

Statement of OVAL Implementation  

The SCAP Scanner fully implements the Open Vulnerability and Assessment Language (OVAL) standard. OVAL is an open, community-developed international standard for describing system configuration information that can be collected for analysis and returned for further inspection. When used as an FDCC/USGCB Scanner, the SCAP Scanner uses the OVAL files supplied in an SCAP data stream. The SCAP Scanner ensures that all input OVAL files validate against the OVAL schema prior to interpretation. The selection of OVAL definitions to evaluate is controlled by an XCCDF Profile. After OVAL interpretation is complete, an OVAL Results XML file is returned as output; it includes the result for every evaluated OVAL definition. When used as an Authenticated Vulnerability and Patch Scanner, the SCAP Scanner takes an OVAL file as input and provides complete OVAL interpretation that yields an OVAL Results file. The SCAP Scanner supports OVAL interpretation on Microsoft Windows, Red Hat Enterprise Linux, SuSE Linux Enterprise Server, Sun Solaris, HP-UX, and IBM AIX platforms.

Statement of XCCDF Implementation  

The SCAP Scanner adheres to version 1.1.4 of the Extensible Configuration Checklist Description Format (XCCDF) standard. XCCDF is an XML standard that describes a collection of configuration rules and provides a framework for common output and compliance scoring. After an SCAP data stream is specified as input, the SCAP Scanner uses XCCDF as the main driver for determining which configuration elements to assess. The SCAP Scanner ensures that XCCDF input files validate against the XCCDF schema and provides the relevant details if validation fails. On input, the user can specify which configuration rules to assess by naming an XCCDF Profile. If an invalid profile is specified, a list of valid profiles is returned. The selected configuration rules are then evaluated using internal OVAL interpretation. Upon completion, results for the target system are returned in XCCDF Results-compliant XML format, providing access to profile scoring information and configuration results for each processed XCCDF rule.
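The CPE statement and the XCCDF statement above together describe the front end of an FDCC/USGCB scan: gate the data stream on the platform CPEs first, then let the named Profile decide which rules (and so which OVAL definitions) are evaluated. The following Python is an added example, not HP's code and not part of this statement; it runs that flow over a constructed benchmark, CPE dictionary and CPE OVAL Results (placeholder names and ids throughout). It matches elements by local name regardless of namespace and skips schema validation; Groups, refine-* elements and Profile extension are not modelled, only each Rule's own selected default overridden by the Profile's select elements.

```python
"""Added example (not HP's code): the XCCDF-driven front end of an FDCC/USGCB
scan, CPE applicability gate first, then Profile-based rule selection, over
constructed sample content. Namespaces are matched by local name only."""
import xml.etree.ElementTree as ET

OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark: two platforms, two profiles, two rules.
XCCDF_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:example:os:1"/>
  <platform idref="cpe:/o:example:os:2"/>
  <Profile id="baseline"><select idref="rule-1" selected="true"/><select idref="rule-2" selected="false"/></Profile>
  <Profile id="everything"><select idref="rule-2" selected="true"/></Profile>
  <Rule id="rule-1" selected="false"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:1"/></check></Rule>
  <Rule id="rule-2" selected="true"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:2"/></check></Rule>
</Benchmark>"""

# Constructed CPE dictionary: each platform name points at the OVAL definition
# (in a separate CPE OVAL file) that tests whether the target is that platform.
CPE_DICT_XML = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:example:os:1"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="example-cpe-oval.xml">oval:example.cpe:def:1</check></cpe-item>
  <cpe-item name="cpe:/o:example:os:2"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="example-cpe-oval.xml">oval:example.cpe:def:2</check></cpe-item>
</cpe-list>"""

# Constructed OVAL Results for the CPE definitions: the target is "os 2".
CPE_RESULTS_XML = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:example.cpe:def:1" version="1" result="false"/>
    <definition definition_id="oval:example.cpe:def:2" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""


def _iter(elem, local_name):
    """Descendants of elem (including elem) whose tag matches local_name, any namespace."""
    return (e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == local_name)


def applicable_platforms(xccdf_xml, cpe_dict_xml, cpe_results_xml):
    """Benchmark-level <platform> names whose CPE OVAL definition evaluated to 'true'.
    Rule- and Group-level platform elements are not considered here."""
    bench = ET.fromstring(xccdf_xml)
    platforms = [p.get("idref") for p in bench if p.tag.endswith("platform")]
    checks = {item.get("name"): chk.text.strip()
              for item in _iter(ET.fromstring(cpe_dict_xml), "cpe-item")
              for chk in _iter(item, "check") if chk.get("system") == OVAL_SYSTEM}
    results = {d.get("definition_id"): d.get("result")
               for d in _iter(ET.fromstring(cpe_results_xml), "definition")}
    return [cpe for cpe in platforms if results.get(checks.get(cpe)) == "true"]


def profile_rules(xccdf_xml, profile_id):
    """Rule ids selected under a Profile: each Rule's own 'selected' default
    (true when absent), overridden by the Profile's <select> elements."""
    bench = ET.fromstring(xccdf_xml)
    profiles = {p.get("id"): p for p in _iter(bench, "Profile")}
    if profile_id not in profiles:
        # Mirrors the documented behaviour: an invalid profile yields the valid list.
        raise ValueError(f"unknown profile {profile_id!r}; valid: {sorted(profiles)}")
    selected = {r.get("id"): r.get("selected", "true") == "true"
                for r in _iter(bench, "Rule")}
    for sel in _iter(profiles[profile_id], "select"):
        if sel.get("idref") in selected:
            selected[sel.get("idref")] = sel.get("selected") == "true"
    return [rid for rid, on in selected.items() if on]


def oval_definitions_for(xccdf_xml, rule_ids):
    """OVAL definition ids referenced by the given rules' <check-content-ref>s."""
    bench = ET.fromstring(xccdf_xml)
    return [ref.get("name")
            for rule in _iter(bench, "Rule") if rule.get("id") in rule_ids
            for chk in _iter(rule, "check") if chk.get("system") == OVAL_SYSTEM
            for ref in _iter(chk, "check-content-ref")]


def plan_scan(xccdf_xml, cpe_dict_xml, cpe_results_xml, profile_id):
    """Gate on CPE first; only an applicable data stream gets its rules selected."""
    platforms = applicable_platforms(xccdf_xml, cpe_dict_xml, cpe_results_xml)
    if not platforms:
        return {"applicable_platforms": [], "rules": [], "oval_definitions": [],
                "note": "data stream not intended for this target; nothing evaluated"}
    rules = profile_rules(xccdf_xml, profile_id)
    return {"applicable_platforms": platforms, "rules": rules,
            "oval_definitions": oval_definitions_for(xccdf_xml, rules)}


if __name__ == "__main__":
    print(plan_scan(XCCDF_XML, CPE_DICT_XML, CPE_RESULTS_XML, "baseline"))
```

Two details worth checking in any real content: the “everything” profile above only touches rule-2, so rule-1 stays at its own selected="false" default and is not assessed, which is easy to miss when reading a Profile in isolation; and a platform whose CPE name has no matching dictionary entry or no result simply never counts as applicable, so a typo in a platform idref silently makes a data stream unusable.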