IBM Tivoli Endpoint Management for Security and Compliance (TEMSC) SCAP Implementation Statement


Revision History

Date                Revision    Description        Author
September 20, 2012  1.0         Initial Release    Noah Salzman


SCAP Implementation Statement for TEMSC capabilities:

                FDCC Scanner

                USGCB Scanner

                Authenticated Configuration Scanner

                Authenticated Vulnerability and Patch Scanner


Statement of FDCC and USGCB Implementation

The TEM Security and Compliance product and the TEM Platform run natively within an FDCC-hardened environment and require no deviations from the FDCC standard on any platform.

However, running the TEM solution in this configuration may slow a TEM agent's ability to receive requests from the server. The TEM agent receives requests from the server on port 52311; for this to work efficiently, the Windows Firewall must be modified to allow communication to this port.

If a customer does not open this port, the TEM agent will, by default, proactively contact the server every 15 minutes to receive updates and identify anything new. Thus, the solution does not require changes to the FDCC default configuration.

Statement of SCAP Implementation

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

TEM exists to maintain the health and improve the security of every computing device in the world – fixed or mobile – physical or virtual – through a high-performance, single infrastructure, single console, and single agent solution. Any device, anywhere, anytime! The TEM unified management platform provides high-performance systems and security management solutions for systems lifecycle management, endpoint protection, and security configuration and vulnerability management.

The TEM Security and Compliance product has adopted and now supports the use of SCAP to generate mis-configuration, vulnerability, and patch based assessment rules so organizations can discover and report on software vulnerabilities, assess the impact of those vulnerabilities, enumerate and remediate the mis-configurations identified, and report on the current state of a system based on the SCAP defined policy definitions. TEM consumes a SCAP-expressed data stream, produces a set of policies known as Fixlet messages, and delivers real-time assessment and remediation on a global scale.

TEM managed systems continuously discover, assess, secure and remediate themselves according to an organization’s SCAP-based policies and practices as well as the operating context in which it finds itself – mobile, connected, disconnected, etc. Without requiring significant investments in dedicated hardware, management resources, or professional services, TEM automates enterprise-scale desktop and server management, malware defenses, and IT policy enforcement without compromising network performance, end-user productivity, or security. TEM delivers superior, customer-documented, return-on-investment by reducing labor and infrastructure costs and automating critical management functions.

Statement of CVE Implementation

Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information security vulnerabilities and exposures that are used by both public and private sectors to enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

IBM is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management Platform includes the ability to discover and report on software vulnerabilities for many different computing platforms. TEM has actively supported CVE for several versions of the product and enjoys a mature product integration with CVE content. For any given security patch or vulnerability that has an associated CVE ID, TEM will display that CVE ID within the TEM Console. In the case where a single vulnerability is associated with multiple CVE IDs, all will be cross-referenced and displayed.

Users can easily find the CVE ID associated with a given security patch or vulnerability by opening the TEM Console and navigating to a Patch or Vulnerability Fixlet Site, double-clicking on a relevant Fixlet, selecting the Details tab, and viewing the CVE ID. The CVE ID is also accessible from other views within the product and can be leveraged as part of the reporting criteria for detailed reports and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.

Statement of CCE Implementation

Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

IBM is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to assess workstations, laptops, servers and mobile computing devices against common configuration settings to identify mis-configuration states in a heterogeneous computing environment. TEM fully supports CCE and displays the CCE ID for each mis-configuration for which there is a CCE ID within the TEM Console. In the case where a mis-configuration is associated with multiple CCE IDs all will be cross-referenced and displayed.

Users can easily find the CCE ID associated with a configuration setting by opening the TEM Console and navigating to a configuration setting consumed from an SCAP-expressed data stream, clicking on a Fixlet message that represents a configuration setting, and viewing the Source ID column. The Source ID will display the CCE ID. The CCE ID is also accessible from other views within the product and can be leveraged as part of the reporting criteria for detailed reports and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.

Statement of CPE Implementation

CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.

IBM is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to leverage the CPE as a check and balance to ensure that configuration settings are assessed on the correct system. Whether the system is a Windows XP, Vista, 2000, 2003, Unix or other technology platform, the CPE ID can be used to uniquely identify a given platform and ensure that assessment is done appropriately.

IBM customers can easily optimize the assessment and remediation of system configurations by targeting systems by platform, in addition to numerous other targeting mechanisms. By targeting a particular platform, customers can eliminate the overhead of scanning systems inappropriately and against configuration checks that have no applicability. Configuration checks are assessed in real-time based on the platform and policies can be enforced, enabling administrators to have real-time visibility and control over platforms as needed in a distributed or non-distributed computing environment.
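To show what "checking names against a system" and platform targeting involve in practice, here is an added example; it is not TEM's code and is not taken from this statement. It parses CPE 2.2 URI names (the binding used by SCAP 1.x data streams) and decides which configuration rules apply to a given platform name. The URI layout, the simplified matching rule (a component the rule's name leaves unspecified matches any value on the platform), and the rule ids and platform names are all assumptions or constructed values of the example.

```python
"""CPE 2.2 URI parsing and applicability matching (added example, not TEM code).

Assumes the CPE 2.2 URI binding:
    cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
and a simplified matching rule: a rule's name applies to a platform when every
component it specifies equals the platform's component, and an unspecified
(empty) component matches anything. Percent-encoding is not decoded here.
"""

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"a": "application", "h": "hardware", "o": "operating system"}

# Constructed sample: made-up rule ids, each listing the platform names it applies to.
SAMPLE_RULES = {
    "rule-xp-firewall-enabled": ["cpe:/o:microsoft:windows_xp"],
    "rule-vista-uac-enabled": ["cpe:/o:microsoft:windows_vista"],
    "rule-windows-guest-disabled": ["cpe:/o:microsoft:windows_xp",
                                    "cpe:/o:microsoft:windows_vista"],
    "rule-xp-sp3-only": ["cpe:/o:microsoft:windows_xp::sp3"],
}


def parse_cpe(uri: str) -> dict:
    """Parse a CPE 2.2 URI into a dict of its seven components ('' = unspecified)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].lower().split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components in {uri!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))   # trailing components may be omitted
    name = dict(zip(COMPONENTS, fields))
    if name["part"] not in PARTS:
        raise ValueError(f"part must be one of {sorted(PARTS)}: {uri!r}")
    return name


def cpe_applies(rule_cpe: str, platform_cpe: str) -> bool:
    """True when every component the rule specifies equals the platform's component."""
    rule, platform = parse_cpe(rule_cpe), parse_cpe(platform_cpe)
    return all(rule[c] in ("", platform[c]) for c in COMPONENTS)


def applicable_rules(platform_cpe: str, rules: dict) -> list:
    """Return the ids (in input order) of rules with at least one name matching the platform.
    Rules that do not match are the ones a platform-targeted scan can skip."""
    return [rule_id for rule_id, cpes in rules.items()
            if any(cpe_applies(cpe, platform_cpe) for cpe in cpes)]


if __name__ == "__main__":
    for host in ("cpe:/o:microsoft:windows_xp::sp3",   # constructed platform names
                 "cpe:/o:microsoft:windows_xp::sp2",
                 "cpe:/o:microsoft:windows_7"):
        print(host, "->", applicable_rules(host, SAMPLE_RULES))
```

The direction of the comparison matters: a rule naming only `cpe:/o:microsoft:windows_xp` applies to any XP service pack, while a rule naming `cpe:/o:microsoft:windows_xp::sp3` applies only to a platform that reports that update component.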

Statement of CVSS Implementation

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.

IBM is a leading provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to assess and report on vulnerabilities and the ability to quantify the impact of those vulnerabilities for multiple computing platforms. TEM fully supports the CVSS standard and displays both the CVSS base score for each applicable vulnerability and the CVSS Base Score Vector used to produce the score.

TEM administrators can access the CVSS score and the associated vector string from within the TEM Console. For additional detail, administrators can navigate to the desired vulnerability definition from within the Fixlet messages. TEM provides a link for administrators to connect to the CVSS definition located on the NVD web site. The TEM Platform is a powerful tool that further enhances the value of CVSS by displaying this common metric for both detailed reports on individual end-point systems or for a large group of systems reported on in the aggregate.

Statement of OVAL Implementation

The Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. The OVAL language is a collection of XML schema for representing system information, expressing specific machine states, and reporting the results of an assessment.

IBM is a leading provider of high-performance systems and security management software for enterprise customers and has been certified as OVAL Compatible since October 2006. Through a repository of vulnerability assessment policies, IBM provides its customers with the ability to assess their managed computers against OVAL vulnerability definitions using real-time data tracking based on the data elements of each definition. These policies are automatically retrieved by the IBM product within an organization's network. Once validated for authenticity, the policies are made available to the TEM client installed on each managed computer and added to its local library of configuration policies. The agent quietly and continuously evaluates the state of the machine against each policy so that any instance of non-compliance can be immediately reported to the TEM Server for review by an administrator. If pre-authorized by an administrator, the appropriate corrective action will be applied to the computer immediately upon mis-configuration detection — even to remote or mobile users who are not connected to the organization's network.

Statement of XCCDF Implementation

The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems and is the core element to the SCAP-expressed data stream. The specification also defines a data model and format for storing benchmark compliance testing results.

IBM is a leading provider of high-performance systems and security management software for organizations. One of the many features of the Security and Compliance product includes the ability to consume a SCAP-Expressed data stream, which includes the XCCDF component, and translate the underlying configuration checks that are defined into TEM-compatible Fixlet messages. These Fixlet messages enable administrators to assess their computing assets against the SCAP defined configuration rules in real-time across one, thousands, or hundreds of thousands of endpoints regardless of location.

Once the SCAP-converted configuration rules are imported into the TEM Console, any system under TEM management control, whether on or off the managed network, can immediately begin assessing itself against the defined configuration rules. The results of those configuration checks are relayed to the TEM Console, where administrators can view the results and generate detailed reports on an individual system or on large groups of systems in the aggregate.

TEM also provides the ability to export the results of the configuration checks into the defined XCCDF report format, so that the organization can easily store those reports or send a report to another party.
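As an added illustration of what an XCCDF results export contains, the example below (not TEM's exporter and not taken from this statement) builds a minimal XCCDF TestResult document from a constructed set of rule results and reads it back to summarize the per-result counts and the score, which is what a receiving party would do with such a report. The XCCDF 1.2 namespace and element names, the flat scoring model with every rule at the default weight of 1.0, and all ids, hostnames and timestamps are assumptions or constructed values.

```python
"""Write and read a minimal XCCDF TestResult document (added example, not TEM's exporter).

Assumptions: the XCCDF 1.2 namespace and element names; the flat scoring model
(urn:xccdf:scoring:flat) with every rule at the default weight 1.0, where pass and
fixed add to the score, fail and error count toward the maximum only, and the other
result values are left out of both; all ids, the hostname and the timestamp are
constructed for the example.
"""
from collections import Counter
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}
ET.register_namespace("xccdf", XCCDF_NS)

VALID_RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
                 "notchecked", "notselected", "informational", "fixed"}
SCORED_PASS = {"pass", "fixed"}
SCORED_FAIL = {"fail", "error"}

# Constructed sample results keyed by made-up rule ids.
SAMPLE_RESULTS = {
    "xccdf_example_rule_firewall_enabled": "pass",
    "xccdf_example_rule_guest_account_disabled": "fail",
    "xccdf_example_rule_screen_lock_timeout": "pass",
    "xccdf_example_rule_ipv6_disabled": "notapplicable",
}


def _tag(name: str) -> str:
    """Qualify an element name with the XCCDF namespace."""
    return f"{{{XCCDF_NS}}}{name}"


def build_test_result(result_id: str, benchmark_href: str, target: str,
                      rule_results: dict, when=None) -> bytes:
    """Serialize rule_results ({rule_id: result}) as an XCCDF TestResult document."""
    when = when or datetime(2012, 9, 20, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    stamp = when.isoformat()
    root = ET.Element(_tag("TestResult"),
                      {"id": result_id, "start-time": stamp, "end-time": stamp})
    ET.SubElement(root, _tag("benchmark"), {"href": benchmark_href})
    ET.SubElement(root, _tag("target")).text = target
    passed = counted = 0
    for rule_id, result in rule_results.items():
        if result not in VALID_RESULTS:
            raise ValueError(f"{rule_id}: invalid result {result!r}")
        rr = ET.SubElement(root, _tag("rule-result"), {"idref": rule_id, "time": stamp})
        ET.SubElement(rr, _tag("result")).text = result
        if result in SCORED_PASS or result in SCORED_FAIL:
            counted += 1                     # weight 1.0 per scored rule
            passed += result in SCORED_PASS
    score = ET.SubElement(root, _tag("score"),
                          {"system": "urn:xccdf:scoring:flat", "maximum": str(float(counted))})
    score.text = str(float(passed))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def summarize_test_result(xml_bytes: bytes) -> dict:
    """Parse a TestResult and return its target, per-result counts, score and maximum."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _tag("TestResult"):
        raise ValueError(f"expected an XCCDF TestResult element, got {root.tag}")
    counts = Counter(rr.findtext("xccdf:result", namespaces=NS)
                     for rr in root.findall("xccdf:rule-result", NS))
    score = root.find("xccdf:score", NS)
    return {
        "target": root.findtext("xccdf:target", namespaces=NS),
        "counts": dict(counts),
        "score": float(score.text),
        "maximum": float(score.get("maximum")),
    }


if __name__ == "__main__":
    doc = build_test_result("xccdf_example_testresult_001", "example-benchmark.xml",
                            "ws-0001.example.test", SAMPLE_RESULTS)
    print(doc.decode())
    print(summarize_test_result(doc))
```

Keeping the per-rule results rather than only the score is what makes the exported report useful to the receiving party: the score summarizes the outcome, but the rule-result entries identify which checks failed on which target.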