Vendor Provided Validation Details - NCircle Configuration Compliance Manager 5.9.2

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. 

 

Statement of FDCC Implementation

In order for an FDCC-compliant host to be scanned, the following configuration changes must be made.

 

Ensure Remote Registry Service is running

The Remote Registry Service must be running in order to allow CCM to acquire information from the targeted host. This information is used to check compliance with the FDCC policy.

1. From the Start menu, select Control Panel.

2. From the Control Panel, select Administrative Tools.

3. From Administrative Tools, select Services.

4. Locate and click on the "Remote Registry" entry. Remote Registry should be started, and should be set to start automatically.

 

Set Firewall Exceptions

In order for CCM to connect to the target host, access must be granted via the firewall policies.

1. From the Start menu, select Run.

2. In the Run box, type "gpedit.msc". The Group Policy application appears.

3. Expand the Local Computer Policy entry.

4. Expand the Computer Configuration entry.

5. Expand the Administrative Templates entry.

6. Expand the Network Connections entry.

7. Expand the Windows Firewall entry. There are two entries: Domain Profile, and Standard Profile.

8. Double-click Domain Profile. A series of firewall policies appears.

9. Set "Windows Firewall: Do not allow exceptions" to Disable.

10. Set "Windows Firewall: Allow remote administration exception" to Enable.

11. Set "Windows Firewall: Allow file and printer sharing exception" to Enable.

12. Double-click Standard Profile. A series of firewall policies appears.

13. Set "Windows Firewall: Do not allow exceptions" to Disable.

14. Set "Windows Firewall: Allow remote administration exception" to Enable.

15. Set "Windows Firewall: Allow file and printer sharing exception" to Enable.

16. Close the Group Policy editor.

 

Set Local Account Token Filter Policy (Vista only)

It may be necessary to set the local account token filter policy when scanning Vista using the local administrator credentials.

1. From the Start menu, select the Search box.

2. In the Search box, type "regedit". The Registry Editor application appears.

3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

4. Create a new DWORD value named LocalAccountTokenFilterPolicy.

5. Set the value of LocalAccountTokenFilterPolicy to 1.

6. Close the Registry Editor.

 

Disable Simple File Sharing (XP only)

It may be necessary to disable Simple File Sharing when scanning Windows XP.

1. From the Start menu, select "My Computer".

2. From the menu bar, select "Tools" and then "Folder Options...".

3. Click on the "View" tab in the Folder Options dialog.

4. Uncheck "Use simple file sharing (Recommended)" in the list of Advanced Settings.

5. Click "Apply".
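The four prerequisites above can be audited in one pass before a scan is scheduled. The script below is an added example, not part of the vendor text or the CCM product; it is read-only and runs locally in an elevated PowerShell session on the target host. The registry locations are the ones the listed Group Policy settings and dialogs are known to write to; the vendor text names only the GUI paths, so they are assumptions here.

```powershell
# Added example (not vendor/CCM code): read-only audit of the scanning
# prerequisites. Registry paths are assumed from the policy settings named
# in the text, which itself only gives the GUI navigation.
$findings = New-Object System.Collections.ArrayList

function Add-Finding($Check, $Ok, $Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Check = $Check; Pass = [bool]$Ok; Detail = "$Detail" }))
}

function Get-RegValue($Path, $Name) {
    # Returns $null (rather than throwing) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Remote Registry service must be running and set to start automatically.
$svc = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
Add-Finding 'Remote Registry running'   ($svc.State -eq 'Running')  $svc.State
Add-Finding 'Remote Registry automatic' ($svc.StartMode -eq 'Auto') $svc.StartMode

# 2. Firewall policy for both profiles. An absent value means "Not Configured",
#    which the text does not accept, so it is reported as a failure.
$fwRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $p = "$fwRoot\$fwProfile"
    $noExc = Get-RegValue $p 'DoNotAllowExceptions'
    $admin = Get-RegValue "$p\RemoteAdminSettings" 'Enabled'
    $share = Get-RegValue "$p\Services\FileAndPrint" 'Enabled'
    Add-Finding "$fwProfile Do not allow exceptions = Disabled"        ($noExc -eq 0) $noExc
    Add-Finding "$fwProfile Remote administration exception = Enabled" ($admin -eq 1) $admin
    Add-Finding "$fwProfile File/printer sharing exception = Enabled"  ($share -eq 1) $share
}

# 3. and 4. Version-specific items: Vista reports 6.0, XP reports 5.1.
$ver = [version](Get-WmiObject Win32_OperatingSystem).Version
if ($ver.Major -eq 6 -and $ver.Minor -eq 0) {
    $ltfp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    Add-Finding 'LocalAccountTokenFilterPolicy = 1 (Vista)' ($ltfp -eq 1) $ltfp
}
if ($ver.Major -eq 5 -and $ver.Minor -eq 1) {
    # Simple File Sharing is stored as the LSA ForceGuest flag on XP (0 = off).
    $fg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'ForceGuest'
    Add-Finding 'Simple File Sharing disabled (XP)' ($fg -eq 0) $fg
}

$findings | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False points at the procedure above that still needs to be carried out on that host.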

 

Statement of SCAP Implementation   

nCircle CCM implements the SCAP standard by implementing Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Extensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL). Specifically, CCM parses OVAL and XCCDF files to import policies and relevant tests. These policies and tests are used to assess compliance of the hosts under consideration. As output, CCM can produce either an XCCDF-compliant report, or an HTML report derived from the XCCDF-compliant report.

The reports contain references to CCE entries (in the current format, and the v4 format) for each of the rule results. Where applicable, definition results list the OVAL reference, CVE references, and CPE references. Moreover, each target host has its operating system identified with a CPE reference. All CVE references have an external link to MITRE and to NVD. The link to NVD gives access to the CVSS score, calculated by NIST.

 

Statement of CVE Implementation  

nCircle CCM implements the CVE standard by displaying appropriate CVE identifiers with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "vulnerability". These CVE identifiers are extracted from the SCAP content imported by CCM, and are consequently updated whenever new SCAP content is released. CCM provides user access to this implementation via the following mechanism:

CCM is capable of creating an HTML report that is derived from the normal XCCDF output produced after an FDCC scan. For every definition result for which a CVE identifier is available, the CVE identifier is displayed within the report. Moreover, each CVE identifier is expressed as two links: the first leading to the MITRE site, and the second leading to the NVD site. These links are displayed irrespective of whether or not the vulnerability is actually present, as they are associated with definition results within the imported SCAP content.

 

Statement of CCE Implementation  

nCircle CCM implements the CCE standard by displaying appropriate CCE identifiers with every rule result, and with every definition result that has a Definition Class of "compliance". Both the current CCE identifier version (version 5) and the previous version (version 4) are displayed. These CCE identifiers are extracted from the SCAP content imported by CCM, and are consequently updated whenever new SCAP content is released. They are displayed regardless of whether the test is applicable to the targeted host or not. CCM provides user access to this implementation via the following mechanisms:

CCM produces an XCCDF-compliant report after FDCC scans. CCE identifiers are present in all relevant definition results, and can be extracted using XML parsing tools. CCM is capable of creating an HTML report that is derived from the normal XCCDF output produced after an FDCC scan. For every definition result for which a CCE identifier is available, the CCE identifier is displayed within the report.

 

Statement of CPE Implementation 

nCircle CCM implements the CPE standard by displaying appropriate CPE identifiers with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "inventory". These CPE identifiers are extracted from the SCAP content imported by CCM, and are consequently updated whenever new SCAP content is released. CCM provides user access to this implementation via the following mechanisms:

CCM produces an XCCDF-compliant report after FDCC scans. CPE identifiers are present in all relevant definition results. Moreover, the operating system of all targeted hosts, whenever the operating system can be identified, has an accompanying CPE identifier.

CCM is capable of creating an HTML report that is derived from the normal XCCDF output produced after an FDCC scan. For every definition result for which a CPE identifier is available, the CPE identifier is displayed within the report. Moreover, the operating system of all targeted hosts, whenever the operating system can be identified, is displayed with an accompanying CPE identifier.

 

Statement of CVSS Implementation 

nCircle CCM implements the CVSS standard by making use of the CVE identifiers displayed with every definition result for which such an identifier exists; these are predominantly definition results that have a Definition Class of "vulnerability". The CVE identifiers are extracted from the SCAP content imported by CCM, and are consequently updated whenever new SCAP content is released. CCM provides user access to this implementation via the following mechanism:

CCM is capable of creating an HTML report that is derived from the normal XCCDF output produced after an FDCC scan. For every definition result for which a CVE identifier is available, the CVE identifier is displayed within the report. Moreover, each CVE identifier is expressed as two links: the first leading to the MITRE site, and the second leading to the NVD site. The link leading to the NVD site displays the NIST-calculated CVSS score, and provides access to the CVSS vector and calculator. These links are displayed irrespective of whether or not the vulnerability is actually present, as they are associated with definition results within the imported SCAP content.

 

Statement of XCCDF Implementation

nCircle CCM implements the XCCDF standard by providing the capability of directly importing SCAP content. The SCAP content itself is composed of a bundle of XML files, some of which are in XCCDF-compliant format. CCM contains a validation routine that checks XCCDF files against schema documents, and reports any errors during the import process. In conjunction with OVAL files, CCM produces policies and the relevant tests, such as the FDCC policy, that can be run against targeted hosts. CCM provides user access to this implementation via the following mechanism:

As output, CCM is capable of producing an XCCDF-compliant report that can be used to verify the compliance of the targeted host with FDCC standards. As the report is an XML file, it can be processed via XSLT or other XML parsing tools. For example, CCM transforms the XCCDF report into an HTML report in order to improve the human-computer interface, as well as to provide links to relevant external data sources.



Statement of OVAL Implementation

nCircle CCM implements the OVAL standard by providing the capability of directly importing SCAP content. The SCAP content itself is composed of a bundle of XML files, some of which are in OVAL format. CCM contains a validation routine that checks OVAL files against schema documents, and reports any errors during the import process. In conjunction with XCCDF files, CCM produces policies and the relevant tests, such as the FDCC policy, that can be run against targeted hosts. CCM provides user access to this implementation via the following mechanisms:

As output, CCM is capable of producing an HTML report that can be used to verify the compliance of the targeted host with FDCC standards. This report displays the specific OVAL rule for each of the relevant definition results, and depending on the specific result, a link is also provided to MITRE's OVAL site, allowing users to view the OVAL definition.
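The CCE, XCCDF and OVAL statements above all rest on the same property of the XCCDF report: it is plain XML, so the CCE identifiers (both versions), rule results and OVAL definition references can be pulled out with ordinary XML tooling rather than read off the HTML rendering. The script below is an added example, not vendor or CCM code; its input is a constructed two-rule XCCDF 1.1 result fragment with made-up identifiers, standing in for a real CCM report.

```powershell
# Added example (not vendor/CCM code): list, per rule, the result, CCE v5/v4
# identifiers and the OVAL definition checked. The here-string is a constructed
# sample; for a real report use  [xml]$doc = Get-Content .\xccdf-results.xml
[xml]$doc = @"
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-result">
  <rule-result idref="sample-rule-1">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident>
    <ident system="http://cce.mitre.org/v4">CCE-0001</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/>
    </check>
  </rule-result>
  <rule-result idref="sample-rule-2">
    <result>fail</result>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:sample:def:2"/>
    </check>
  </rule-result>
</TestResult>
"@

# The document is namespaced, so XPath needs a prefix bound to the XCCDF URI.
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('cdf', 'http://checklists.nist.gov/xccdf/1.1')

function Get-Text($Node, $XPath) {
    $hit = $Node.SelectSingleNode($XPath, $ns)
    if ($hit) { $hit.InnerText } else { '' }
}

$rows = foreach ($rr in $doc.SelectNodes('//cdf:rule-result', $ns)) {
    $ref = $rr.SelectSingleNode('cdf:check/cdf:check-content-ref', $ns)
    New-Object PSObject -Property @{
        Rule   = $rr.GetAttribute('idref')
        Result = Get-Text $rr 'cdf:result'
        CCE5   = Get-Text $rr "cdf:ident[@system='http://cce.mitre.org']"
        CCE4   = Get-Text $rr "cdf:ident[@system='http://cce.mitre.org/v4']"
        OVAL   = $(if ($ref) { $ref.GetAttribute('name') } else { '' })
    }
}

$rows | Sort-Object Result | Format-Table Rule, Result, CCE5, CCE4, OVAL -AutoSize

# A failing rule with no CCE cannot be traced back to a configuration item.
$rows | Where-Object { $_.Result -eq 'fail' -and -not $_.CCE5 -and -not $_.CCE4 } |
    ForEach-Object { Write-Warning "Rule $($_.Rule) failed but has no CCE identifier" }
```

On the sample input the second rule is reported as failing without a CCE identifier, which is the case a compliance reviewer would want surfaced before trusting the HTML summary.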