Vendor Provided Validation Details - NetIQ® Secure Configuration Manager™ 5.8 SP2 (SCM 5.8.2)

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC/USGCB Implementation

Secure Configuration Manager provides a variety of options to perform FDCC/USGCB computer security assessments.  Secure Configuration Manager operates agentlessly, agent-based, or with any combination of the two.  In most cases, some modifications of the FDCC/USGCB configuration are required to perform these assessments.  For agentless operation, these modifications may differ depending on whether the computer is a member of an Active Directory Domain or is standalone.

Agent-Based Assessments

Secure Configuration Manager offers a listening agent that can be installed on computers.  This server communicates with the agent over a FIPS-199 compliant TLS tunnel.  The agent requires a single inbound port be available to accept communication from the Secure Configuration Manager Core server.   By default that port is TCP 1622, but it is configurable.  The host-based firewall on each computer must be properly configured to allow this inbound communication to occur.

Proxy Agent Assessments

The FDCC/USGCB configurations are slightly different between Windows XP and Windows Vista/Windows 7; therefore, the Secure Configuration Manager deviation requirements also differ slightly between the two.  For Windows XP computers that are members of an Active Directory Domain, no modifications to the FDCC/USGCB are required.  Standalone XP computers require an exception to the host-based firewall rules to permit file and print sharing on TCP port 445.  Opening this port enables Secutor Magnus to utilize Microsoft's built-in remote administration facilities to perform remote security assessment.

Like Windows XP, Microsoft Vista/Windows 7 also requires inbound TCP port 445 be permitted through the host-based firewall.  That is true for both Active Directory Domain members and standalone systems.  Each of these configurations also requires the Remote Registry service be started.  Unlike the Windows XP configuration, the Vista FDCC and Windows 7 USGCB configurations have this service disabled and stopped by default.  The Remote Registry service is used by Secure Configuration Manager to enumerate registry values that help determine the security posture of computers.  Finally, standalone Vista/Windows 7 systems require the registry value LocalAccountTokenFilterPolicy be added and set to "1".  By default, User Account Control (UAC) in Windows Vista/Windows 7 does not permit local Security Account Manager accounts to be used for remote administration.  Setting this registry value allows standalone Vista/Windows 7 computers to be remotely administered and assessed.

Statement of SCAP Implementation  

Secure Configuration Manager leverages the ThreatGuard assessment engine to perform fast and accurate SCAP assessments. Secure Configuration Manager is built around support for the Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard. This gives regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past. The guidance is written in the standard format and passed to security products for automated processing and reporting: common input and common output. The ThreatGuard engine includes support for all six protocols. It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure all rules are accurately and appropriately reflected in Secure Configuration Manager. The SCAP standard references are visible in the interface, reports, and export files.

Statement of CVE Implementation  

NetIQ Secure Configuration Manager includes support for Common Vulnerabilities and Exposures (CVE) names. CVE provides standardized references to known vulnerabilities.  This unique identifier provides a common way to refer to vulnerabilities. CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items. Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches.

Secure Configuration Manager includes support for CVE names through sets of policy templates that collect security checks for individual CVE bulletins by the years in which they were originally published. These vulnerability policy templates are published on the NetIQ AutoSync update service Web site that Secure Configuration Manager can automatically access.

There is a set of eight vulnerability policy templates for Windows platforms and a similar set of eight for UNIX platforms that cover vulnerabilities from 2007 to 2011. Four policy templates of each set are collections of security checks for high-severity CVE bulletins for a given year and have names like NetIQ High Severity Windows Vulnerabilities for 2011 or NetIQ High Severity UNIX Vulnerabilities for 2009. The other four policy templates of each set are collections of security checks for medium- or low-severity CVE bulletins for a given year. These have names like NetIQ Medium and Low Severity Windows Vulnerabilities for 2010.

When downloaded, these vulnerability policy templates can be found in the Secure Configuration Manager console in the tree pane view under Security Knowledge > Policy Templates > Bulletins. The CVE bulletins covered by individual vulnerability policy templates are displayed in this console view when a template is selected. More information about CVE bulletins, including a vulnerability description, CVSS Base Score, and CVSS Vector, can be displayed by the Template Details button when a vulnerability policy template is opened in the Policy Template Wizard. The Template Details document also provides hyperlinks to more CVE bulletin information available on the National Vulnerability Database Web site.

For more information about using the AutoSync update service or running policy templates, see the User Guide for Secure Configuration Manager.

When you run a vulnerability policy template against Windows or UNIX endpoints, the security checks contained within the policy template determine whether the vulnerability conditions described by the CVE bulletins are applicable to the environment. If a bulletin applies to the environment, the security check then determines whether the vendor patches that address the vulnerability have been applied to the system.

Statement of CCE Implementation 

Secure Configuration Manager includes support for Common Configuration Enumeration (CCE) references. CCE provides a standard notation and reference to configuration settings.  The SCAP data stream contains CCE tags in the XCCDF documents.  NetIQ generates Secure Configuration Manager assessment templates directly from the SCAP data stream, raising the CCE references from the SCAP content to populate user interfaces, reports, and exports.  In addition, Secure Configuration Manager includes a search feature that allows users to search the system and results for a given CCE number. By including CCE references in the SCAP content and consuming them into Secure Configuration Manager, it is possible to easily compare very specific configuration settings across systems.

By including CCE references in the content, SCAP supports a wide range of comparison possibilities.  Configuration items can be tracked and compared across multiple systems using any combination of SCAP compatible tools.  Magnus fully supports the concept of interoperability by simply processing the SCAP content as intended.

Statement of CPE Implementation 

Secure Configuration Manager includes automated support for the Common Platform Enumeration (CPE) standard. CPE provides a standard notation and reference to operating systems and applications. An operating system can be referred to in different ways, such as "Windows XP" or "Microsoft Windows XP".  CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7", enabling products to share SCAP results without pre-coordinating operating system and application references.  The SCAP data stream also uses CPE to specify the operating system to which a benchmark applies.  Secure Configuration Manager processes this CPE content to automatically determine whether a selected SCAP template applies to the selected assessment target.

The SCAP data stream provides OVAL-based checks that precisely determine whether or not a benchmark applies to a network asset. Compatible tools can use these tests to decide whether or not to assess a benchmark. They can also use this check to filter the list of available benchmarks for a selected network asset. The Secure Configuration Manager/S-CAT solution returns an error for each security check sent to an endpoint to which it does not apply.
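The applicability decision described above can be shown in code. The following is an added example and not NetIQ or ThreatGuard code: it parses CPE 2.2 URIs of the form quoted in the text, applies the component-wise match in which a component the benchmark leaves unspecified acts as a wildcard, and filters a small catalogue of benchmarks for one target. The benchmark names and the target inventory are constructed for the demonstration; the CPE names themselves follow the CPE 2.2 URI layout (part, vendor, product, version, update, edition, language).

```python
"""Added example (not NetIQ or ThreatGuard code): CPE 2.2 URI parsing and the
component-wise match used to decide whether a benchmark's platform applies to a
target, then filtering a benchmark catalogue for one target."""
from urllib.parse import unquote

# The seven positional components of a CPE 2.2 URI (cpe:/part:vendor:product:...).
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"o", "a", "h"}   # operating system, application, hardware


def parse_cpe(uri):
    """Split a CPE 2.2 URI into a 7-tuple. Omitted or empty components become
    None ('unspecified'); percent-encoding is decoded and case is folded."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components in {uri!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    parsed = tuple(unquote(f).lower() if f else None for f in fields)
    if parsed[0] not in VALID_PARTS:
        raise ValueError(f"unknown CPE part in {uri!r}")
    return parsed


def cpe_matches(benchmark_cpe, target_cpe):
    """True when every component the benchmark specifies equals the target's.
    Components the benchmark leaves unspecified act as wildcards, so
    cpe:/o:microsoft:windows_xp covers every Windows XP service pack."""
    return all(b is None or b == t
               for b, t in zip(parse_cpe(benchmark_cpe), parse_cpe(target_cpe)))


def applicable_benchmarks(benchmarks, target_cpes):
    """Filter a {benchmark name: platform CPE} catalogue to those that apply to a
    target described by one or more CPE names (its OS plus installed applications)."""
    return sorted(name for name, platform in benchmarks.items()
                  if any(cpe_matches(platform, t) for t in target_cpes))


# Constructed catalogue and target inventory for the demonstration; the benchmark
# names are placeholders, not the names of actual SCAP templates.
SAMPLE_BENCHMARKS = {
    "FDCC Windows XP": "cpe:/o:microsoft:windows_xp",
    "USGCB Windows 7": "cpe:/o:microsoft:windows_7",
    "FDCC IE7": "cpe:/a:microsoft:ie:7",
}
# Target: Windows XP SP3 (empty version, update "sp3") with IE 7 installed.
SAMPLE_TARGET = ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/a:microsoft:ie:7"]

if __name__ == "__main__":
    print(applicable_benchmarks(SAMPLE_BENCHMARKS, SAMPLE_TARGET))
```

A tool that filters its benchmark list this way never sends a Windows 7 check to a Windows XP host in the first place, which is the alternative to the per-check error the text describes for non-applicable endpoints.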

Statement of CVSS Implementation 

The Secure Configuration Manager/S-CAT solution provides support for the Common Vulnerability Scoring System (CVSS). CVSS represents a standardized approach to measuring the impacts of IT vulnerabilities. Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities. The CVE bulletins covered by the vulnerability policy templates published on the AutoSync service for Secure Configuration Manager include the CVSS score and vector in the HTML document associated with each vulnerability policy template.  These HTML documents can be viewed either from the Secure Configuration Manager AutoSync Wizard or from the Policy Template Wizard once the CVE-based policy templates are downloaded from the AutoSync service.

The SCAP data stream currently uses a flat scoring methodology, giving all compliance checks the same level of importance (weight).  These weights are compatible with CVSS scoring.  NIST, through their National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each CCE compliance item.  That functionality will enable the Secure Configuration Manager/S-CAT solution to provide a more informative view of the relative impact of misconfiguration issues.
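Two points from the CCE and CVSS statements above can be made concrete together: raising CCE references out of the XCCDF document (the basis of a search by CCE number) and the effect of the flat rule weights on the XCCDF default score compared with weights derived from a CVSS score per CCE. The following is an added example and not NetIQ or ThreatGuard code. It assumes the XCCDF 1.1 namespace and the `http://cce.mitre.org` ident system, embeds a constructed benchmark whose rule ids and CCE numbers are placeholders, and implements the `urn:xccdf:scoring:default` model flattened to the rule level (group nesting is ignored, which is an assumption of this example, as is the treatment of error and unknown results as scoring zero).

```python
"""Added example (not NetIQ or ThreatGuard code): read CCE references and rule
weights out of an XCCDF 1.1 benchmark, then score a TestResult with the XCCDF
default scoring model, once with flat weights and once with weights taken
from a CVSS score attached to each rule's CCE."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"   # <ident system="..."> value used for CCE
NS = {"x": XCCDF_NS}

# Constructed sample benchmark: the rule ids and CCE numbers are placeholders
# and do not refer to real CCE entries or to any FDCC/USGCB content.
SAMPLE_XCCDF = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark id="sample-benchmark" xmlns="{XCCDF_NS}">
  <Rule id="rule-password-length" selected="true" weight="1.0">
    <title>Minimum password length</title>
    <ident system="{CCE_SYSTEM}">CCE-00001-1</ident>
  </Rule>
  <Rule id="rule-remote-registry" selected="true" weight="1.0">
    <title>Remote Registry service state</title>
    <ident system="{CCE_SYSTEM}">CCE-00002-2</ident>
  </Rule>
  <Rule id="rule-firewall-enabled" selected="true" weight="1.0">
    <title>Host firewall enabled</title>
    <ident system="{CCE_SYSTEM}">CCE-00003-3</ident>
  </Rule>
  <Rule id="rule-drive-encryption" selected="true" weight="1.0">
    <title>Drive encryption</title>
    <ident system="{CCE_SYSTEM}">CCE-00004-4</ident>
  </Rule>
  <TestResult id="sample-result">
    <rule-result idref="rule-password-length"><result>pass</result></rule-result>
    <rule-result idref="rule-remote-registry"><result>fail</result></rule-result>
    <rule-result idref="rule-firewall-enabled"><result>pass</result></rule-result>
    <rule-result idref="rule-drive-encryption"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_benchmark(xml_text=SAMPLE_XCCDF):
    """Parse an XCCDF document and return its root element."""
    return ET.fromstring(xml_text)


def cce_index(root):
    """Map each CCE reference to the rule ids that carry it; this is the lookup
    behind searching a benchmark or its results for a given CCE number."""
    index = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        for ident in rule.findall("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM and ident.text:
                index.setdefault(ident.text.strip(), []).append(rule.get("id"))
    return index


def rule_weights(root):
    """Rule weights as declared in the benchmark (the XCCDF default is 1.0)."""
    return {rule.get("id"): float(rule.get("weight", "1.0"))
            for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}


def rule_results(root, result_id):
    """Rule id -> result string for one TestResult element."""
    test_result = root.find(f"x:TestResult[@id='{result_id}']", NS)
    if test_result is None:
        raise KeyError(result_id)
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in test_result.findall("x:rule-result", NS)}


# Default model, flattened to rules (assumption: no group nesting). pass/fixed score
# 100, fail/error/unknown score 0; other results are excluded from the average.
RULE_SCORES = {"pass": 100.0, "fixed": 100.0, "fail": 0.0, "error": 0.0, "unknown": 0.0}


def default_score(results, weights):
    """Weighted average of the counted rule scores, rounded to two places."""
    numerator = denominator = 0.0
    for rule_id, result in results.items():
        weight = weights.get(rule_id, 1.0)
        if result not in RULE_SCORES or weight <= 0:
            continue   # notapplicable/notchecked/... and zero-weight rules do not count
        numerator += weight * RULE_SCORES[result]
        denominator += weight
    return round(numerator / denominator, 2) if denominator else 0.0


def cvss_weighted(weights, index, cvss_by_cce):
    """Replace a rule's flat weight with the CVSS score of its CCE, where one is
    known; rules without a CVSS entry keep their declared weight."""
    new_weights = dict(weights)
    for cce, rule_ids in index.items():
        if cce in cvss_by_cce:
            for rule_id in rule_ids:
                new_weights[rule_id] = cvss_by_cce[cce]
    return new_weights


def demo():
    """Return (flat score, CVSS-weighted score) for the constructed sample."""
    root = load_benchmark()
    results = rule_results(root, "sample-result")
    flat = default_score(results, rule_weights(root))
    # Constructed CVSS-style scores keyed by CCE (placeholders, not NVD data).
    cvss = {"CCE-00001-1": 2.0, "CCE-00002-2": 6.0, "CCE-00003-3": 2.0}
    weighted = default_score(results, cvss_weighted(rule_weights(root), cce_index(root), cvss))
    return flat, weighted


if __name__ == "__main__":
    print(cce_index(load_benchmark()))
    print(demo())
```

With flat weights the single failing rule costs one third of the score (two passes, one fail, one result excluded as not applicable). When the failing rule carries the heaviest CVSS-derived weight the same results produce a much lower score, which is the "more informative view of relative impact" the statement anticipates.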

Statement of OVAL Implementation 

Secure Configuration Manager includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard when processing the SCAP data streams by using the integrated ThreatGuard SCAP assessment engine. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check. The Secure Configuration Manager OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS.  Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed.  The assessment engine automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. The results of the OVAL checks are processed as part of the NetIQ-ThreatGuard integrated process, providing standardized end results to the user. OVAL definition IDs are displayed by the Secure Configuration Manager Results Viewer.

Statement of XCCDF Implementation 

Secure Configuration Manager includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF) through the integrated ThreatGuard SCAP assessment engine. XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check and is the primary protocol required to process the SCAP data stream. The compliance checklist content, like that developed by NIST for the Federal Desktop Core Configuration (FDCC/USGCB), is written in the standard XCCDF format. These files and the accompanying Open Vulnerability and Assessment Language (OVAL) files are included with the Secure Configuration Manager/S-CAT solution and are translated directly into Secure Configuration Manager assessment templates, which are then used by the assessment engine. OVAL specifies how to perform the checks specified by XCCDF. Secure Configuration Manager generates and displays assessment results in its graphical interface and reports.  A configuration change to Secure Configuration Manager will cause it to produce XCCDF results format files from the converted assessment templates.