Vendor Provided Validation Details - QualysGuard FDCC Module 1.2

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

 

Statement of OVAL Implementation

The Open Vulnerability and Assessment Language (OVAL) is used by the FDCC module to define and test system vulnerabilities, patches and configuration values. OVAL content consists of configuration and patch definitions. The FDCC module supports the OVAL 5.3 schema and will support subsequent versions. Users can import custom OVAL content for evaluation into their account through the user interface. The FDCC module interprets OVAL definitions using the OVAL Definition Interpreter (based on the OVAL 5.3 schema), executes scans remotely against target machines, and returns the OVAL test results for evaluation against XCCDF checklists and benchmarks.

After the remote scan completes successfully, users can run FDCC compliance reports that identify the OVAL references for each rule: the definitions of the actual tests executed, the objects and variables used, the OVAL states with their expected data types and values, and the OVAL test results for the referenced definitions and tests.

The FDCC Policy XML Report is an XCCDF result document which adheres to the XCCDF specification. The FDCC Policy XML Report constrains the portion of the XCCDF 1.1.4 specification dealing with XCCDF test results. The <check> element, a child of the <Rule> element, holds the OVAL specification for the rule.

The evidence section in the FDCC Individual Host Report and the FDCC Rule Pass/Fail Report includes OVAL information when evidence is requested in the report setup. The evidence content for each rule is displayed in a tree-like structure whose nodes represent the logic of the rule and the scan tests performed on each host.

 

Statement of CCE Implementation

Common Configuration Enumeration (CCE) Version 5 is used in the FDCC module to assign an identifier and description to known configuration issues. The CCE Version 5 information is extracted from the XCCDF SCAP 1.0 definition XML file (OVAL 5.3 schema) in the FDCC policy selected as input for the scan.

Once the scan is complete, users can view CCE information in the FDCC compliance reports.

The FDCC Policy XML Report is an XCCDF result document which adheres to the XCCDF specification. The FDCC Policy XML Report constrains the portion of the XCCDF 1.1.4 specification dealing with XCCDF test results. The <impact-metric> element, a child of the <Rule> element, associates a rule with a CCE identifier and CVSS information.

The special patches for FDCC scans are reported in the FDCC Individual Host Report when evidence is requested in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the "patches" file for the FDCC policy. For each CVE tested, the CVSS base score and the attack vector are displayed.

 

Statement of CPE Implementation

The FDCC module provides support for the Common Platform Enumeration (CPE) Version 2.2. CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
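The CPE 2.2 name format and name-matching behaviour this paragraph refers to, shown in an added example written for this page (it is not Qualys code and not the CPE reference implementation). The benchmark platform list and the target CPE string are constructed samples, not values taken from any real FDCC policy; matching follows the CPE 2.2 rule that an unspecified (empty) component in the platform name matches anything:

```python
from urllib.parse import unquote

# Component order of a CPE 2.2 URI:
#   cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
CPE22_PARTS = {"h": "hardware", "o": "operating system", "a": "application"}


def parse_cpe22(name):
    """Split a CPE 2.2 URI into its seven components.

    Trailing components may be omitted and any component may be empty; both
    mean "unspecified" and come back as "". Percent-encoded characters are
    decoded, and components are lower-cased because CPE names compare
    case-insensitively.
    """
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % (name,))
    comps = name[len("cpe:/"):].split(":")
    if len(comps) > len(CPE22_FIELDS):
        raise ValueError("too many components in %r" % (name,))
    comps += [""] * (len(CPE22_FIELDS) - len(comps))
    parsed = {field: unquote(value).lower() for field, value in zip(CPE22_FIELDS, comps)}
    if parsed["part"] not in CPE22_PARTS:
        raise ValueError("part must be h, o or a in %r" % (name,))
    return parsed


def cpe22_matches(platform, target):
    """CPE 2.2 name matching as used to decide whether a benchmark applies to a host.

    The (less specific) platform name matches the target name when every
    component of the platform is either unspecified or equal to the target's
    component. A target whose own component is unspecified cannot satisfy a
    platform that specifies it.
    """
    p, t = parse_cpe22(platform), parse_cpe22(target)
    return all(p[f] == "" or p[f] == t[f] for f in CPE22_FIELDS)


def applicable_platforms(benchmark_platforms, target):
    """Return the benchmark platform names that the scanned target satisfies."""
    return [plat for plat in benchmark_platforms if cpe22_matches(plat, target)]


# Constructed sample: platform names as a benchmark might list them, and the
# CPE string a scanner reported for one host. Not taken from any real FDCC policy.
SAMPLE_BENCHMARK_PLATFORMS = [
    "cpe:/o:microsoft:windows_xp::sp3",
    "cpe:/o:microsoft:windows_vista",
    "cpe:/a:microsoft:ie:7",
]
SAMPLE_TARGET_CPE = "cpe:/o:microsoft:windows_xp::sp3:professional"

if __name__ == "__main__":
    print(parse_cpe22(SAMPLE_TARGET_CPE))
    print(applicable_platforms(SAMPLE_BENCHMARK_PLATFORMS, SAMPLE_TARGET_CPE))
```

Run stand-alone, the script prints the parsed target and the single platform that applies to it; the Internet Explorer entry is rejected because its part (`a`) differs, and the Vista entry because its product differs.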

CPE is used by the FDCC module to align SCAP data streams and assessment results with the intended platforms. CPE values are imported from SCAP data streams and are used in conjunction with OVAL definitions and the scanner appliance.

Once the scan is complete, users can view CPE information in the FDCC Policy XML Report.

The FDCC Policy XML Report is an XCCDF result document which adheres to the XCCDF specification. The FDCC Policy XML Report constrains the portion of the XCCDF 1.1.4 specification dealing with XCCDF test results. The system information contains the target's NetBIOS hostname, the operating system actually detected, the operating system version as reported by the target, the CPE string, and the IP address of the target.

 

Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) identifiers are used in the FDCC module to associate each reported software patch with its corresponding CVE ID, for both missing and applied patches on the target system. The patch description and CVE ID information are extracted from the OVAL patches SCAP 1.0 definition XML file in the FDCC policy provided as input for the scan.

Once the scan is complete, users can view CVE information in the FDCC interactive reports.

The special patches for FDCC scans are reported in the FDCC Individual Host Report when evidence is selected in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the "patches" file for the FDCC policy. For each CVE tested, users can follow links to view information about the patch tested and its associated CVE ID definitions. The CVSS information associated with each CVE ID is also displayed, including the base score and the attack vector.

 

Statement of CVSS Implementation

The FDCC module updates CVSS scores for CVEs from the NVD website daily and saves the updates in the Security Operations Center (SOC) maintained by the service.

Once the scan is complete, users can view CVSS information in the FDCC compliance reports.

The CVSS base scores for rules are included in the FDCC Policy XML Report. This report is an XCCDF result document which adheres to the XCCDF specification. The FDCC Policy XML Report constrains the portion of the XCCDF 1.1.4 specification dealing with XCCDF test results. The CVSS base score for each rule is reported in the <impact-metric> element, a child of the <Rule> element.
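The XCCDF result-document structure that the OVAL, CCE, CPE and CVSS sections above describe (the `<check>` under each `<Rule>` pointing at an OVAL definition, the `<impact-metric>` carrying CVSS, the target system information in `<TestResult>`, and the per-rule `<rule-result>`) can be consumed with a short parser. The following is an added example written for this page, not Qualys code and not a real FDCC Policy XML Report. It assumes the XCCDF 1.1 namespace and the `<ident system="http://cce.mitre.org">` convention for CCE identifiers; the CCE value and the `target-facts` name used for the CPE string are placeholders, and the CVSS v2 base-score formula is applied when `<impact-metric>` holds a vector rather than a bare score:

```python
import xml.etree.ElementTree as ET

# Namespace of XCCDF 1.1.x documents (the revision the FDCC Policy XML Report follows).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
CCE_SYSTEM = "http://cce.mitre.org"  # assumed <ident system="..."> value for CCE identifiers

# CVSS v2 base-metric weights, from the CVSS v2 specification.
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": _CIA, "I": _CIA, "A": _CIA,
}


def cvss2_base_score(vector):
    """CVSS v2 base score from a base vector such as 'AV:L/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = dict(item.split(":", 1) for item in vector.split("/"))
    w = {k: CVSS2_WEIGHTS[k][metrics[k]] for k in CVSS2_WEIGHTS}  # KeyError on a malformed vector
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def impact_metric_score(text):
    """<impact-metric> content as a base score: accept a bare number or a CVSS v2 vector."""
    text = (text or "").strip()
    if not text:
        return None
    try:
        return float(text)
    except ValueError:
        return cvss2_base_score(text)


def parse_xccdf_results(xml_text):
    """Join each <Rule>'s OVAL check, CCE ident and CVSS with its <rule-result> per TestResult."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        ident = rule.find("x:ident[@system='%s']" % CCE_SYSTEM, NS)
        ref = rule.find("x:check/x:check-content-ref", NS)
        rules[rule.get("id")] = {
            "id": rule.get("id"),
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "cce": ident.text.strip() if ident is not None and ident.text else None,
            "oval_definition": ref.get("name") if ref is not None else None,
            "oval_href": ref.get("href") if ref is not None else None,
            "cvss_base": impact_metric_score(rule.findtext("x:impact-metric", namespaces=NS)),
        }
    reports = []
    for tr in root.findall("x:TestResult", NS):
        target = {
            "host": tr.findtext("x:target", default="", namespaces=NS),
            "address": tr.findtext("x:target-address", default="", namespaces=NS),
            "facts": {f.get("name"): (f.text or "").strip() for f in tr.findall("x:target-facts/x:fact", NS)},
        }
        rule_results = []
        for rr in tr.findall("x:rule-result", NS):
            entry = dict(rules.get(rr.get("idref"), {"id": rr.get("idref")}))  # unknown idref keeps its id only
            entry["result"] = rr.findtext("x:result", default="", namespaces=NS).strip()
            rule_results.append(entry)
        reports.append({"target": target, "rule_results": rule_results})
    return reports


# Constructed sample document (not an actual FDCC Policy XML Report). The CCE id is a
# placeholder and the target-facts name for the CPE string is assumed.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <Group id="account-policies">
    <Rule id="min-password-length" selected="true" weight="10.0">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
      <impact-metric>AV:L/AC:L/Au:N/C:P/I:P/A:P</impact-metric>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/>
      </check>
    </Rule>
    <Rule id="security-patches-up-to-date" selected="true" weight="10.0">
      <title>Security Patches Up-To-Date</title>
      <impact-metric>7.5</impact-metric>
    </Rule>
  </Group>
  <TestResult id="sample-result" end-time="2009-01-01T00:05:00">
    <target>WS-SAMPLE-01</target>
    <target-address>192.0.2.10</target-address>
    <target-facts>
      <fact name="urn:scap:fact:asset:identifier:cpe" type="string">cpe:/o:microsoft:windows_xp::sp3</fact>
    </target-facts>
    <rule-result idref="min-password-length"><result>pass</result></rule-result>
    <rule-result idref="security-patches-up-to-date"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    for report in parse_xccdf_results(SAMPLE_XCCDF):
        print(report["target"], report["rule_results"])
```

Each entry in `rule_results` pairs the evaluated outcome with the rule's OVAL definition reference, CCE identifier and CVSS base score, which is the join a reviewer needs to rank failed rules by score or to trace a result back to the OVAL test that produced it; rules without a `<check>` or `<ident>` come back with `None` in those fields rather than raising.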

The special patches for FDCC scans are reported in the FDCC Individual Host Report when evidence is requested in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the "patches" file for the FDCC policy. For each CVE tested, the CVSS base score and the attack vector are displayed.

CVSS base and temporal scores are also available in the user's account for all vulnerabilities in the Knowledgebase that have a CVE. Once the user is logged into the service, the Knowledgebase displays all the vulnerability information including CVE IDs, vendor specific references, and CVSS base and temporal scores. CVSS scores are also displayed in detailed vulnerability scan reports and the Host Information page (accessed via the Asset Search, Asset Groups and Host Assets sections).

 

Statement of SCAP Implementation

The Security Content Automation Protocol (SCAP) is a combination of six interoperable specifications for organizing and expressing security information in standardized ways. The SCAP specifications are open standards developed through community participation, including government organizations as well as non-profit organizations and businesses in the private sector. The open standards allow regulatory authorities and security administrators to construct guidance, which is encapsulated in the format prescribed by the specifications. The FDCC module imports the guidance in the form of FDCC policy files and evaluates hosts against the guidance using its automated scanning and reporting features.

The FDCC module is compatible with the SCAP Version 1.0 components CVE, CCE, CPE, CVSS, XCCDF and OVAL, and adheres to all of the component specifications. The eXtensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 specification determines which rules are checked. The Open Vulnerability and Assessment Language (OVAL) Version 5.3 specification determines how the tests for the rules are performed. The Common Vulnerabilities and Exposures (CVE) specification identifies the software patches, missing or applied, reported on systems. The Common Configuration Enumeration (CCE) Version 5 specification determines how an identifier and description are assigned to known configuration issues on systems. The Common Platform Enumeration (CPE) Version 2.2 specification determines how each host's platform name and description are assigned according to a generalized syntax for Uniform Resource Identifiers (URI).

The FDCC module validates the SCAP component content when it is imported as an FDCC policy, and references to the components are provided in the user interface, reports and export files.