Vendor Provided Validation Details - Shavlik Security Suite: Shavlik NetChk Configure (with SCAP Processor), Government Edition v.4.2.0 and Shavlik Security Suite: Shavlik NetChk Protect (with SCAP Processor), Government Edition v7.6.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

SCAP

The SCAP standard defines the use of a number of standardized data formats that together provide information technology and configuration control assessment capabilities on target platforms.  The standard uses these data formats together as a system that allows for standardized benchmarks or checklists of security configuration requirements.  First, the XCCDF data specification represents security checklists or benchmarks in a format that is well-structured and machine readable.  The OVAL data specification provides details or tests to assess the items required within the XCCDF format.  Using these two XML data formats, the Shavlik NetChk SCAP Processor digests an XCCDF file and creates a policy usable within the Shavlik NetChk Configure product and, when required by the benchmark, a patch list usable for scanning by Shavlik NetChk Protect, both based on a benchmark selected from within the XCCDF file.

At a more detailed level, the NetChk SCAP Processor uses the CCE identifiers found in the XCCDF benchmarks as a mapping to existing compliance checks within NetChk Configure which can be assessed or enforced.  In addition, other CCE items included in benchmarks required within the SCAP data feeds can be assessed or remediated using one or more custom checks built to the requirements of the individual CCE item.  Generally, the built-in checks use the XCCDF content for configuration into the policy file and the OVAL file provides additional details needed for these checks; the custom checks typically require further configuration details needed in OVAL files associated with the XCCDF file.  The NetChk SCAP Processor also uses the OVAL patch data, combined with a Shavlik patch mapping, associated with the XCCDF benchmarks, when defined, to construct a patch list for use by NetChk Protect.

Using this combination of built-in and custom checks in NetChk Configure, the full range of CCE items in an SCAP data feed (XCCDF benchmark) can be assessed or remediated on a target scan.  Further, when defined, NetChk Protect provides scanning for OVAL-defined vulnerabilities/patches that can be assessed or remediated on a target scan.  The NetChk SCAP Processor then uses the reported results from the NetChk Configure and NetChk Protect target scan to provide in- or out-of-compliance results reported against each CCE item or OVAL vulnerability/patch item associated with the SCAP benchmark.  CVE results are available within the NetChk SCAP Processor for patch assessment.  CVSS, the risk scoring system, is available with the use of the web-based calculator to determine scoring of CCE or CVE items.  The final SCAP data standard, CPE, is platform-based: it provides a common naming scheme used in the output results to identify the specific technology platforms assessed within the entire SCAP process against the XCCDF benchmark.

CVE

The CVE data specification provides a commonly understood identifier for specific software flaws/vulnerabilities on various technology platforms (e.g., Windows XP or Internet Explorer).  The Shavlik NetChk Configure SCAP Edition is the commercial off-the-shelf version of NetChk Configure plus a licensable module called the Shavlik NetChk SCAP Processor. The NetChk SCAP Processor uses the OVAL patch definitions associated with an SCAP benchmark and their related CVE identifiers to specifically map to patches found or missing.  Assessment for the presence of the required patches in an SCAP benchmark is done using Shavlik NetChk Protect.  The absence or presence of a patch then further indicates that CVE-identified vulnerabilities exist or do not exist on the scanned machine.  The patch information also uses the vendor's identifiers for the patch to match specific patches to those defined in the associated OVAL file.  Patch scan information is used by the NetChk SCAP Processor to assess the presence or absence of software flaws/vulnerabilities.  CVE items associated with these patches are called out in the reporting results in addition to the presence or absence of a patch.

Using the combination of configuration checks from Shavlik NetChk Configure SCAP Edition and CVE/patch-related results from Shavlik NetChk Protect, the full range of configuration requirements in an SCAP data feed (XCCDF benchmark) can be assessed or enforced.  The Shavlik NetChk SCAP Processor then uses the reported results from the Shavlik NetChk Configure and Shavlik NetChk Protect target scan to provide in- or out-of-compliance results reported against each item in the SCAP benchmark.

CCE

The CCE data specification provides a commonly understood identifier for specific configuration items on various technology platforms (e.g., Windows XP or Internet Explorer).  The Shavlik NetChk Configure SCAP Edition is the commercial off-the-shelf version of NetChk Configure plus a licensable module called the NetChk SCAP Processor. The NetChk SCAP Processor uses the SCAP benchmark CCE identifiers to specifically map to existing compliance checks that are part of Shavlik NetChk Configure, which then can assess or enforce these items.  Other CCE items included in benchmarks required within SCAP data feeds can be assessed or remediated using one or more custom checks built specifically to the requirements of the individual CCE item.

Using this combination of built-in and custom checks in Shavlik NetChk Configure, the full range of CCE items in an SCAP data feed (XCCDF benchmark) can be assessed or enforced.  The Shavlik NetChk SCAP Processor then uses the reported results from the Shavlik NetChk Configure target scan to provide in- or out-of-compliance results reported against each CCE item in the SCAP benchmark.

CPE

The CPE data specification provides a commonly understood identifier for specific technology platforms (e.g., Windows XP or Internet Explorer).  The Shavlik NetChk SCAP Processor uses the SCAP data feed and the included CPE identifiers to map to specific technology platforms.  The platforms and their associated CPE identifiers are specifically referenced within the SCAP data feeds and these identifiers are then used within the Shavlik NetChk SCAP Processor as the means to specifically identify the platforms within assessment results and any SCAP-required reporting details.

Using the platform CPE values from within the SCAP data feeds combined with the Shavlik NetChk Configure SCAP Edition provides the means to assess platforms correctly and then present proper results for these various platforms as assessed or remediated.  CPE values for assessed or remediated platforms are then included in the reporting results.  Benchmark requirements for specific assessed or remediated items can then be associated with the target, the platform, and specific item within the reported results.

CVSS

The CVSS (Common Vulnerability Scoring System) provides a commonly understood open framework to determine the impact and characteristics of vulnerabilities within information technology.  Scores using this methodology are currently only implemented and available for CVE (Common Vulnerability Enumeration) items.  The scores for these specific items can be located at the associated location on the National Vulnerability Database website using the naming scheme for each item, such as, for the vulnerability with CVE identifier CVE-2008-1436, http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1436.  Using CVE's common identifiers along with the scoring mechanisms for the impact of the vulnerability provides a powerful combination for assessing risks due to the vulnerability.  Even with the CVSS-related values presented for CVE items, other areas of impact, including environmental or temporal (time-related) scoring, can also be added using the CVSS calculators discussed below.

CVSS is currently undergoing development to incorporate scoring for CCE (Common Configuration Enumeration) items.  These are currently not available on the CVSS website, and cannot be searched or looked up the way the CVE database can.  Nonetheless, using scoring characteristics similar to those for CVE items, a user can currently compute a CVSS score for a CCE item using one of two calculators available for this purpose at:

http://nvd.nist.gov/cvss.cfm?calculator&version=2

or a more advanced version at:

http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

The calculation requires inputs for a number of metrics tied to three areas: base score, temporal score and environmental score.  These three areas create the final score that is associated with the vulnerability.  This is the scoring approach recommended for CVSS scores required for use with the Shavlik product.

XCCDF

The XCCDF data specification provides the means to represent security checklists or benchmarks in a format that is well-structured and machine readable.  Using this XML data format, the Shavlik NetChk SCAP Processor digests an XCCDF file and creates a policy usable in Shavlik NetChk Configure based on a benchmark within the XCCDF file.  The NetChk SCAP Processor uses the configuration identifiers found in the XCCDF benchmarks and maps those to existing built-in compliance checks that are part of the standard NetChk Configure product.  NetChk Configure then assesses or enforces these items.  Additional items included in benchmarks and required within the SCAP data feeds can be assessed or remediated using custom checks built to the requirements of the individual CCE item.  Generally, the built-in checks use the XCCDF content for configuration into the policy file; the custom checks may require configuration details contained in OVAL files associated with the XCCDF file.  Also, additional items may be included in the benchmark related to patches.  These items are typically included in an associated OVAL file, but results are used in combination with the configuration results to provide the complete benchmark requirements.

Using this combination of built-in and custom checks in NetChk Configure and any additional patch/vulnerability results from NetChk Protect that are related to the XCCDF benchmark, the full range of configuration/vulnerability items in the XCCDF file can be assessed or remediated.  The NetChk SCAP Processor then uses the reported results from the combined NetChk Configure and Shavlik NetChk Protect target scan to provide in- or out-of-compliance results reported against each configuration/vulnerability item in the SCAP benchmark.  Such reported results can then be output in the XCCDF data format.

OVAL

OVAL data is closely inter-related with the XCCDF data specification.  The XCCDF data specification represents security checklists or benchmarks in a format that is well-structured and machine readable.  The OVAL data specification then provides the details or tests to assess the items required within the XCCDF format.  Using these two combined XML data specifications, the Shavlik NetChk SCAP Processor digests an XCCDF file together with the OVAL tests, allows selection of an XCCDF benchmark, and creates a policy usable within Shavlik NetChk Configure and, when required by the benchmark, a patch list usable for scanning by Shavlik NetChk Protect.  The NetChk SCAP Processor uses the configuration identifiers defined within the XCCDF benchmarks combined with the OVAL data as a mapping to existing compliance checks in NetChk Configure that can assess or enforce these items.  Additional configuration items included in benchmarks and required within the SCAP data feeds can be assessed or remediated using one or more custom checks built to the requirements of the individual CCE item, using the OVAL content as further guidance.  Further, the NetChk SCAP Processor uses OVAL data combined with mapping Shavlik patch data to allow assessment of vulnerabilities or deployment of patches by NetChk Protect.

The full range of configuration items in the XCCDF file can be assessed or remediated using the combination of built-in and custom checks scanned by NetChk Configure as defined by the XCCDF benchmark and as configured based on OVAL content, and also using vulnerability/patch-related results from NetChk Protect.  The NetChk SCAP Processor then uses the reported results from the NetChk Configure target scan, and if needed, patch assessment results from the NetChk Protect scan, to provide in- or out-of-compliance results reported against each configuration item in the SCAP benchmark.
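The XCCDF and OVAL sections above describe one pipeline: read a benchmark, apply the selected profile, map each rule's CCE identifier to a built-in check or fall back to a custom check, split out the OVAL patch-class definitions into a patch list, and finally report a per-rule compliance result in XCCDF form. The following is an added example of that pipeline, not Shavlik's code and not real SCAP content: the benchmark, OVAL file, CCE identifiers, OVAL definition ids, CVE id and built-in check catalogue are all constructed placeholders, and the scan results fed to it are invented. It uses the XCCDF 1.1 and OVAL 5 namespaces and the standard `ident`, `check`, `check-content-ref`, `Profile/select` and `TestResult` elements.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.1}"                 # XCCDF 1.1 namespace
OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"     # OVAL 5 definitions namespace
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed minimal benchmark: rule ids, CCE ids and OVAL ids are placeholders, not real content.
XCCDF_DOC = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <Profile id="example-profile">
    <select idref="rule-pwlen" selected="true"/>
    <select idref="rule-audit" selected="false"/>
  </Profile>
  <Rule id="rule-pwlen" selected="false">
    <ident system="http://cce.mitre.org">CCE-0000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:1"/></check>
  </Rule>
  <Rule id="rule-guest" selected="true">
    <ident system="http://cce.mitre.org">CCE-0000-2</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:2"/></check>
  </Rule>
  <Rule id="rule-audit" selected="true">
    <ident system="http://cce.mitre.org">CCE-0000-3</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:3"/></check>
  </Rule>
  <Rule id="rule-patch" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:example:def:4"/></check>
  </Rule>
</Benchmark>"""

# Constructed OVAL file referenced by the benchmark; the CVE id is a placeholder.
OVAL_DOC = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1"/>
    <definition id="oval:example:def:2" class="compliance" version="1"/>
    <definition id="oval:example:def:3" class="compliance" version="1"/>
    <definition id="oval:example:def:4" class="patch" version="1">
      <metadata><reference source="CVE" ref_id="CVE-0000-0000"/></metadata>
    </definition>
  </definitions>
</oval_definitions>"""

# Constructed stand-in for a scanner's catalogue of built-in checks keyed by CCE.
BUILT_IN_CHECKS = {"CCE-0000-1": "MinimumPasswordLength"}


def selected_rules(xccdf_xml, profile_id):
    """Rules in effect: each Rule's own selected attribute, overridden by the Profile's select elements."""
    root = ET.fromstring(xccdf_xml)
    rules = {r.get("id"): r for r in root.iter(XCCDF + "Rule")}
    on = {rid: r.get("selected", "true") == "true" for rid, r in rules.items()}
    for prof in root.iter(XCCDF + "Profile"):
        if prof.get("id") == profile_id:
            for sel in prof.iter(XCCDF + "select"):
                on[sel.get("idref")] = sel.get("selected") == "true"
    out = []
    for rid, r in rules.items():
        if on[rid]:
            ident = r.find(f"{XCCDF}ident[@system='{CCE_SYSTEM}']")
            ref = r.find(f"{XCCDF}check/{XCCDF}check-content-ref")
            out.append({"rule": rid, "cce": None if ident is None else ident.text, "oval": ref.get("name")})
    return out


def oval_index(oval_xml):
    """Map OVAL definition id -> (class, CVE ids); class 'patch' marks patch definitions."""
    idx = {}
    for d in ET.fromstring(oval_xml).iter(OVAL + "definition"):
        cves = [x.get("ref_id") for x in d.iter(OVAL + "reference") if x.get("source") == "CVE"]
        idx[d.get("id")] = (d.get("class"), cves)
    return idx


def build_work(xccdf_xml, oval_xml, profile_id):
    """Split selected rules into a configuration policy (built-in or custom check per CCE) and a patch list."""
    idx = oval_index(oval_xml)
    policy, patches = [], []
    for item in selected_rules(xccdf_xml, profile_id):
        cls, cves = idx.get(item["oval"], (None, []))
        if cls == "patch":
            patches.append({"rule": item["rule"], "oval": item["oval"], "cves": cves})
        else:   # unknown CCE -> custom check driven by the OVAL definition
            check = BUILT_IN_CHECKS.get(item["cce"], "custom:" + item["oval"])
            policy.append({"rule": item["rule"], "cce": item["cce"], "check": check})
    return policy, patches


def evaluate(policy, patches, config_results, patch_results):
    """config_results: check name -> compliant?; patch_results: OVAL id -> patch present?"""
    res = {p["rule"]: "pass" if config_results.get(p["check"]) else "fail" for p in policy}
    res.update({p["rule"]: "pass" if patch_results.get(p["oval"]) else "fail" for p in patches})
    return res


def xccdf_test_result(profile_id, results):
    """Serialise per-rule outcomes as an XCCDF TestResult fragment."""
    ET.register_namespace("xccdf", XCCDF[1:-1])
    tr = ET.Element(XCCDF + "TestResult", {"id": "example-result"})
    ET.SubElement(tr, XCCDF + "profile", {"idref": profile_id})
    for rule, outcome in results.items():
        rr = ET.SubElement(tr, XCCDF + "rule-result", {"idref": rule})
        ET.SubElement(rr, XCCDF + "result").text = outcome
    return ET.tostring(tr, encoding="unicode")
```

In the constructed benchmark `rule-pwlen` is switched on and `rule-audit` switched off by the profile, `rule-guest` carries a CCE with no built-in check and so becomes a custom check, and `rule-patch` is routed to the patch list because its OVAL definition is of class `patch`; the two result dictionaries passed to `evaluate` play the role of the NetChk Configure and NetChk Protect scan outputs that the processor combines.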
