Vendor Provided Validation Details - SCAP Compliance Checker 1.0 Beta 1
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:


Statement of SCAP Implementation:
SCAP (Security Content Automation Protocol) is a suite of standards used to determine the presence of vulnerabilities, patches and configuration issues on a target system. SCAP content consists of machine-readable XML files that contain configuration data, checklist data and the logic used to scan a system. The standards include CVE (Common Vulnerabilities and Exposures), CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language) and CVSS (Common Vulnerability Scoring System).

SCAP Compliance Checker processes SCAP content on a target system and produces HTML reports, XCCDF results and OVAL results. The HTML reports provide benchmark scores and information that a system administrator can use to make the target system more secure. The XCCDF results and OVAL results can be consumed by other tools in a variety of ways, since they are generated using the industry-standard XCCDF and OVAL results formats.

SCAP Compliance Checker reads in a SCAP stream, which includes XML files written in the XCCDF, OVAL and CPE Dictionary schemas. SCAP Compliance Checker then generates XML results files using the XCCDF and OVAL Results schemas. The HTML reports are generated by transforming the generated XCCDF and OVAL XML results files into human-readable output. This output contains detailed scoring and results information, as well as CVE, CCE and CPE identifiers.

SCAP Compliance Checker also validates SCAP streams against the industry-standard XCCDF and OVAL schemas. All output generated by SCAP Compliance Checker is validated as well.

SCAP Compliance Checker was designed specifically to process the FDCC SCAP content. This includes the Windows Firewall content (XP and Vista), the Internet Explorer 7 content, and the XP and Vista operating system content.

SCAP Compliance Checker currently implements SCAP version 1.0.

Statement of CVE Implementation:
The CVE standard (Common Vulnerabilities and Exposures) links unique identifiers with known security vulnerabilities and/or exposures. CVE identifiers are typically found in the OVAL patch definition content of a SCAP data stream. An OVAL patch definition may contain a reference element that associates the definition with a CVE identifier. Links to various websites containing more information about the vulnerability and/or exposure may also be provided in the reference element.

When the SCAP Compliance Checker processes a SCAP data stream against a target system, any CVE identifiers associated with entities in the stream will be found and provided in the results HTML files. In the SCAP Compliance Checker results HTML files, CVE identifiers can typically be found in the OVAL results HTML file for the patch content. Detailed information on each definition processed can be found in the Definitions section of the HTML file. For each definition, there is a "References" row that displays any CVE identifiers that are associated with the definition. In addition to the CVE identifier, if a link was available in the OVAL patch definition content then a link will be available in the "References" row as well. This allows the user to gather more information on the vulnerability and/or exposure.

When SCAP Compliance Checker finds a CVE identifier, it also creates a link in the "References" row to the NVD (National Vulnerability Database) page for that CVE. From that page the user can determine the impact of a particular CVE from its CVSS impact metrics, and can prioritize the vulnerabilities found by comparing their scores with each other.


Statement of CCE Implementation:
The CCE standard (Common Configuration Enumeration) links unique identifiers with known system configuration issues.

When the SCAP Compliance Checker processes a SCAP data stream against a target system, any CCE identifiers associated with Rules and/or definitions in the stream will be found and provided in the results HTML files. CCE identifiers are typically found in both the OVAL definition content and the XCCDF content of a SCAP data stream: an OVAL definition may contain a reference element that associates the definition with a CCE identifier (a link to the NVD page with more information about the system configuration issue may also be provided in the reference element), and an XCCDF Rule may contain an ident element that associates the Rule with a CCE identifier.

In the OVAL results HTML files, detailed information on each definition processed can be found in the Definitions section. For each definition, there is a "References" row that displays any CCE identifiers associated with the definition. If a link was available in the OVAL definition content, it is shown in the "References" row as well, so the user can gather more information on the system configuration issue.

In the XCCDF results HTML file, detailed information on each Rule processed can be found in the Verbose Results section. For each Rule, there is an "Identities" row that displays any CCE identifiers associated with the Rule.

SCAP Compliance Checker currently implements CCE version 5.0.


Statement of CPE Implementation:
The CPE standard (Common Platform Enumeration) is a structured naming scheme for hardware, operating systems and applications. It allows different tools to specify names for IT platforms in a consistent way. The XCCDF file included in a typical SCAP data stream contains one or more platform elements. The platform element contains a CPE identifier that associates an XCCDF Benchmark, Rule or Group with a target platform. If the target system is not an instance of the CPE identifier specified in a platform element, then the XCCDF Benchmark, Rule, or Group associated with that platform element is not applicable to the target system and will not be processed.

In order to determine if the target system is an instance of a CPE identifier, SCAP Compliance Checker processes the CPE dictionary and the CPE OVAL content in the SCAP data stream. The CPE dictionary contains one or more CPE identifiers, each associated with an OVAL definition that resides in the CPE OVAL content. If SCAP Compliance Checker processes the OVAL definition and the definition returns a result of "true", then the target system is said to be an instance of the associated CPE identifier. A list of CPE identifiers that the target system is an instance of is compiled in this fashion from the CPE dictionary, then used when processing the XCCDF file. If the CPE identifier specified by a platform element in the XCCDF file is not in the compiled CPE instance list, then the Benchmark, Rule or Group associated with that CPE identifier is not applicable to the target system and will not be processed. Rules that are not applicable to the target system will have a result of "notapplicable".
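The applicability pass described above, as an added example that is not SCAP Compliance Checker code: a constructed CPE 2.0 dictionary whose check elements name OVAL definitions, a constructed XCCDF 1.1 benchmark with platform elements at Benchmark, Group and Rule level, and a dict standing in for the OVAL engine's per-definition true/false results. The only rule beyond the text is the assumed XCCDF platform inheritance: an item with no platform element of its own applies wherever its parent applies, and a Rule under an inapplicable Group is itself "notapplicable".

```python
import xml.etree.ElementTree as ET

CPE = "{http://cpe.mitre.org/dictionary/2.0}"
X = "{http://checklists.nist.gov/xccdf/1.1}"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed CPE dictionary: each cpe-item names the OVAL definition that
# decides whether the target is an instance of that platform.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_xp">
    <title>Microsoft Windows XP</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="cpe-oval.xml">oval:org.example.cpe:def:1</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista">
    <title>Microsoft Windows Vista</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="cpe-oval.xml">oval:org.example.cpe:def:2</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:ie:7">
    <title>Microsoft Internet Explorer 7</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="cpe-oval.xml">oval:org.example.cpe:def:3</check>
  </cpe-item>
</cpe-list>"""

# Constructed XCCDF benchmark with platform elements at three levels.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <platform idref="cpe:/o:microsoft:windows_vista"/>
  <Group id="group-vista-only">
    <platform idref="cpe:/o:microsoft:windows_vista"/>
    <Rule id="rule-uac"/>
  </Group>
  <Rule id="rule-ie7">
    <platform idref="cpe:/a:microsoft:ie:7"/>
  </Rule>
  <Rule id="rule-any-os"/>
</Benchmark>"""

# Stand-in for the OVAL engine (constructed): the target is Windows XP with
# IE 7 installed, so only the Vista definition evaluates false.
OVAL_RESULTS = {"oval:org.example.cpe:def:1": True,
                "oval:org.example.cpe:def:2": False,
                "oval:org.example.cpe:def:3": True}


def cpe_instances(cpe_dict_xml, oval_results):
    """Set of CPE names whose OVAL check definition evaluated true."""
    found = set()
    for item in ET.fromstring(cpe_dict_xml).iter(CPE + "cpe-item"):
        for check in item.findall(CPE + "check"):
            if check.get("system") != OVAL_DEF:
                continue  # only OVAL-backed checks are understood here
            if oval_results.get(check.text.strip()) is True:
                found.add(item.get("name"))
    return found


def rule_applicability(benchmark_xml, instances):
    """Rule id -> True (applicable) or False (notapplicable).

    An item with platform elements applies if any idref is an instance;
    an item without platform elements inherits its parent's answer
    (assumed inheritance); a Rule needs every ancestor to apply too.
    """
    results = {}

    def walk(item, parent_ok):
        idrefs = [p.get("idref") for p in item.findall(X + "platform")]
        ok = parent_ok and (not idrefs or any(i in instances for i in idrefs))
        if item.tag == X + "Rule":
            results[item.get("id")] = ok
            return
        for child in item:
            if child.tag in (X + "Group", X + "Rule"):
                walk(child, ok)

    walk(ET.fromstring(benchmark_xml), True)
    return results


def notapplicable_rules(benchmark_xml, cpe_dict_xml, oval_results):
    """Sorted ids of Rules that receive the XCCDF result "notapplicable"."""
    instances = cpe_instances(cpe_dict_xml, oval_results)
    applic = rule_applicability(benchmark_xml, instances)
    return sorted(rid for rid, ok in applic.items() if not ok)


if __name__ == "__main__":
    print("instances:", sorted(cpe_instances(CPE_DICT, OVAL_RESULTS)))
    print("notapplicable:", notapplicable_rules(BENCHMARK, CPE_DICT, OVAL_RESULTS))
```

With an empty OVAL result map (no CPE definition evaluates true) no Benchmark-level platform matches, so every Rule comes out "notapplicable"; that is the behaviour to expect when CPE OVAL content is missing or fails, and it is easy to mistake for a clean scan.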


Statement of CVSS Implementation:
The CVSS standard (Common Vulnerability Scoring System) is a system used to assign scores to vulnerabilities. By assigning a score to a vulnerability, one can determine its relative severity when compared to other vulnerabilities.

SCAP Compliance Checker does not currently support CVSS; support is planned for a future version. When it is added, the HTML reports that SCAP Compliance Checker generates will include CVSS scores, allowing an organization to quickly compare the impact of one vulnerability or configuration issue with another and prioritize remediation accordingly.

At the moment, SCAP Compliance Checker maps CVE identifiers to CVSS impact metrics only indirectly, through links to NVD. In the SCAP Compliance Checker results HTML files, CVE identifiers can typically be found in the OVAL results HTML file for the patch content: the Definitions section lists each definition processed, and its "References" row displays any CVE identifiers associated with the definition, each linked to the NVD page for that CVE. From there the user can determine the impact of a particular CVE from its CVSS impact metrics and prioritize the vulnerabilities found by comparing their scores with each other.


Statement of XCCDF Implementation:
XCCDF (Extensible Configuration Checklist Description Format) is a language used for writing security checklists and benchmarks. SCAP Compliance Checker loads XCCDF content from a SCAP stream and determines if the Rules specified by the XCCDF content are satisfied by a target system.

SCAP Compliance Checker validates XCCDF content, imports it and allows the user to select a profile from the content. Rules are automatically selected and unselected based on the profile the user selects.

The SCAP stream's CPE dictionary and its associated OVAL definitions are then processed to determine which XCCDF Rules are applicable to the target system. Rules that are found to be inapplicable to the target system based on CPE identifiers are automatically unselected.

SCAP Compliance Checker then traverses the XCCDF content, processing all selected XCCDF Rules against the target system. Scores are calculated using all four XCCDF 1.1.4 scoring models: default, flat, flat-unweighted and absolute.

A benchmark results XML document is generated using the XCCDF Results schema. This results file is then transformed into an HTML report, along with more in-depth reports generated from the SCAP stream's OVAL content. The benchmark results XML document can be imported into other tools since it uses the industry-standard XCCDF Results schema.

SCAP Compliance Checker currently implements XCCDF version 1.1.4.


Statement of OVAL Implementation:
OVAL (Open Vulnerability and Assessment Language) is a language used to standardize the transfer of security content among different tools. SCAP Compliance Checker loads OVAL content in conjunction with an XCCDF checklist and processes the OVAL definition content against a target system.

SCAP Compliance Checker is able to process all four of OVAL's schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema.

The Definitions schema is used to define definitions that test a machine's state. This schema is used in SCAP streams to specify patch, vulnerability and configuration content. SCAP Compliance Checker imports OVAL Definitions files and processes the OVAL definitions against a target system.

The System Characteristics schema is used to store data collected from a system. SCAP Compliance Checker uses Object data from OVAL Definitions content and generates System Characteristics data that is later used for testing purposes. This data is stored in an XML file using the OVAL System Characteristics schema.

The Results schema takes State data from OVAL Definitions content along with System Characteristics data and produces Definition and Test results. These results are stored in an XML file that follows the OVAL Results schema. SCAP Compliance Checker then transforms this XML file and produces human readable HTML report documents.

The Variables schema is used to import external variable data into the OVAL engine during processing of an OVAL definition. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing.
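The Variables export described above, together with the profile-driven Rule selection from the XCCDF section, as an added example that is not SCAP Compliance Checker code. It reads a constructed XCCDF 1.1 fragment in which a Rule's check carries check-export elements, Values offer selector-tagged alternatives and a Profile picks one with refine-value, then emits an OVAL 5.4 oval_variables document. The XCCDF-type to OVAL-datatype mapping and the fixed generator timestamp are the author's assumptions.

```python
import xml.etree.ElementTree as ET

X = "{http://checklists.nist.gov/xccdf/1.1}"
VARS = "http://oval.mitre.org/XMLSchema/oval-variables-5"
COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
# XCCDF Value @type -> OVAL variable @datatype (author's assumption).
DATATYPE = {"number": "int", "string": "string", "boolean": "boolean"}

# Constructed XCCDF content: two Profiles, two Values, one Rule whose
# check exports both Values into OVAL variables.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="b">
  <Profile id="strict">
    <select idref="rule-min-pw" selected="true"/>
    <refine-value idref="val-min-pw-len" selector="strict"/>
  </Profile>
  <Profile id="lenient">
    <select idref="rule-min-pw" selected="false"/>
  </Profile>
  <Value id="val-min-pw-len" type="number">
    <value>8</value>
    <value selector="strict">14</value>
  </Value>
  <Value id="val-guest-name" type="string">
    <value>Guest</value>
  </Value>
  <Rule id="rule-min-pw">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-export value-id="val-min-pw-len" export-name="oval:org.example:var:1"/>
      <check-export value-id="val-guest-name" export-name="oval:org.example:var:2"/>
      <check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
</Benchmark>"""


def _profile(root, profile_id):
    for prof in root.findall(X + "Profile"):
        if prof.get("id") == profile_id:
            return prof
    return None


def resolve_values(root, profile_id):
    """Value id -> (effective text, XCCDF type) after the profile's
    refine-value selectors.  An absent or unmatched selector falls back to
    the alternative that carries no selector attribute."""
    prof = _profile(root, profile_id)
    selectors = {} if prof is None else {
        rv.get("idref"): rv.get("selector") for rv in prof.findall(X + "refine-value")}
    resolved = {}
    for val in root.findall(X + "Value"):
        alts = {v.get("selector", ""): (v.text or "") for v in val.findall(X + "value")}
        chosen = alts.get(selectors.get(val.get("id"), ""))
        if chosen is None:
            chosen = alts.get("")
        resolved[val.get("id")] = (chosen, val.get("type", "string"))
    return resolved


def selected_rules(root, profile_id):
    """Rules in effect: the profile's <select> overrides each Rule's own
    selected attribute, which defaults to true in XCCDF."""
    prof = _profile(root, profile_id)
    overrides = {} if prof is None else {
        s.get("idref"): s.get("selected") == "true" for s in prof.findall(X + "select")}
    return [r for r in root.iter(X + "Rule")
            if overrides.get(r.get("id"), r.get("selected", "true") == "true")]


def exported_variables(benchmark_xml, profile_id):
    """{export-name: (value text, OVAL datatype)} for every check-export
    under a selected Rule; a dangling value-id is a content error."""
    root = ET.fromstring(benchmark_xml)
    values = resolve_values(root, profile_id)
    out = {}
    for rule in selected_rules(root, profile_id):
        for exp in rule.iter(X + "check-export"):
            if exp.get("value-id") not in values:
                raise ValueError("check-export references unknown Value %s" % exp.get("value-id"))
            text, xtype = values[exp.get("value-id")]
            out[exp.get("export-name")] = (text, DATATYPE.get(xtype, "string"))
    return out


def oval_variables_xml(exports, product="example-tool"):
    """Serialise the exports as an OVAL 5.4 oval_variables document."""
    ET.register_namespace("", VARS)
    ET.register_namespace("oval", COMMON)
    root = ET.Element("{%s}oval_variables" % VARS)
    gen = ET.SubElement(root, "{%s}generator" % VARS)
    ET.SubElement(gen, "{%s}product_name" % COMMON).text = product
    ET.SubElement(gen, "{%s}schema_version" % COMMON).text = "5.4"
    ET.SubElement(gen, "{%s}timestamp" % COMMON).text = "2008-01-01T00:00:00"  # constructed
    variables = ET.SubElement(root, "{%s}variables" % VARS)
    for name, (text, dtype) in sorted(exports.items()):
        var = ET.SubElement(variables, "{%s}variable" % VARS,
                            id=name, datatype=dtype, comment="exported from XCCDF")
        ET.SubElement(var, "{%s}value" % VARS).text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(oval_variables_xml(exported_variables(BENCHMARK, "strict")))
```

Selecting the "strict" profile exports 14 for oval:org.example:var:1, while any other profile exports the unselected default 8; the "lenient" profile deselects the Rule and exports nothing. The datatype on each variable must agree with the datatype the OVAL definition's state expects, so a tool that validates the generated variables file against the schema, as the text says this product does for all of its output, catches a Value whose type was refined to something the definition cannot compare.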

By using the industry-standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.

SCAP Compliance Checker currently implements OVAL version 5.4.