Vendor Provided Validation Details – Symantec's Control Compliance Suite Federal Toolkit, version 10.5

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of SCAP Implementation:

The Symantec Control Compliance Suite (CCS) is a fully automated enterprise solution designed to manage all aspects of IT risk and compliance at lower levels of cost and complexity.

The Security Content Automation Protocol (SCAP) is a suite of specifications whose combined use allows for a standardized and automatable format that all security products can communicate and share. The SCAP 1.0 specification is made up of six component specifications: eXtensible Configuration Checklist Description Format v1.1.4 (XCCDF), Open Vulnerability and Assessment Language v5.3 (OVAL), Common Platform Enumeration v2.2 (CPE), Common Configuration Enumeration v5 (CCE), Common Vulnerabilities and Exposures (CVE), and Common Vulnerability Scoring System v2 (CVSS). The Federal Desktop Core Configuration (FDCC) is an example of the SCAP specification in action and is a collection of SCAP data streams that contain security configurations that are mandated and enforced across all U.S. Federal Agencies.

The Symantec CCS Standards Module now includes a validated SCAP v1.0 component. CCS allows users to import valid SCAP v1.0 data stream content, evaluate applicable target assets, and report the results of those evaluations using the standardized XCCDF and OVAL XML results formats. In addition to the standard XML results, CCS also displays rich evaluation details and dashboards within the interface that go beyond the SCAP product requirements and allow users to track and manage all of the assets in their environment.

The CCS SCAP component includes a full featured workflow process around system exceptions that also includes specific support for FDCC exceptions (XCCDF overrides). The exception workflow includes the ability to define exception lists that can apply to one or more systems and one or more system checks. Exceptions can be defined to change the resulting values of checks or they can be defined to leave the values unchanged but provide justification for the result. In addition to all of this, the exception workflow includes a review and approval process to ensure that exceptions are managed appropriately across the environment.

The CCS SCAP component supports the following SCAP-defined Capabilities: FDCC Scanner, Authenticated Configuration Scanner, and Authenticated Vulnerability and Patch Scanner.

Statement of OVAL Implementation:

OVAL v5.3 (Open Vulnerability and Assessment Language) is a standardized language for storing computer configuration data, defining computer configuration analysis or checks, and reporting on the results of an analysis or check. OVAL is maintained and hosted by The MITRE Corporation (http://oval.mitre.org). The SCAP v1.0 specification requires that an SCAP compliance configuration benchmark use OVAL for both compliance definitions as well as the inventory checks within a CPE OVAL file. An SCAP compliance configuration benchmark may also contain a third OVAL Patch file that evaluates an asset for patch compliance. OVAL files can also be used to evaluate an asset independently and without the need for an SCAP data stream.

CCS supports both OVAL v5.3 as part of an SCAP v1.0 data stream, as well as stand-alone OVAL v5.3 definitions. CCS provides full support for OVAL definitions on Microsoft Windows XP and Vista systems (with additional platform support in future CCS releases). When importing SCAP data streams or stand-alone OVAL definition documents, the OVAL definition document(s) is validated against the official OVAL definition schema and schematron. Any errors in the validation process are reported to the user. After an SCAP data stream or stand-alone OVAL evaluation, CCS allows a user to export OVAL Thin or Full results.

Statement of XCCDF Implementation:

XCCDF v1.1.4 (eXtensible Configuration Checklist Description Format) is an XML specification and language that provides a common framework for developing security checklists, benchmarks, and other similar documents. The XCCDF specification and language (http://scap.nist.gov/specifications/xccdf) is maintained and hosted by the National Institute of Standards and Technology (NIST). The SCAP v1.0 specification requires that an SCAP compliance configuration benchmark use an XCCDF document to define the checklist or benchmark of an SCAP data stream.

CCS supports XCCDF v1.1.4 as part of an SCAP v1.0 data stream. The XCCDF and its contents form the basis from which most of the CCS user experience is drawn. When importing an SCAP data stream, the XCCDF document is validated against the official XCCDF schema and any errors in this process are reported to the user. XCCDF Profiles (a named tailoring of a benchmark and its Rules) are fully supported by CCS. When an XCCDF benchmark contains multiple profiles, all of the document's non-abstract profiles are imported at once and each can be selected and evaluated individually by the CCS user. After an SCAP data stream evaluation, CCS allows a user to export standard XCCDF as well as FDCC XCCDF results on demand.

Statement of CVSS Implementation:

CVSS v2 (Common Vulnerability Scoring System) is a standard defined by the Forum of Incident Response and Security Teams (FIRST) that defines methods for scoring and rating computer vulnerabilities (http://www.first.org/cvss). The National Vulnerability Database (NVD) defines and publishes CVSS base scores and vector strings for most known vulnerabilities. NVD publishes vulnerability summaries that provide detailed information that includes the CVSS base score and vector strings. These vulnerability summaries can be accessed using the CVE (Common Vulnerabilities and Exposures) identifier for a given vulnerability. NVD also regularly publishes NVD/CVE XML 2.0 data feeds that store similar information but in a schema-defined and machine-readable format.

CCS provides a link to NVD vulnerability summaries by way of the CVE identifier within the evaluation details of any SCAP evaluation. In addition, CCS provides the ability to import NVD/CVE XML 2.0 data feeds. This allows CCS users to store the CVSS base score and vector string data within the CCS database for later local access.

Statement of CPE Implementation:

Common Platform Enumeration v2.2 (CPE) is a combination of schemas and formats designed to provide a common naming scheme for computer systems, network devices, and software. CPE is maintained and hosted by The MITRE Corporation (http://cpe.mitre.org). The SCAP v1.0 specification requires that an SCAP compliance configuration benchmark contain a reference to applicable CPE names within the XCCDF benchmark, a CPE dictionary file that supports the referenced CPE names, and a CPE OVAL file that contains all necessary low-level OVAL inventory definitions to determine target applicability.

CCS includes support for CPE v2.2 as part of an SCAP v1.0 data stream. CCS supports the CPE naming scheme within imported SCAP data streams by identifying assets that are applicable to the SCAP data stream. CCS uses the SCAP data stream-provided CPE OVAL definitions to target and evaluate only those assets that are applicable to the SCAP data stream as defined by the SCAP data stream author. The CPE name is also viewable within the main CCS SCAP interface and within all of the SCAP XML results files.

Statement of CCE Implementation:

Common Configuration Enumeration v5 (CCE) is a standard that defines a common identification for computer security configuration issues and exposures and is maintained and hosted by The MITRE Corporation (http://cce.mitre.org). MITRE regularly updates the official CCE list in an XML format from the CCE page. The MITRE-provided CCE list provides all currently identified CCE identifiers, a description, and references for more information.

CCS provides the CCE identifiers referenced by the imported SCAP data stream or stand-alone OVAL content within the evaluation details of an SCAP or OVAL evaluation. The CCS SCAP evaluation details interface allows the user to search asset or evaluation results using specific CCE identifiers. In addition, CCS provides the ability to import the official CCE v5 XML list provided by MITRE. This allows CCS users to store the details of a CCE within the CCS database for later local access. After an evaluation, the standard XCCDF results documents are exportable for all applicable assets and these documents will contain the CCE identifiers within the TestResults section of the XCCDF results document. Finally, an FDCC-specific human-readable output, as required by the FDCC program, allows the user to export a simple two-column CSV-formatted file that lists all of the CCE identifiers followed by their evaluation result.
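As an added illustration (not CCS code and not part of the vendor statement), the following parses a constructed XCCDF 1.1.4 TestResult fragment, reads each rule-result's CCE identifiers and result, notes where an XCCDF override (the form an FDCC exception takes in the results, as described in the SCAP statement above) changed the recorded result, and emits the two-column CCE/result CSV described here. The rule ids and CCE numbers in the sample are placeholders.

```python
import csv
import io
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # namespace used by XCCDF 1.1.4
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed TestResult fragment in XCCDF 1.1.4 form; rule ids and CCE numbers are placeholders.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-result">
  <rule-result idref="rule-min-password-length"><result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident></rule-result>
  <rule-result idref="rule-firewall-no-exceptions"><result>pass</result>
    <override time="2010-01-01T00:00:00" authority="CCS exception workflow">
      <old-result>fail</old-result><new-result>pass</new-result>
      <remark>Remote administration exception required by the RMS Query Engine</remark>
    </override>
    <ident system="http://cce.mitre.org">CCE-0000-2</ident></rule-result>
  <rule-result idref="rule-without-cce"><result>fail</result></rule-result>
</TestResult>"""

def _q(tag):
    return "{%s}%s" % (XCCDF_NS, tag)

def parse_rule_results(xml_text):
    """One dict per rule-result: rule id, recorded result, CCE ids, and the pre-override result if any."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(_q("rule-result")):
        overrides = rr.findall(_q("override"))
        rows.append({
            "idref": rr.get("idref"),
            "result": rr.findtext(_q("result")),
            "cce": [i.text.strip() for i in rr.findall(_q("ident")) if i.get("system") == CCE_SYSTEM],
            "old_result": overrides[-1].findtext(_q("old-result")) if overrides else None,
        })
    return rows

def fdcc_cce_csv(rows):
    """Two-column 'CCE,result' CSV like the FDCC human-readable output described above.
    Rules carrying no CCE id are skipped; a rule with several ids produces one line per id."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        for cce in row["cce"]:
            writer.writerow([cce, row["result"]])
    return buf.getvalue()

def overridden_rules(rows):
    """Rule ids whose recorded result was changed by an exception (XCCDF override)."""
    return [r["idref"] for r in rows if r["old_result"] and r["old_result"] != r["result"]]
```

Reviewing the list returned by `overridden_rules` alongside the CSV shows which "pass" entries rest on an approved exception rather than on the target's actual configuration.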

Statement of CVE Implementation:

Common Vulnerabilities and Exposures (CVE) is a standard that defines a common identification and dictionary for computer and information security vulnerabilities and is maintained and hosted by The MITRE Corporation (http://cve.mitre.org). The National Vulnerability Database (NVD) publishes vulnerability summaries that provide detailed information for most known computer and information security vulnerabilities. These vulnerability summaries can be accessed using the CVE (Common Vulnerabilities and Exposures) identifier for a given vulnerability. NVD also regularly publishes NVD/CVE XML 2.0 data feeds that store similar information but in a schema-defined and machine-readable format.

CCS provides the CVE identifiers referenced by the imported SCAP data stream or stand-alone OVAL content within the evaluation details of an SCAP or OVAL evaluation. Also within the evaluation details, CCS provides a link to NVD vulnerability summaries by way of the CVE identifier. The CCS SCAP data stream evaluation details allow the user to search asset or evaluation results for specific CVE identifiers. In addition, CCS provides the ability to import NVD/CVE XML 2.0 data feeds. This allows CCS users to store the details of a CVE within the CCS database for later local access.

Statement of FDCC Implementation:

The Symantec Control Compliance Suite (CCS) requires that some FDCC-defined settings be changed from their fully FDCC compliant configuration in order to properly evaluate and assess a target system.

Both Windows XP and Vista systems must have their firewalls configured to allow communication using the standard remote administration ports and programs. For the Windows XP and Vista firewalls, this can be easily accomplished using Windows Group Policy and setting "Windows Firewall: Do not allow exceptions" to Disabled and "Windows Firewall: Allow remote administration exception" to Enabled. For greater security, the latter exception should be defined with the IP address or addresses of the Symantec RMS Query Engines that will collect data from the target systems.

Windows XP and Vista targets that are not part of a domain and reside within a workgroup environment require that the security option setting "Network security: LAN Manager authentication level" be changed from "Send NTLMv2 Response Only\Refuse LM & NTLM" to "Send NTLMv2 Response Only\Refuse LM". This allows for NTLM authentication outside of a domain environment.

Windows Vista systems residing outside of a domain by default cannot be remotely administered because of User Account Control (UAC) remote restrictions. The registry DWORD value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy" must be created with a value of "1". For more information on this setting see http://support.microsoft.com/kb/951016 and http://support.microsoft.com/kb/942817.
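As an added check from the defender's side (not part of CCS or of the vendor statement), the function below evaluates the three FDCC deviations described above against a mapping of HKLM registry values and reports anything still missing, including a remote administration exception that is open to any address instead of being scoped to the Query Engines. The firewall entries are the Group Policy-backed values of the Windows Firewall policy template (assumed paths), LmCompatibilityLevel 4 is "Send NTLMv2 response only\Refuse LM", and the sample values and Query Engine address are constructed.

```python
import sys

# HKLM paths behind the three settings described above; the firewall paths are the
# policy-template registry locations (assumed), LSA and UAC paths are standard.
FIREWALL = r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
UAC = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def check_ccs_prerequisites(values, query_engine_ips, workgroup=False, vista=False):
    """values maps 'key\\valuename' -> data (see read_registry). Returns findings; [] means ready."""
    findings = []
    if values.get(FIREWALL + r"\DoNotAllowExceptions", 0) != 0:
        findings.append("'Windows Firewall: Do not allow exceptions' must be Disabled")
    if values.get(FIREWALL + r"\RemoteAdminSettings\Enabled", 0) != 1:
        findings.append("'Windows Firewall: Allow remote administration exception' must be Enabled")
    else:  # the exception exists; it should be scoped to the RMS Query Engines, not '*'
        raw = str(values.get(FIREWALL + r"\RemoteAdminSettings\RemoteAddresses", "*"))
        scope = {s.strip() for s in raw.split(",")}
        if "*" in scope or not scope <= set(query_engine_ips):
            findings.append(f"remote administration exception scoped to {sorted(scope)}, "
                            f"expected only the Query Engines {sorted(query_engine_ips)}")
    if workgroup and values.get(LSA + r"\LmCompatibilityLevel") != 4:  # 5 = Refuse LM & NTLM (FDCC)
        findings.append("LmCompatibilityLevel must be 4 (Send NTLMv2 response only\\Refuse LM) outside a domain")
    if workgroup and vista and values.get(UAC + r"\LocalAccountTokenFilterPolicy") != 1:
        findings.append("LocalAccountTokenFilterPolicy DWORD must be 1 on a non-domain Vista target")
    return findings

# Constructed values for a workgroup Vista host that still carries the full FDCC hardening.
SAMPLE_WORKGROUP_VISTA = {
    FIREWALL + r"\DoNotAllowExceptions": 0,
    FIREWALL + r"\RemoteAdminSettings\Enabled": 1,
    FIREWALL + r"\RemoteAdminSettings\RemoteAddresses": "*",
    LSA + r"\LmCompatibilityLevel": 5,
}

def read_registry(paths):
    """Read the given HKLM 'key\\valuename' entries on a Windows host; missing ones are omitted."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for path in paths:
        key, _, name = path.rpartition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                out[path] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass
    return out
```

On a real target, pass `read_registry(SAMPLE_WORKGROUP_VISTA.keys() | {UAC + r"\LocalAccountTokenFilterPolicy"})` instead of the sample mapping; an absent "Do not allow exceptions" policy is treated as Disabled, so confirm the local firewall setting separately when the policy is Not Configured.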