Vendor Provided Validation Details - Tripwire Enterprise

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Overview

Several of the detailed test requirements described in NIST Interagency Report 7511 Revision 2 pertain to documentation that will be published on the Web by NIST.  This document lists and satisfies those requirements.

Statement of FDCC Compliance

The Tripwire Enterprise (TE) SCAP FDCC Scanner requires firewall configuration changes on target hosts.  These changes should not affect a host's FDCC compliance level, assuming the TE Agent is approved for installation on the target, since that approval would also require the ports in question to be approved for opening on the target.  Also, the TE SCAP FDCC Scanner is unable to scan settings for an arbitrary user profile, due to the way Microsoft Windows operating systems are designed: the TE SCAP FDCC Scanner runs as a service under the SYSTEM user, so all registry assessments under HKEY_CURRENT_USER return "notchecked" and should be verified manually.

Tripwire Enterprise automates IT configuration control by combining best-in-class file integrity monitoring with comprehensive policy management to help organizations take control of their entire IT infrastructure. Tripwire Enterprise is an agent-based solution composed of a server, referred to as the Tripwire Enterprise Console, and an agent, referred to as the Tripwire Enterprise Agent.  Every target on which the TE Agent is installed requires ports 9898 and 8080 to operate correctly.  Port 9898 is used for secure RMI communications from the TE Console to the TE Agent, so an inbound firewall exception should be configured on this port.  Port 8080 is used by the TE Agent to download signed JAR files from the TE Console using standard HTTP, so an outbound firewall exception should be configured on this port.

Statement of XCCDF Implementation

The Tripwire Enterprise (TE) SCAP FDCC Scanner supports eXtensible Configuration Checklist Description Format (XCCDF) version 1.1.4 to the extent required of an SCAP-validated tool meeting FDCC Scanner requirements. XCCDF is an XML-format specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for a set of target systems.

Upon importing an FDCC bundle (which contains one XCCDF file), the TE SCAP FDCC Scanner validates the XCCDF file before importing all the concrete profiles it contains. The TE SCAP FDCC Scanner creates Tripwire Enterprise representations of the XCCDF Rules selected by the profiles being imported, and the profiles then become available for association with one or more target hosts. Users are not permitted to associate a profile with a host that does not match the CPE identifier found in the imported benchmark. Once associated, the user is then able to assess a given target system according to the rules selected from the XCCDF benchmark. Scores are calculated using a flat scoring calculation.

Once a system has been assessed, the user may export XCCDF results in the format required by an FDCC Scanner. Upon export, the user is able to load and review the XCCDF results with any software program capable of displaying XML content.

Statement of OVAL Implementation

The Tripwire Enterprise (TE) SCAP FDCC Scanner supports the Open Vulnerability and Assessment Language (OVAL) version 5.3 to the extent required of an SCAP-validated tool meeting FDCC Scanner requirements. OVAL is an information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across security tools and services.

The TE SCAP FDCC Scanner loads OVAL content as provided by an SCAP-expressed FDCC data stream. The OVAL implementation of the TE SCAP FDCC Scanner is limited to those OVAL elements expressed by the FDCC data stream, which represents a strict subset of the available OVAL elements specified in version 5.3. When loaded as part of an SCAP-expressed bundle, the OVAL content is transformed by the TE SCAP FDCC Scanner into a Tripwire Enterprise representation which is then capable of being executed on a given target host.

The TE SCAP FDCC Scanner provides an overview representation of each XCCDF Rule, including the constituent criteria of the appropriate OVAL definition. A comprehensive view of each OVAL definition is available by extracting the OVAL XML file from the imported FDCC bundle, or by exporting the FDCC results, either of which can then be viewed using any software program capable of displaying XML content.
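As an added illustration (not Tripwire's code, and not FDCC content), the following Python script shows how an OVAL 5.3 definition's criteria are combined from individual test results using the OVAL AND/OR result truth tables, and how a registry test against HKEY_CURRENT_USER, which a scanner running as SYSTEM cannot collect (the limitation described under "Statement of FDCC Compliance"), propagates upward as "not evaluated" and is reported as the XCCDF rule result "notchecked". The definition, test and object identifiers, the registry paths and the collected per-test results are all constructed placeholders; the ONE and XOR operators and test states are omitted to keep the example short.

```python
"""Added example (not Tripwire's code): evaluate OVAL 5.3 definitions from
per-test results with the OVAL AND/OR truth tables; registry tests under
HKEY_CURRENT_USER are forced to "not evaluated" to model a SYSTEM-service scanner."""
import xml.etree.ElementTree as ET

NS = {
    "d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "win": "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows",
}

# Constructed miniature OVAL document: ids and registry paths are placeholders,
# and the tests carry no states (only criteria evaluation is shown here).
OVAL_XML = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2"/>
          <criterion test_ref="oval:example:tst:3" negate="true"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:example:def:2" version="1" class="compliance">
      <criteria operator="AND">
        <extend_definition definition_ref="oval:example:def:1"/>
        <criterion test_ref="oval:example:tst:4"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <win:registry_test id="oval:example:tst:1" version="1" check="all"><win:object object_ref="oval:example:obj:1"/></win:registry_test>
    <win:registry_test id="oval:example:tst:2" version="1" check="all"><win:object object_ref="oval:example:obj:1"/></win:registry_test>
    <win:registry_test id="oval:example:tst:3" version="1" check="all"><win:object object_ref="oval:example:obj:1"/></win:registry_test>
    <win:registry_test id="oval:example:tst:4" version="1" check="all"><win:object object_ref="oval:example:obj:2"/></win:registry_test>
  </tests>
  <objects>
    <win:registry_object id="oval:example:obj:1" version="1"><win:hive>HKEY_LOCAL_MACHINE</win:hive><win:key>SOFTWARE\\Example</win:key><win:name>Setting</win:name></win:registry_object>
    <win:registry_object id="oval:example:obj:2" version="1"><win:hive>HKEY_CURRENT_USER</win:hive><win:key>Software\\Example</win:key><win:name>UserSetting</win:name></win:registry_object>
  </objects>
</oval_definitions>
"""

NEGATE = {"true": "false", "false": "true"}   # other results are unchanged by negate


def combine(operator, values):
    """OVAL 5.3 AND/OR combination; "not applicable" inputs are ignored unless
    every input is "not applicable". ONE and XOR are not supported here."""
    vals = [v for v in values if v != "not applicable"]
    if not vals:
        return "not applicable"
    if operator == "AND":
        if "false" in vals:
            return "false"
        if all(v == "true" for v in vals):
            return "true"
    elif operator == "OR":
        if "true" in vals:
            return "true"
        if all(v == "false" for v in vals):
            return "false"
    else:
        raise ValueError("operator %s not supported in this example" % operator)
    for fallback in ("error", "unknown", "not evaluated"):   # OVAL precedence order
        if fallback in vals:
            return fallback
    raise ValueError("unexpected result values: %r" % vals)


def uncollectable_tests(root):
    """Ids of tests whose registry_object lives under HKEY_CURRENT_USER."""
    hkcu_objects = {obj.get("id") for obj in root.iter("{%s}registry_object" % NS["win"])
                    if obj.findtext("win:hive", namespaces=NS) == "HKEY_CURRENT_USER"}
    return {test.get("id") for test in root.find("d:tests", NS)
            if test.find("win:object", NS) is not None
            and test.find("win:object", NS).get("object_ref") in hkcu_objects}


def evaluate_definitions(xml_text, collected):
    """Map each definition id to its OVAL result. `collected` is the result each
    test produced on the host; HKCU tests are overridden with "not evaluated"."""
    root = ET.fromstring(xml_text)
    skip = uncollectable_tests(root)
    defs = {d.get("id"): d for d in root.iter("{%s}definition" % NS["d"])}
    memo = {}

    def evaluate(node):
        tag = node.tag.split("}")[1]
        if tag == "criterion":
            ref = node.get("test_ref")
            result = "not evaluated" if ref in skip else collected.get(ref, "unknown")
        elif tag == "extend_definition":
            result = definition(node.get("definition_ref"))
        elif tag == "criteria":
            result = combine(node.get("operator", "AND"), [evaluate(c) for c in node])
        else:
            raise ValueError("unexpected element %s" % tag)
        return NEGATE.get(result, result) if node.get("negate") == "true" else result

    def definition(def_id):
        if def_id not in memo:
            memo[def_id] = evaluate(defs[def_id].find("d:criteria", NS))
        return memo[def_id]

    return {def_id: definition(def_id) for def_id in defs}


# OVAL definition result -> XCCDF rule result for a Rule that references it.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "error": "error", "unknown": "unknown",
                 "not evaluated": "notchecked", "not applicable": "notapplicable"}

# Constructed per-test results as a collector produced them on one host.
COLLECTED = {"oval:example:tst:1": "true", "oval:example:tst:2": "false",
             "oval:example:tst:3": "false", "oval:example:tst:4": "true"}

if __name__ == "__main__":
    for def_id, result in evaluate_definitions(OVAL_XML, COLLECTED).items():
        print(def_id, result, "->", OVAL_TO_XCCDF[result])
```

Running the script prints def:1 as true (pass) and def:2 as not evaluated (notchecked): the HKCU test's collected value is never consulted, which is exactly why such results must be verified manually rather than read as a pass or fail.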

Statement of CCE Implementation

The Tripwire Enterprise (TE) SCAP FDCC Scanner supports Common Configuration Enumeration (CCE) version 5.0 to the extent required of an SCAP-validated tool meeting FDCC Scanner requirements. CCE provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

The official FDCC data stream contains an XCCDF benchmark file which, in turn, contains specific rules describing the FDCC configuration requirements. These rules contain one or more CCE references. Such references may include CCE version 5.0 and CCE version 4.0 identifiers. When a user imports the FDCC data stream, the TE SCAP FDCC Scanner translates each XCCDF Rule into a Tripwire Enterprise representation for use by the TE SCAP FDCC Scanner. This translation includes the consistent and correct association of CCE references. CCE identifiers (CCE version 5.0 and version 4.0, when available) are displayed for each configuration issue. Users are able to search for a given configuration issue by CCE identifier (i.e. CCE name). Further, CCE references are maintained through the export of FDCC results. Upon export, the user is able to load and review the results (including CCE identifiers) with any software program capable of displaying XML content.
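The following Python script is an added example, not Tripwire's code or FDCC content, that ties together the XCCDF behaviour described under "Statement of XCCDF Implementation" (profile rule selection, CPE gating of profile assignment, flat scoring) with the CCE reference handling described in this section. It parses a constructed miniature benchmark (placeholder rule ids and CCE numbers, written in the CCE 5.0 "CCE-NNNNN-N" and CCE 4.0 "CCE-NNNN" shapes; the platform name cpe:/o:microsoft:windows_xp is a real CPE 2.2 name used only as sample data), resolves which rules a profile selects, checks whether a host's CPE name may use the profile, finds rules by CCE identifier, and computes a flat score from constructed rule results in which one HKEY_CURRENT_USER rule is "notchecked". The CPE matching rule and the set of results excluded from the flat maximum are my reading of CPE 2.2 and of the XCCDF 1.1.4 flat scoring model, not Tripwire's implementation.

```python
"""Added example (not Tripwire's code): XCCDF 1.1.4 profile resolution, CPE
gating, CCE lookup and flat scoring over a constructed miniature benchmark."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed benchmark: rule ids and CCE numbers are placeholders, not FDCC values.
BENCHMARK_XML = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="example-profile">
    <select idref="rule-a" selected="true"/>
    <select idref="rule-b" selected="true"/>
    <select idref="rule-c" selected="true"/>
    <select idref="rule-d" selected="false"/>
  </Profile>
  <Rule id="rule-a" weight="10.0" selected="false">
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
    <ident system="http://cce.mitre.org">CCE-0000</ident>
  </Rule>
  <Rule id="rule-b" weight="5.0"><ident system="http://cce.mitre.org">CCE-00001-1</ident></Rule>
  <Rule id="rule-c"><ident system="http://cce.mitre.org">CCE-00002-2</ident></Rule>
  <Rule id="rule-d" selected="true"><ident system="http://cce.mitre.org">CCE-00003-3</ident></Rule>
</Benchmark>
"""


def parse_benchmark(xml_text):
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("{%s}Rule" % NS["x"]):        # iter() also finds Rules nested in Groups
        rules[rule.get("id")] = {
            "weight": float(rule.get("weight", "1.0")),   # XCCDF default weight is 1.0
            "selected": rule.get("selected", "true") == "true",
            "cce": [i.text.strip() for i in rule.findall("x:ident", NS)
                    if i.get("system") == CCE_SYSTEM],
        }
    profiles = {p.get("id"): [(s.get("idref"), s.get("selected") == "true")
                              for s in p.findall("x:select", NS)]
                for p in root.findall("x:Profile", NS)}
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    return {"rules": rules, "profiles": profiles, "platforms": platforms}


def selected_rules(bench, profile_id):
    """Start from each Rule's own selected attribute, then apply the Profile's
    select elements in document order. Cluster-id selects are not handled here."""
    state = {rid: r["selected"] for rid, r in bench["rules"].items()}
    for idref, flag in bench["profiles"][profile_id]:
        if idref in state:
            state[idref] = flag
    return [rid for rid, on in state.items() if on]


def cpe_matches(platform, host_cpe):
    """Assumed CPE 2.2 matching: every non-empty component of the benchmark platform
    must equal the host's component; components the platform omits act as wildcards."""
    want = platform.lower().split(":")
    have = host_cpe.lower().split(":")
    have += [""] * (len(want) - len(have))
    return all(w == "" or w == h for w, h in zip(want, have))


def host_may_use_profile(bench, host_cpe):
    return any(cpe_matches(p, host_cpe) for p in bench["platforms"])


def rules_for_cce(bench, cce_id):
    return [rid for rid, r in bench["rules"].items() if cce_id.upper() in r["cce"]]


# Results excluded from the flat maximum (my reading of the XCCDF 1.1.4 flat
# model); "error" and "unknown" stay applicable and therefore count as not passed.
EXCLUDED_FROM_MAXIMUM = {"notapplicable", "notchecked", "notselected", "informational"}


def flat_score(bench, selected, results):
    """Flat model: score = sum of weights of passing rules; maximum = sum of
    weights of applicable selected rules. Returns (score, maximum)."""
    score = maximum = 0.0
    for rid in selected:
        result = results.get(rid, "notchecked")
        if result in EXCLUDED_FROM_MAXIMUM:
            continue
        maximum += bench["rules"][rid]["weight"]
        if result == "pass":
            score += bench["rules"][rid]["weight"]
    return score, maximum


# Constructed results for one host; rule-c stands for an HKEY_CURRENT_USER check
# that a scanner running as SYSTEM reports as "notchecked".
SAMPLE_RESULTS = {"rule-a": "pass", "rule-b": "fail", "rule-c": "notchecked", "rule-d": "pass"}

if __name__ == "__main__":
    bench = parse_benchmark(BENCHMARK_XML)
    print(host_may_use_profile(bench, "cpe:/o:microsoft:windows_xp::sp3"))   # True
    sel = selected_rules(bench, "example-profile")
    print(sel)                                           # ['rule-a', 'rule-b', 'rule-c']
    print(flat_score(bench, sel, SAMPLE_RESULTS))        # (10.0, 15.0)
    print(rules_for_cce(bench, "CCE-0000"))              # ['rule-a']
```

Note that rule-d is excluded by the profile even though the Rule element itself says selected="true", and rule-a is included for the opposite reason: the profile's selects, not the Rule defaults, decide what is assessed. The notchecked rule contributes to neither the score nor the maximum, so a benchmark with many HKCU rules will report a smaller maximum than its rule count suggests.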

Statement of CPE Implementation

The Tripwire Enterprise (TE) SCAP FDCC Scanner supports Common Platform Enumeration (CPE) version 2.2 to the extent required of an SCAP-validated tool meeting FDCC Scanner requirements. CPE is a structured naming scheme for information technology systems, platforms, and packages. As it relates to the official FDCC data stream, CPE is used to guide the assessment of FDCC configuration specifications.

The Compliance Policy Management feature of Tripwire Enterprise is used to assess the configuration compliance of the hosts it manages. The TE SCAP FDCC Scanner is capable of inspecting such hosts for the exact attributes specified in the fdcc-xxxx-cpe-oval.xml file as referenced by the appropriate fdcc-xxx-cpe-dictionary.xml file as part of the user-imported FDCC data stream published by NIST. The TE SCAP FDCC Scanner uses these attributes to correctly assess associated hosts according to FDCC guidelines. CPE information imported by the TE SCAP FDCC Scanner is carried through to exportable FDCC results. Upon export, the user is able to load and review the results (including CPE identifiers) with any software program capable of displaying XML content.

Statement of SCAP Compliance

The Tripwire Enterprise (TE) SCAP FDCC Scanner supports the Security Content Automation Protocol (SCAP) version 1.0 to the extent required of an SCAP-validated tool meeting FDCC Scanner requirements. SCAP is the coordination of selected standards, each commonly referred to as "SCAP Components," which are used to determine configuration issues, patch levels, and/or the presence of vulnerabilities on a target host. SCAP content consists of machine-readable XML files, commonly referred to as a "bundle" or "data stream," specifying benchmarks and configuration checking logic. SCAP standards include: eXtensible Configuration Checklist Description Format (XCCDF version 1.1.4), Open Vulnerability and Assessment Language (OVAL version 5.3), Common Vulnerability Scoring System (CVSS version 2.0), Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE version 5.0), and Common Platform Enumeration (CPE version 2.2).

The Compliance Policy Management feature of Tripwire Enterprise is used to assess the configuration compliance of the hosts it manages using a specific SCAP data stream: Federal Desktop Core Configuration (FDCC) Version 1.2.1.0. This consists of the ability to import an FDCC bundle, assign the profiles represented in the bundle to one or more nodes (target systems or hosts) managed by Tripwire Enterprise, assess the associated nodes for compliance, view selected facets of the data stream and results in the user interface, and export FDCC-compliant machine-readable results.

Interaction with the TE SCAP FDCC Scanner is carried out via a specific Tripwire Enterprise Home Page Widget. On import, the TE SCAP FDCC Scanner validates the FDCC stream against standard XCCDF and OVAL schemas, and all exported output generated by the TE SCAP FDCC Scanner is similarly validated. At present, the FDCC data stream consists of five SCAP-expressed bundles: Windows XP Firewall, Windows Vista Firewall, Windows XP (operating system), Windows Vista (operating system), and Internet Explorer 7.