VMware VCM SCAP Implementation Statement

SCAP Implementation Statement for the following Capabilities:

FDCC Scanner

USGCB Scanner

Authenticated Configuration Scanner

Authenticated Vulnerability and Patch Scanner


Statement of FDCC/USGCB Implementation

Standardized Windows configurations such as the Federal Desktop Core Configuration (FDCC) or the United States Government Configuration Baseline (USGCB) include strict security group policy settings. The Windows Firewall: Do not Allow Exceptions group policy configures Windows Firewall to block all unsolicited incoming messages; it overrides every configured firewall exception, including the one the VCM Agent relies on. For VCM to communicate properly with the VCM Agent on managed machines in these strict, secure environments, disable the Windows Firewall: Do not Allow Exceptions group policy on the managed machines. For more information, see support.microsoft.com.


Other than the exception setting on the Agent machine, VCM 5.5 does not require additional changes to FDCC or USGCB. All remaining application configuration requirements reside within the VCM 5.5 core environment for the Collector and for the managed machines (which host the Agent).


For the VCM 5.5 Collector engine

1. Install the generally available VCM 5.5 core. No supplemental or customized Collector installation is necessary.

2. Import the desired content bundles from the NIST site.

3. Run the VCM application with local administrator privileges.


For the VCM 5.5 Agent engine

1. Install the base VCM 5.5 core Agent.

2. Disable the Windows Firewall: Do not Allow Exceptions group policy.

3. Set the agent protocol to use unencrypted hypertext transfer protocol (HTTP).


Statement of SCAP Implementation

VCM 5.5 supports the SCAP 1.0 protocol stack. SCAP 1.0 is composed of three enumerations (CPE, CVE, and CCE), two languages (OVAL and XCCDF), and a scoring system (CVSS). VCM 5.5 leverages the data already collected in the VCM 5.5 CMDB to match the corresponding CPE, CVE, and CCE settings. By communicating through the XCCDF 1.1.4 and OVAL 5.3 or 5.4 languages, the VCM 5.5 Collector delivers to the VCM 5.5 Agent the instructions necessary to carry out the assessment, which includes evaluations matching the FDCC Scanner, the United States Government Configuration Baseline (USGCB) Scanner, the Authenticated Configuration Scanner, and the Authenticated Vulnerability and Patch Scanner capabilities. The HTML reporting results provide a link to the NVD CVSS scoring system web site, along with all pertinent background information and identifiers for each individual compliance check. All VCM customers use the VCM 5.5 CMDB for remediation of configuration settings that are out of compliance on the target managed systems. This version of the VCM SCAP implementation fully supports the following operating systems: Windows XP, Windows Vista, and Windows 7.


Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) is an international dictionary of publicly known information about security vulnerabilities and exposures, free for public use. CVE provides identification and information relevant to these vulnerabilities and exposures, and associates them with standardized identifiers that security communities at large can use and reference. VCM 5.5 supports the CVE standard in its implementation of SCAP and is compliant with CVE. For available NIST bundles that contain CVE data (for example, USGCB-Windows-7-patches.xml), VCM 5.5 scanning includes the relevant CVE checks and identifiers in the VCM 5.5 user interface. The VCM 5.5 export formats (CSV, HTML, or XML) provide a searchable page that can be used to locate findings by CVE identifier, along with links to National Vulnerability Database (NVD) web sites where users can research additional details about a specific CVE identifier.


The search engine website for CVE is located at the following URL: http://web.nvd.nist.gov/view/vuln/search


Statement of CCE Implementation

Common Configuration Enumeration (CCE) provides unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents. VCM 5.5 supports the current CCE version 5.0 public standard. To implement this support, VCM 5.5 preserves CCE identifiers throughout its processing: from profile selection, to refinable value modification, to OVAL assessment, to XCCDF merge, and finally to user interface rendering. When a misconfiguration or error occurs, the user can see the result in the VCM user interface, review the information, decide what the correct setting should be, and take the appropriate action. In addition, the VCM 5.5 configuration management database (CMDB) provides visibility into the compliance condition across your enterprise so that you can satisfy requests from auditors.


Statement of CPE Implementation

The Common Platform Enumeration (CPE) version 2.2 specification provides a standardized identification scheme for any hardware, operating system, or application present in an enterprise (for example, an operating system such as Windows 7 or an application such as Internet Explorer 8). VCM 5.5 uses the SCAP data feed along with the CPE dictionary and OVAL files to match systems to their applicable benchmarks for profile scanning. Leveraging the inventory information already stored in the VCM 5.5 CMDB on the VCM 5.5 Collector system reduces the time involved in assessing your environment: the VCM 5.5 engine consults the VCM 5.5 CMDB to automatically match the applicable benchmarks to the target managed machines. The VCM 5.5 Agent engine then executes all necessary profile scans in a single job and sends the results back to the VCM 5.5 Collector engine for post-processing, which preserves and displays all CPE identifiers in the user interface.


Statement of CVSS Implementation

The Common Vulnerability Scoring System (CVSS) is designed to provide an open and standardized method for rating information technology vulnerabilities and exposures. CVSS helps organizations prioritize and coordinate a joint response to security issues by communicating the base, temporal, and environmental properties of a given vulnerability. CVSS is an open standard for assigning a score to a vulnerability; that score indicates its relative severity compared to other vulnerabilities. VCM 5.5 is compliant with CVSS version 2.0 and uses CVSS when displaying CVE identifiers for missing security patches or other software vulnerabilities, presenting the CVSS scores already supplied with the available NIST SCAP bundles. VCM 5.5 users also have a hyperlink to the NVD CVSS web site if they want to calculate CVSS scores that apply to their unique environments.


The CVSS scoring website link is located at the following URL: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2


Statement of OVAL Implementation

The Open Vulnerability Assessment Language (OVAL) data specification provides the how-to information needed to determine compliance against its specifically defined tests. OVAL data is closely interrelated with the XCCDF data specification: XCCDF represents security checklists or benchmarks in a well-structured, machine-readable format, and OVAL provides the details, or tests, used to assess the items required within the XCCDF format. Using these two combined XML data specifications, the VCM 5.5 Collector digests an XCCDF file together with its OVAL tests, allows selection of an XCCDF benchmark, and renders an abstract policy usable by the VCM 5.5 Agent. The VCM 5.5 Agent uses the configuration identifiers defined within the XCCDF benchmark, combined with the OVAL data, and the SCAP OVAL reference architecture (specifically the 5.9.2 OVALDI version) to assess these items. The output from the VCM 5.5 Agent consumed by the VCM 5.5 Collector consists of the oval-results.xml, oval-results.html, and system-characteristics.xml files. The VCM 5.5 Collector then uses the reported results (<standard>-oval-results.html) from the VCM 5.5 Agent target scan to report in- or out-of-compliance results against each configuration item in the SCAP benchmark.


Statement of XCCDF Implementation

The Extensible Configuration Checklist Description Format (XCCDF) 1.1.4 schema provides a uniform means of representing security checklists or benchmarks in a well-structured, machine-readable format. Supporting this XML data format, the VCM 5.5 Collector imports a NIST bundle containing an XCCDF file and extracts all abstract policies along with all corresponding rules (evaluation identifiers) and compliance checks (a separate external variables file) contained in the XCCDF file. The VCM 5.5 Agent, using the SCAP OVAL reference architecture (specifically the 5.9.2 OVALDI version), assesses compliance based on the bundle files (fdcc-xp-cpe-oval.xml, fdcc-xp-oval.xml, and fdcc-xp-patches.xml) and leverages the evaluation identifiers and external variables created by the VCM 5.5 Collector. The CCE identifiers are preserved and associated with the incoming results throughout the process. Using this combination of built-in and custom VCM 5.5 compliance checks tied to the XCCDF benchmark, the full range of configuration items in the XCCDF file can be assessed for compliance. The VCM 5.5 Collector then uses the reported results from the VCM 5.5 Agent target machine scan to report in- or out-of-compliance results against each configuration item in the SCAP benchmark.
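The OVAL and XCCDF statements above describe the Collector merging the Agent's oval-results.xml back against the XCCDF benchmark while preserving each rule's CCE identifier. The following added example (written for this page, not VCM's own code) shows that merge step on constructed XCCDF 1.1 and OVAL results fragments; the rule ids, CCE idents and OVAL definition ids are placeholders, and a rule whose definition never came back is reported as notchecked rather than silently passing.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SCAP 1.0 content: XCCDF 1.1(.4) and OVAL 5.x results.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark: three rules, each with a CCE ident and an OVAL check ref.
# "CCE-EXAMPLE-*" and "oval:example:def:*" are placeholders, not real identifiers.
XCCDF_SAMPLE = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <Rule id="firewall-exceptions-rule"><ident system="{CCE_SYSTEM}">CCE-EXAMPLE-1</ident>
    <check system="{OVAL_SYSTEM}"><check-content-ref name="oval:example:def:1"/></check></Rule>
  <Rule id="audit-policy-rule"><ident system="{CCE_SYSTEM}">CCE-EXAMPLE-2</ident>
    <check system="{OVAL_SYSTEM}"><check-content-ref name="oval:example:def:2"/></check></Rule>
  <Rule id="unevaluated-rule"><ident system="{CCE_SYSTEM}">CCE-EXAMPLE-3</ident>
    <check system="{OVAL_SYSTEM}"><check-content-ref name="oval:example:def:3"/></check></Rule>
</Benchmark>"""

# Constructed oval-results.xml as an agent would return it; def:3 is deliberately absent.
OVAL_RESULTS_SAMPLE = f"""<oval_results xmlns="{OVAL_RES_NS}"><results><system><definitions>
  <definition definition_id="oval:example:def:1" result="true" version="1"/>
  <definition definition_id="oval:example:def:2" result="false" version="1"/>
</definitions></system></results></oval_results>"""

# OVAL definition result -> XCCDF 1.1.4 rule result vocabulary.
RESULT_MAP = {"true": "pass", "false": "fail", "error": "error",
              "not applicable": "notapplicable", "unknown": "unknown"}


def merge_results(xccdf_xml: str, oval_results_xml: str) -> dict:
    """Map each XCCDF rule id to its CCE identifier and the result of its OVAL definition."""
    oval_root = ET.fromstring(oval_results_xml)
    def_results = {d.get("definition_id"): d.get("result")
                   for d in oval_root.iter(f"{{{OVAL_RES_NS}}}definition")}
    merged = {}
    for rule in ET.fromstring(xccdf_xml).iter(f"{{{XCCDF_NS}}}Rule"):
        ident = rule.find(f"{{{XCCDF_NS}}}ident")
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        oval_id = ref.get("name") if ref is not None else None
        raw = def_results.get(oval_id)
        # A definition the agent never reported must surface as notchecked, never as pass.
        result = "notchecked" if raw is None else RESULT_MAP.get(raw, "unknown")
        merged[rule.get("id")] = {"cce": ident.text if ident is not None else None,
                                  "oval_id": oval_id, "result": result}
    return merged


if __name__ == "__main__":
    for rule_id, row in merge_results(XCCDF_SAMPLE, OVAL_RESULTS_SAMPLE).items():
        print(f"{rule_id}: {row['cce']} -> {row['result']}")
```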