VMware vCenter Protect Essentials Government Edition

(with SCAP Processor) v 8.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

CVE

The CVE data specification provides a commonly understood identifier for specific software flaws/vulnerabilities on various technology platforms (e.g., Windows XP or Internet Explorer).  VMware vCenter Protect Essentials Plus - Configuration Management (SCAP Edition) is the commercial off-the-shelf vCenter Protect Essentials Plus - Configuration Management product plus a licensable module called the SCAP Processor.  The SCAP Processor uses the OVAL patch definitions associated with an SCAP benchmark, and the CVE identifiers referenced by those definitions, to map each definition to a specific patch that is either found or missing.  The assessment itself, checking the target for the presence of the patches the benchmark requires, is done by VMware vCenter Protect Essentials.  The presence or absence of a patch then indicates whether the CVE-identified vulnerabilities it addresses exist on the scanned machine; in other words, CVE status is inferred from patch status rather than tested directly.  The patch information also carries the vendor's identifier for each patch, which is used to match the specific patches known to the product against those defined in the associated OVAL file.  The SCAP Processor uses the patch scan results to report the presence or absence of software flaws/vulnerabilities, and the reporting results call out the CVE items associated with each patch in addition to the patch itself being present or absent.

Combining the configuration checks from VMware vCenter Protect Essentials Plus - Configuration Management (SCAP Edition) with the CVE/patch results from VMware vCenter Protect Essentials, the full range of requirements in an SCAP data feed (XCCDF benchmark) can be assessed or enforced.  The SCAP Processor then uses the reported results from the VMware vCenter Protect Essentials Plus - Configuration Management and VMware vCenter Protect Essentials target scans to report an in- or out-of-compliance result against each item in the SCAP benchmark.

CCE

The CCE data specification provides a commonly understood identifier for specific configuration items on various technology platforms (e.g., Windows XP or Internet Explorer).  VMware vCenter Protect Essentials Plus - Configuration Management (SCAP Edition) is the commercial off-the-shelf vCenter Protect Essentials Plus - Configuration Management product plus a licensable module called the SCAP Processor.  The SCAP Processor uses the CCE identifiers in the SCAP benchmark to map each item to an existing compliance check that is part of VMware vCenter Protect Essentials Plus - Configuration Management, which can then assess or enforce the item.  CCE items in the benchmark that have no built-in check can be assessed or remediated using one or more “custom” checks built to the requirements of the individual CCE item.

Using this combination of built-in and custom checks in VMware vCenter Protect Essentials Plus - Configuration Management, the full range of CCE items in an SCAP data feed (XCCDF benchmark) can be assessed or enforced.  The SCAP Processor then uses the reported results from the VMware vCenter Protect Essentials Plus - Configuration Management target scan to report an in- or out-of-compliance result against each CCE item in the SCAP benchmark.

CPE

The CPE data specification provides a commonly understood identifier for specific technology platforms (e.g., Windows XP or Internet Explorer).  The SCAP Processor uses the CPE identifiers included in the SCAP data feed to map to specific technology platforms.  Because the platforms and their CPE identifiers are referenced explicitly within the SCAP data feeds, the SCAP Processor uses those same identifiers to identify the platforms within assessment results and in any SCAP-required reporting details.

Using the platform CPE values from the SCAP data feeds together with VMware vCenter Protect Essentials Plus - Configuration Management (SCAP Edition) allows platforms to be assessed correctly and the proper results to be presented for each platform as assessed or remediated.  The CPE values of assessed or remediated platforms are included in the reporting results, so each benchmark requirement can be associated with the target, the platform, and the specific item within the reported results.

CVSS

The CVSS (Common Vulnerability Scoring System) provides a commonly understood open framework for determining the impact and characteristics of vulnerabilities in information technology.  Scores using this methodology are currently only implemented and available for CVE (Common Vulnerabilities and Exposures) items.  The score for a specific item can be found at the corresponding page on the National Vulnerability Database website, using the naming scheme for each item; for example, the vulnerability with CVE identifier CVE-2008-1436 is at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1436.  CVE's common identifiers combined with a scoring mechanism for the impact of each vulnerability provide a powerful combination for assessing the risk due to that vulnerability.  Beyond the CVSS values published for CVE items, the other areas of impact, environmental and temporal (time-related) scoring, can be added using the CVSS calculators discussed below.

CVSS is currently undergoing development to incorporate scoring for CCE (Common Configuration Enumeration) items.  Such scores are not yet available on the CVSS website and cannot be searched or looked up the way CVE scores can.  Nonetheless, using the same scoring characteristics as for CVE items, a user can currently compute a CVSS score for a CCE item with one of two calculators available for this purpose at:

http://nvd.nist.gov/cvss.cfm?calculator&version=2

or a more advanced version at:

http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

The calculation takes inputs for a number of metrics grouped into three areas: base score, temporal score and environmental score.  Together these three areas produce the final score associated with the vulnerability.  This is the scoring approach recommended for any CVSS scores required for use with the VMware product.
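The three-area calculation the calculators above perform, carried through in code as an added example (it is not code from the vendor or the product, and the vendor text recommends the NVD calculators, not a local implementation).  The metric weights and equations are those published in the CVSS v2.0 guide, and the sample vector is that guide's own worked example, the Apache chunked-encoding flaw CVE-2002-0392, for which the guide gives base 7.8, temporal 6.4 and environmental 9.2.  Temporal and environmental metrics left out of the vector are treated as "not defined", so a base-only vector yields three identical scores.

```python
"""Added example: CVSS v2 base, temporal and environmental scores computed from
a vector string, using the equations and metric weights of the CVSS v2.0 guide
(the same calculation the NVD calculators linked above perform)."""
from decimal import Decimal, ROUND_HALF_UP

BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},       # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},        # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},       # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},        # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},        # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},        # availability impact
}
TEMPORAL = {  # "ND" (not defined) never changes the score
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def round1(x):
    """Round half up to one decimal, as the guide's round_to_1_decimal() does.
    Going through round(x, 10) and str() avoids binary-float artifacts such as
    8.3 + 1.7 * 0.5 evaluating to 9.149999..., which would otherwise give 9.1."""
    return float(Decimal(str(round(x, 10))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/...]' -> dict; the six base metrics are mandatory."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("base metrics missing: " + ", ".join(missing))
    for group in (BASE, TEMPORAL, ENVIRONMENTAL):
        for k, allowed in group.items():
            if k in metrics and metrics[k] not in allowed:
                raise ValueError("bad value %r for metric %s" % (metrics[k], k))
    return metrics


def impact(m, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub-score; with the requirement weights it becomes AdjustedImpact."""
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))


def base_score(m, imp):
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    expl = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f = 0.0 if imp == 0 else 1.176
    return round1(((0.6 * imp) + (0.4 * expl) - 1.5) * f)


def cvss2(vector):
    """Return base, temporal and environmental scores for a CVSS v2 vector."""
    m = parse_vector(vector)
    base = base_score(m, impact(m))
    tmul = 1.0
    for k in TEMPORAL:
        tmul *= TEMPORAL[k][m.get(k, "ND")]
    temporal = round1(base * tmul)
    # Environmental: recompute base with AdjustedImpact, apply the temporal
    # multiplier, then collateral damage potential and target distribution.
    cr, ir, ar = (ENVIRONMENTAL[k][m.get(k, "ND")] for k in ("CR", "IR", "AR"))
    adjusted_impact = min(10.0, impact(m, cr, ir, ar))
    adjusted_temporal = round1(base_score(m, adjusted_impact) * tmul)
    cdp = ENVIRONMENTAL["CDP"][m.get("CDP", "ND")]
    td = ENVIRONMENTAL["TD"][m.get("TD", "ND")]
    environmental = round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)
    return {"base": base, "temporal": temporal, "environmental": environmental}


if __name__ == "__main__":
    # Worked example from the CVSS v2.0 guide (CVE-2002-0392, Apache chunked encoding):
    # expected base 7.8, temporal 6.4, environmental 9.2.
    print(cvss2("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

For a CCE item there is no published vector, so the base metrics must be chosen by the person doing the scoring, which is exactly what the calculators above expect; the environmental metrics (CDP, TD and the three requirement weights) are where site-specific risk enters, and are the part most worth recording alongside the resulting score.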

XCCDF

The XCCDF data specification provides the means to represent security checklists or benchmarks in a well-structured, machine-readable format.  Using this XML data format, the SCAP Processor digests an XCCDF file and creates a policy usable in VMware vCenter Protect Essentials Plus - Configuration Management from a benchmark selected within the XCCDF file.  The SCAP Processor uses the configuration identifiers found in the XCCDF benchmark to map to existing built-in compliance checks in the standard vCenter Protect Essentials Plus - Configuration Management product, which then assesses or enforces those items.  Additional items included in the benchmark and required by the SCAP data feeds can be assessed or remediated using custom checks built to the requirements of the individual CCE item.  Generally, the built-in checks take their configuration for the policy file from the XCCDF content, whereas the custom checks may require configuration details contained in the OVAL files associated with the XCCDF file.  A benchmark may also include patch-related items; these are typically defined in an associated OVAL file, and their results are combined with the configuration results to cover the complete benchmark requirements.

Using this combination of built-in and custom checks in vCenter Protect Essentials Plus - Configuration Management, plus any patch/vulnerability results from vCenter Protect Essentials that relate to the XCCDF benchmark, the full range of configuration and vulnerability items in the XCCDF file can be assessed or remediated.  The SCAP Processor then uses the reported results from the combined vCenter Protect Essentials Plus - Configuration Management and VMware vCenter Protect Essentials target scan to report an in- or out-of-compliance result against each configuration or vulnerability item in the SCAP benchmark.  These reported results can then be output in the XCCDF data format.

OVAL

OVAL data is closely interrelated with the XCCDF data specification.  XCCDF represents security checklists or benchmarks in a well-structured, machine-readable format; OVAL then provides the detailed tests used to assess the items the XCCDF benchmark requires.  Using these two XML data specifications together, the SCAP Processor digests an XCCDF file and its OVAL tests, allows a benchmark within the XCCDF file to be selected, and creates a policy usable within VMware vCenter Protect Essentials Plus - Configuration Management and, when the benchmark requires it, a patch list usable for scanning by VMware vCenter Protect Essentials.  The SCAP Processor uses the configuration identifiers defined in the XCCDF benchmark, combined with the OVAL data, as a mapping to existing compliance checks in vCenter Protect Essentials Plus - Configuration Management that can assess or enforce those items.  Additional configuration items included in the benchmark and required by the SCAP data feeds can be assessed or remediated using one or more custom checks built to the requirements of the individual CCE item, with the OVAL content as further guidance.  Finally, the SCAP Processor combines the OVAL patch data with a mapping to VMware patch data so that vCenter Protect Essentials can assess the corresponding vulnerabilities or deploy the patches.

The full range of configuration items in the XCCDF file can thus be assessed or remediated: the built-in and custom checks are scanned by vCenter Protect Essentials Plus - Configuration Management as defined by the XCCDF benchmark and configured from the OVAL content, and the vulnerability/patch results come from vCenter Protect Essentials.  The SCAP Processor then uses the reported results of the vCenter Protect Essentials Plus - Configuration Management target scan and, when needed, the patch assessment results of the vCenter Protect Essentials scan to report an in- or out-of-compliance result against each configuration item in the SCAP benchmark.

SCAP

The SCAP standard defines a set of standardized data formats that together provide information technology and configuration control assessment capabilities on target platforms.  The standard uses these data formats together as a system that allows for standardized benchmarks or checklists of security configuration requirements.  First, the XCCDF data specification represents security checklists or benchmarks in a well-structured, machine-readable format.  The OVAL data specification then provides the detailed tests used to assess the items the XCCDF benchmark requires.  Using these two XML data formats, the SCAP Processor digests an XCCDF file and, from a selected benchmark within it, creates a policy usable within the VMware vCenter Protect Essentials Plus - Configuration Management product and, when the benchmark requires it, a patch list usable for scanning by VMware vCenter Protect Essentials.

At a more detailed level, the SCAP Processor uses the CCE identifiers found in the XCCDF benchmark as a mapping to existing compliance checks within vCenter Protect Essentials Plus - Configuration Management, which can be assessed or enforced.  Other CCE items included in the benchmark and required by the SCAP data feeds can be assessed or remediated using one or more custom checks built to the requirements of the individual CCE item.  Generally, the built-in checks take their policy-file configuration from the XCCDF content, with the OVAL file providing additional details needed for those checks; the custom checks typically require further configuration details from the OVAL files associated with the XCCDF file.  When the XCCDF benchmark defines patch items, the SCAP Processor also uses the associated OVAL patch data, combined with a VMware patch mapping, to construct a patch list for use by vCenter Protect Essentials.

Using this combination of built-in and custom checks in vCenter Protect Essentials Plus - Configuration Management, the full range of CCE items in an SCAP data feed (XCCDF benchmark) can be assessed or remediated on a target scan.  Further, when the benchmark defines them, vCenter Protect Essentials scans for the OVAL-defined vulnerabilities/patches, which can likewise be assessed or remediated on a target scan.  The SCAP Processor then uses the reported results from the vCenter Protect Essentials Plus - Configuration Management and vCenter Protect Essentials target scans to report an in- or out-of-compliance result against each CCE item or OVAL vulnerability/patch item associated with the SCAP benchmark.  CVE results are available within the SCAP Processor for patch assessment.  CVSS, the risk scoring system, is available through the web-based calculator for scoring CCE or CVE items.  The final SCAP data standard is the platform-based CPE format, which provides the common naming scheme used in the output results to identify the specific technology platforms assessed within the entire SCAP process against the XCCDF benchmark.
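The pipeline described in the CVE, CCE, CPE, XCCDF and OVAL sections above (digest XCCDF plus OVAL, split the selected rules into a CCE-identified configuration policy and an OVAL-patch-derived patch list, then report per-rule compliance carrying the CPE, CCE and CVE identifiers) reduced to a miniature worked example.  This is added illustration code, not the SCAP Processor or any VMware code, and it stops at the reporting boundary: the "scan results" it consumes are a constructed dictionary of OVAL definition outcomes standing in for the product scans.  The benchmark and OVAL definitions are constructed samples, the CCE numbers and the patch name are placeholders, and CVE-2008-1436 is simply the CVE the page itself cites.  The one behaviour worth taking away is in evaluate(): an OVAL result of "true" means compliant for a compliance-class definition but means the patch is missing for a patch-class definition, so the two classes must be inverted relative to each other before a pass/fail can be reported.

```python
"""Added example: a miniature 'SCAP processor' in the sense the page describes.
It digests a constructed XCCDF benchmark plus its OVAL definitions, splits the
selected rules into a configuration policy (CCE-identified checks) and a patch
list (OVAL 'patch' definitions with their CVE references), then turns per-
definition scan results into pass/fail per rule and an XCCDF TestResult."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
CCE_SYS, CVE_SYS = "http://cce.mitre.org", "http://cve.mitre.org"
ET.register_namespace("xccdf", XCCDF)

# Constructed sample content: not a real benchmark; the CCE numbers and the
# patch name are placeholders. CVE-2008-1436 is the CVE the page itself cites.
XCCDF_XML = f"""<Benchmark xmlns="{XCCDF}" id="SAMPLE-BENCHMARK">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Rule id="min-password-length" selected="true">
    <ident system="{CCE_SYS}">CCE-00001-0</ident>
    <check system="{OVAL}"><check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/></check>
  </Rule>
  <Rule id="sample-patch-1" selected="true">
    <check system="{OVAL}"><check-content-ref href="sample-oval.xml" name="oval:sample:def:2"/></check>
  </Rule>
  <Rule id="not-in-profile" selected="false">
    <ident system="{CCE_SYS}">CCE-00002-0</ident>
    <check system="{OVAL}"><check-content-ref href="sample-oval.xml" name="oval:sample:def:3"/></check>
  </Rule>
</Benchmark>"""

OVAL_XML = f"""<oval_definitions xmlns="{OVAL}"><definitions>
  <definition id="oval:sample:def:1" class="compliance" version="1">
    <metadata><title>Minimum password length</title></metadata></definition>
  <definition id="oval:sample:def:2" class="patch" version="1">
    <metadata><title>SAMPLE-PATCH-1</title>
      <reference source="CVE" ref_id="CVE-2008-1436"/></metadata></definition>
  <definition id="oval:sample:def:3" class="compliance" version="1">
    <metadata><title>Not selected by the benchmark</title></metadata></definition>
</definitions></oval_definitions>"""


def load_benchmark(xccdf_xml, oval_xml):
    """Map each selected Rule to its OVAL definition; rules whose definition is
    class='patch' go to the patch list, everything else to the config policy."""
    nx, no = {"x": XCCDF}, {"o": OVAL}
    defs = {}
    for d in ET.fromstring(oval_xml).findall(".//o:definition", no):
        defs[d.get("id")] = {
            "class": d.get("class"),
            "cves": [r.get("ref_id") for r in d.findall("o:metadata/o:reference", no)
                     if r.get("source") == "CVE"]}
    bench = ET.fromstring(xccdf_xml)
    plan = {"platforms": [p.get("idref") for p in bench.findall("x:platform", nx)],
            "config_checks": [], "patch_checks": []}
    for rule in bench.findall(".//x:Rule", nx):
        if rule.get("selected", "true") != "true":
            continue  # not part of the assessed profile
        ref = rule.find("x:check/x:check-content-ref", nx)
        ident = rule.find("x:ident[@system='%s']" % CCE_SYS, nx)
        oval_id = ref.get("name") if ref is not None else None
        d = defs.get(oval_id, {"class": None, "cves": []})
        entry = {"rule_id": rule.get("id"), "oval_id": oval_id, "class": d["class"],
                 "cce": ident.text if ident is not None else None, "cves": d["cves"]}
        plan["patch_checks" if d["class"] == "patch" else "config_checks"].append(entry)
    return plan


def evaluate(plan, oval_results):
    """OVAL 'true' means different things per class: for 'compliance' it means
    the setting is correct, for 'patch' it means the patch is MISSING (and for
    'vulnerability' that the host is vulnerable). Normalise to pass/fail."""
    report = []
    for e in plan["config_checks"] + plan["patch_checks"]:
        r = oval_results.get(e["oval_id"])
        if r is None:
            verdict = "unknown"
        elif e["class"] in ("patch", "vulnerability"):
            verdict = "fail" if r else "pass"
        else:
            verdict = "pass" if r else "fail"
        report.append(dict(e, result=verdict))
    return report


def xccdf_test_result(plan, report, target="host.example"):
    """Serialise as a minimal XCCDF TestResult carrying CPE, CCE and CVE idents."""
    q = lambda tag: "{%s}%s" % (XCCDF, tag)
    tr = ET.Element(q("TestResult"), id="xccdf_sample_result")
    ET.SubElement(tr, q("target")).text = target
    for cpe in plan["platforms"]:
        ET.SubElement(tr, q("platform"), idref=cpe)
    for r in report:
        rr = ET.SubElement(tr, q("rule-result"), idref=r["rule_id"])
        ET.SubElement(rr, q("result")).text = r["result"]
        if r["cce"]:
            ET.SubElement(rr, q("ident"), system=CCE_SYS).text = r["cce"]
        for cve in r["cves"]:
            ET.SubElement(rr, q("ident"), system=CVE_SYS).text = cve
    return ET.tostring(tr, encoding="unicode")


if __name__ == "__main__":
    plan = load_benchmark(XCCDF_XML, OVAL_XML)
    # Constructed scan: password policy compliant; patch definition true = patch missing.
    report = evaluate(plan, {"oval:sample:def:1": True, "oval:sample:def:2": True})
    for r in report:
        print(r["rule_id"], r["cce"] or ",".join(r["cves"]), r["result"])
    print(xccdf_test_result(plan, report))
```

Rules with selected="false" are dropped before any mapping, which mirrors the page's point that only the benchmark actually selected drives the policy and patch list; a rule whose OVAL definition is absent from the results is reported as "unknown" rather than silently passing.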