Vendor Provided
Validation Details - Lumension Security’s PatchLink Security Manager (SCM) for PatchLink Update V2
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of FDCC Implementation
Lumension has provided a statement of the changes to the FDCC settings that must be made in order to install and operate PatchLink SCM.
XP
Select Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile/Standard Profiles. The Standard Profile is enforced for workgroup members, and the Domain Profile is enforced for domain members. Edit both lists for consistency.
a) Enable the Windows Firewall: Allow file and printer sharing exception setting.
b) Disable the Windows Firewall: Do not allow exceptions setting.
c) Enable the Windows Firewall: Allow remote administration exception setting.
Select Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile/Standard Profiles. The Standard Profile is enforced for workgroup members, and the Domain Profile is enforced for domain members. Edit both lists for consistency.
a) Enable the Windows Firewall: Allow file and printer sharing exception setting.
b) Disable the Windows Firewall: Do not allow exceptions setting.
c) Enable the Windows Firewall: Allow remote administration exception setting.
d) Enable the Windows Firewall: Allow ICMP exceptions setting. Deselect all the individual ICMP options with the exception of Allow inbound echo request, which should be left enabled.
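The settings above are written by Group Policy as registry values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall. The following Python script, added here as an example and not part of the vendor statement or the product, expands the deviation list (a to d, for both profiles) into the expected value of each registry entry and reports anything left Not Configured or set differently, so a deployment can confirm that exactly these deviations, and none of the other ICMP options, are in place. The registry layout follows the documented Windows XP SP2 firewall policy keys and is an assumption to confirm against the ADM template you actually deploy; the sample state is constructed.

```python
"""Audit Windows Firewall policy values against the FDCC deviations listed above.
Constructed example; not Lumension's, NIST's or Microsoft's code."""
from typing import Dict, List, Tuple

RegValue = Tuple[str, str]  # (registry key under HKLM, value name)

POLICY_ROOT = r"SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")  # the page says to edit both profiles

# Deviations a) to d) as (subkey under the profile, value name, expected DWORD).
# Assumption: these are the Windows XP SP2 firewall policy registry locations;
# confirm them against the ADM template your domain deploys.
REQUIRED: List[Tuple[str, str, int]] = [
    ("Services\\FileAndPrint", "Enabled", 1),        # a) allow file and printer sharing exception
    ("", "DoNotAllowExceptions", 0),                  # b) "do not allow exceptions" disabled
    ("RemoteAdminSettings", "Enabled", 1),            # c) allow remote administration exception
    ("IcmpSettings", "AllowInboundEchoRequest", 1),   # d) only inbound echo request stays enabled
]
# d) also requires every other individual ICMP option to be deselected.
OTHER_ICMP = (
    "AllowOutboundDestinationUnreachable", "AllowOutboundSourceQuench", "AllowRedirect",
    "AllowInboundRouterRequest", "AllowOutboundTimeExceeded", "AllowOutboundParameterProblem",
    "AllowInboundTimestampRequest", "AllowInboundMaskRequest", "AllowOutboundPacketTooBig",
)


def expected_values() -> Dict[RegValue, int]:
    """Expand the deviation list into one (key, value name) -> DWORD entry per profile."""
    expected: Dict[RegValue, int] = {}
    for profile in PROFILES:
        base = f"{POLICY_ROOT}\\{profile}"
        for subkey, name, want in REQUIRED:
            expected[(f"{base}\\{subkey}" if subkey else base, name)] = want
        for name in OTHER_ICMP:
            expected[(f"{base}\\IcmpSettings", name)] = 0
    return expected


def audit(actual: Dict[RegValue, int]) -> List[str]:
    """One finding per expected value that is absent (Not Configured) or set differently."""
    findings: List[str] = []
    for (key, name), want in sorted(expected_values().items()):
        got = actual.get((key, name))
        if got is None:
            findings.append(f"NOT CONFIGURED: {key}\\{name} (expected {want})")
        elif got != want:
            findings.append(f"MISMATCH: {key}\\{name} is {got}, expected {want}")
    return findings


def read_registry() -> Dict[RegValue, int]:
    """Windows only: collect the live policy values. winreg is imported lazily so
    audit() itself stays usable on any platform (for example on a parsed .reg export)."""
    import winreg
    actual: Dict[RegValue, int] = {}
    for key, name in expected_values():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, _kind = winreg.QueryValueEx(handle, name)
                actual[(key, name)] = int(value)
        except OSError:
            pass  # key or value absent: audit() reports it as NOT CONFIGURED
    return actual


# Constructed sample state: compliant except that the Domain profile still allows
# ICMP redirects and the Standard profile lacks the remote administration exception.
SAMPLE_STATE: Dict[RegValue, int] = dict(expected_values())
SAMPLE_STATE[(f"{POLICY_ROOT}\\DomainProfile\\IcmpSettings", "AllowRedirect")] = 1
del SAMPLE_STATE[(f"{POLICY_ROOT}\\StandardProfile\\RemoteAdminSettings", "Enabled")]

if __name__ == "__main__":
    for line in audit(SAMPLE_STATE):
        print(line)
```

On a Windows host, replace SAMPLE_STATE with read_registry(); the audit reports the two constructed deviations above as one MISMATCH and one NOT CONFIGURED finding.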
Statement of SCAP Implementation
PatchLink SCM is an open, standards-based solution that enables customers to leverage the wealth of knowledge and content from leading security think tanks such as the National Institute of Standards and Technology (NIST) repository, the world’s largest open repository of vulnerability, patch, and configuration assessments, to dramatically reduce their ‘time to security’ and deliver instant value from their investment. The best-practices content in this repository, created and approved by the security community, is based upon the SCAP open set of standards, a combination of six common vulnerability identification standards: CVE, OVAL, CPE, CCE and XCCDF, with CVSS in a future stage.
PatchLink SCM will allow Administrators to upload the SCAP archive through the Configuration Policy Manager web page. This page allows Administrators to select the desired benchmark and profile for quick assessment. The Configuration Policy Manager also allows multiple benchmarks to be assigned to a single policy for mixed or heterogeneous environments.
Statement of CVE Implementation
Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools that, until CVE, were not easily integrated.
PatchLink SCM adopts CVE by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select the CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > select a Device Name that has been scanned > expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page.
Users can also search for CVE IDs by navigating to the Vulnerabilities page and entering the CVE ID in the Name/CVE No search field to display detailed results and to identify additional systems to which the software vulnerability applies.
Statement of CCE Implementation
The Common Configuration Enumeration (CCE) provides common identifiers for system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. The CCE IDs are included in the SCAP data streams to map security best practices to computer configurations. PatchLink SCM displays the CCE IDs after a computer has completed the scan; the results are hosted in XML format on the SCM Server for further analysis. CCE IDs are also available when exporting the scan results.
Statement of CPE Implementation
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is simply a standards-based dictionary of software product names.
PatchLink SCM adopts CPE to verify that configuration scans are not conducted on systems to which the Benchmark or Profile does not apply. This allows Administrators to include security benchmarks that apply to Windows 2000, Windows XP, Windows 2003, and Windows Vista systems in a single configuration policy. Administrators can assign this configuration policy to the built-in Windows System Group, which can be cascaded down to child groups such as Windows 2000, Windows XP, Windows 2003, and Windows Vista systems. Administrators can easily review the scan results for each operating system version to get a complete view of their assessment results. This ensures that no additional resource overhead will exist on systems being scanned for a benchmark that is not applicable to that system.
Statement of CVSS Implementation
The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicate its relative severity compared to other vulnerabilities. It offers visibility into how each score was calculated by revealing the underlying vulnerability characteristics that are inputs to the score calculation.
PatchLink SCM adopts CVSS by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select the CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > select a Device Name that has been scanned > expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page. Once the detailed assessment results page has been launched, users can click on the CVE ID, which hyperlinks to the NVD website where the CVSS severity score is displayed.
Statement of OVAL Implementation
The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content and to standardize the transfer of this information across the entire spectrum of security tools and services.
PatchLink SCM uses OVAL during the scan or assessment of the selected system to evaluate, carry out, and report the results of the OVAL Definitions for that platform.
The OVAL Definition ID can be retrieved by navigating to Groups > Compliance Detail > select a Device Name that has been scanned > expand the Benchmark > expand the desired check > click on the check name to display the Detailed Assessment Results page using the XML View.
The OVAL Test ID can be retrieved by navigating to Groups > Compliance Detail > select a Device Name that has been scanned > expand the Benchmark > expand the desired check > click on the check name to display the Detailed Assessment Results page using the Table View.
Statement of XCCDF Implementation
The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.
XCCDF is used by the PatchLink SCM agent, which interprets the checklist, scans the system, and posts the results to the PatchLink SCM Server. The results can be viewed by:
· Viewing the Compliance Summary View for a high-level summary of the scan results.
· Viewing the Compliance Detail View for a detailed drill-through view of scan results.
· Viewing the Device Configuration Policies View for a more thorough review of the scan results, which also displays a tree-view detail of each rule or checklist item.
· Configuration Policy Reports: 5 canned reports that can be used to report the results of the scan.
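To show how the CPE, CCE, OVAL and XCCDF identifiers described in the statements above fit together in the XML a scanner produces and stores, here is an added Python example (not Lumension's code, and not the product's own parser) that checks a benchmark's CPE platform against the host, then joins each Rule's CCE ident and OVAL definition id with its TestResult outcome into the kind of detail and summary view the page describes. The benchmark document, rule ids, OVAL definition ids and CCE numbers are constructed placeholders; the CPE match and the pass percentage are deliberately simplified versions of what the specifications define.

```python
"""Join XCCDF rules, CCE idents, OVAL definition ids and scan results into
detail and summary views. Added example over a constructed document."""
import xml.etree.ElementTree as ET
from typing import Dict, List

XCCDF = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1 namespace used by SCAP 1.0 content
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF}

# Constructed benchmark with two rules and one result set. Rule ids, OVAL ids
# and CCE numbers are placeholders, not real FDCC content.
SAMPLE_XCCDF = f"""
<Benchmark xmlns="{XCCDF}" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Rule id="firewall-domain-profile" severity="medium">
    <title>Domain profile firewall enabled</title>
    <ident system="{CCE_SYSTEM}">CCE-00001-1</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="firewall-icmp-echo" severity="low">
    <title>Only inbound echo request allowed</title>
    <ident system="{CCE_SYSTEM}">CCE-00002-2</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <TestResult id="scan-1">
    <rule-result idref="firewall-domain-profile"><result>pass</result></rule-result>
    <rule-result idref="firewall-icmp-echo"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def cpe_applies(benchmark_cpe: str, host_cpe: str) -> bool:
    """Simplified CPE 2.2 URI match: every component the benchmark specifies must
    equal the host's; components the benchmark leaves empty match anything."""
    want = benchmark_cpe.split(":")
    have = host_cpe.split(":")
    have += [""] * (len(want) - len(have))
    return all(w == "" or w == h for w, h in zip(want, have))


def applicable(root: ET.Element, host_cpe: str) -> bool:
    """True if the benchmark names no platform or any named platform matches the host."""
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    return not platforms or any(cpe_applies(p, host_cpe) for p in platforms)


def parse_rules(root: ET.Element) -> Dict[str, dict]:
    """Rule id -> severity, CCE idents and OVAL definition ids referenced by the rule."""
    rules: Dict[str, dict] = {}
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        cce = [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM]
        oval = [ref.get("name")
                for chk in rule.findall("x:check", NS) if chk.get("system") == OVAL_SYSTEM
                for ref in chk.findall("x:check-content-ref", NS)]
        rules[rule.get("id")] = {"severity": rule.get("severity", "unknown"), "cce": cce, "oval": oval}
    return rules


def parse_results(root: ET.Element) -> Dict[str, str]:
    """Rule id -> result string from the TestResult (pass, fail, notchecked, ...)."""
    return {rr.get("idref"): rr.findtext("x:result", default="notchecked", namespaces=NS)
            for rr in root.iter(f"{{{XCCDF}}}rule-result")}


def compliance_detail(xml_text: str, host_cpe: str) -> List[dict]:
    """Per-rule rows (the drill-down view); empty when the benchmark's CPE platform
    does not apply to the host, which is the behaviour the CPE statement describes."""
    root = ET.fromstring(xml_text)
    if not applicable(root, host_cpe):
        return []
    results = parse_results(root)
    return [{"rule": rid, "result": results.get(rid, "notchecked"), **info}
            for rid, info in parse_rules(root).items()]


def compliance_summary(detail: List[dict]) -> dict:
    """Counts per result plus the percentage of scored (pass/fail) rules that passed.
    This is a plain ratio, not the weighted default scoring model XCCDF defines."""
    counts: Dict[str, int] = {}
    for row in detail:
        counts[row["result"]] = counts.get(row["result"], 0) + 1
    scored = counts.get("pass", 0) + counts.get("fail", 0)
    percent = round(100.0 * counts.get("pass", 0) / scored, 1) if scored else 0.0
    return {"counts": counts, "percent_pass": percent}


if __name__ == "__main__":
    rows = compliance_detail(SAMPLE_XCCDF, "cpe:/o:microsoft:windows_xp::sp3")
    for row in rows:
        print(row["rule"], row["result"], row["cce"], row["oval"])
    print(compliance_summary(rows))
```

Feeding a Windows Vista CPE name to compliance_detail returns no rows, which is the CPE gating the page describes; for an XP host the rows carry the CCE ident and OVAL definition id alongside the result, the same three identifiers the CCE, OVAL and XCCDF statements say the product exposes in its detail and XML views.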