Vendor Provided Validation Details - Policy Auditor 5.0.0
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
McAfee asserts that Policy Auditor 5.0 does not alter or conflict with the Federal Desktop Core Configuration (FDCC) settings on Microsoft Windows XP and Vista systems. The following ports are used by Policy Auditor 5.0:
Setting                                        Port
Agent-to-server communication                  80 (can be edited)
Agent wake-up communication                    8081 (can be edited)
Agent broadcast communication                  8082 (can be edited)
Console-to-application server communication    8443 (can be edited)
Sensor-to-server communication                 8444 (can be edited)
Security threats communication                 8801
SQL server TCP                                 1443


Statement of SCAP Implementation:
The Security Content Automation Protocol (SCAP) is a collection of six open standards developed jointly by various government organizations and the private sector. Security content conforming to the SCAP standard can be used by any product that supports the standard and the results can be shared between these products.

Policy Auditor provides the ability to detect and assess a single system or thousands of systems from a Policy Auditor Server. This openness and standardization allows regulatory authorities and security administrators to construct more definitive security guidance and to reliably and repeatedly compare results.

McAfee Policy Auditor 5.0 is an enterprise product designed exclusively around SCAP and manages all aspects of analyzing managed systems for compliance. The product provides an implementation for SCAP standards. It uses the eXtensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL) assessment protocols to determine what items to check on a system and how to check them.

McAfee Policy Auditor 5.0 allows users to import and export benchmarks and checks that use SCAP. Users can tailor or edit benchmarks within the benchmark user interface and activate them for use when scheduling system audits. These benchmarks determine whether a system complies with the rules that they contain. Not only do benchmarks determine compliance with their rules, but they also return results that can be converted to a human-readable format.

Benchmarks and checks incorporate Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), and Common Vulnerability Scoring System (CVSS) reference protocols to ensure that all rules are accurately and appropriately processed and that the results are properly shown in reports and export files.

Statement of CVE Implementation:
McAfee Policy Auditor 5.0 implements and supports the Common Vulnerabilities and Exposures (CVE) enumeration which provides standardized references to known vulnerabilities. CVE uses a named list of information security weaknesses providing standardized identifiers to facilitate a universal naming convention.

Policy Auditor 5.0 patch and vulnerability definitions are updated periodically when new content is available. The audit results can be viewed from the Audits, Reports, or Dashboard user interfaces.

CVE information is accessible from the Checks user interface, which displays details of Common Vulnerabilities. Users have the ability to view even more detailed CVE information from the Check Details user interface, which displays the Source, ID, and URL. For example, the URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2122 refers the user to the Mitre site to view details about CVE-2005-2122. The security content provided by McAfee refers to CVE identifiers when addressing vulnerabilities and whether a vendor's patch has been applied to address the vulnerability.

Policy Auditor has been certified by Mitre as CVE Compatible in previous versions such as Policy Auditor 4.5.

Statement of CCE Implementation:
McAfee Policy Auditor 5.0 incorporates and supports version 5.0 of the Common Configuration Enumeration (CCE) standard for CCEs that have been listed by Mitre.

CCE provides a standard system for identifying and referencing system configuration settings. It identifies the configuration itself, not the means by which that configuration was reached. CCE encourages interoperability, improves the correlation of test results, and simplifies gathering metrics.

Policy Auditor 5.0 includes CCE references in the checks content. The Checks tab lists all of the checks available to users. Clicking on a check that has CCE content lists CCE references that identify the CCE system configuration settings.

Statement of CPE Implementation:
McAfee Policy Auditor 5.0 implements version 2.1 of the Common Platform Enumeration (CPE) standard. CPE provides a standard reference and notation method for information technology systems, platforms, and packages.

Policy Auditor contains the CPE data dictionary in the database, with some of it in aggregated format to promote ease of use. Information from this dictionary is used to drive various aspects of the Policy Auditor user interface. Policy Auditor associates OVAL definitions with CPE names and allows users to specify CPE names at the benchmark, group, profile, or rule level. Policy Auditor allows users to create audits with SCAP content that covers a number of common operating systems and platforms. When CPE platforms are specified, the Policy Auditor agent uses this information to determine whether it should evaluate compliance with a rule or group of rules. For example, an audit may cover both Windows XP and Windows Vista operating systems but not the Windows 2000 operating system. CPE allows Policy Auditor to use the correct content on the correct systems.

Statement of CVSS Implementation:
McAfee Policy Auditor 5.0 incorporates version 2.0 of the Common Vulnerability Scoring System (CVSS). CVSS is a standardized open framework for measuring the impact of vulnerabilities. Each CVE includes an associated CVSS vector for use in determining the relative severity of vulnerabilities. CVSS is built upon a quantitative model that ensures repeatable measurements on systems and valid comparisons between systems, and that allows users to view the underlying vulnerability characteristics. Using CVSS scores can help an organization determine and prioritize responses to detected vulnerabilities.

Policy Auditor supports all 4 standard SCAP scoring models: Flat, Flat Unweighted, Absolute, and Default. The default setting for Policy Auditor is a Flat Unweighted Scoring model normalized to a maximum possible score of 100. The scoring model can be changed for comparison purposes.
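The difference between three of these scoring models can be seen by scoring one set of rule results three ways. This is an added example, not McAfee's code: the rule ids, weights and results are constructed, normalization to 100 is assumed to be 100 * earned / maximum, only `pass` is treated as earning credit, and the hierarchical Default model is left out.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1.x namespace
# Results that the XCCDF scoring models leave out of the count entirely.
NOT_COUNTED = {"notapplicable", "notchecked", "informational", "notselected"}

# Constructed sample: rule ids, weights and results are invented for illustration.
SAMPLE = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample">
  <rule-result idref="rule-min-password-length" weight="10.0"><result>pass</result></rule-result>
  <rule-result idref="rule-screensaver-timeout" weight="1.0"><result>fail</result></rule-result>
  <rule-result idref="rule-guest-account-disabled" weight="1.0"><result>pass</result></rule-result>
  <rule-result idref="rule-audit-logon-events" weight="4.0"><result>error</result></rule-result>
  <rule-result idref="rule-win2000-only-setting" weight="2.0"><result>notapplicable</result></rule-result>
</TestResult>
"""

def counted_rules(xml_text):
    """Return (weight, passed) for every rule-result that takes part in scoring."""
    rules = []
    for rr in ET.fromstring(xml_text).findall("x:rule-result", NS):
        result = (rr.findtext("x:result", default="unknown", namespaces=NS) or "").strip()
        if result in NOT_COUNTED:
            continue  # e.g. a rule whose platform does not match the audited system
        # fail, error and unknown are counted but earn nothing
        rules.append((float(rr.get("weight", "1.0")), result == "pass"))
    return rules

def scores(xml_text):
    """Score the same results under the flat, flat-unweighted and absolute models."""
    rules = counted_rules(xml_text)
    if not rules:
        raise ValueError("no scorable rule results")

    def pct(earned, maximum):  # assumed normalization to a maximum of 100
        return 100.0 * earned / maximum if maximum else 0.0

    return {
        "flat": pct(sum(w for w, ok in rules if ok), sum(w for w, _ in rules)),
        "flat-unweighted": pct(sum(1 for _, ok in rules if ok), len(rules)),
        "absolute": 1 if all(ok for _, ok in rules) else 0,
    }

if __name__ == "__main__":
    for model, value in scores(SAMPLE).items():
        print(model, value)
```

The same four counted rules give a noticeably higher flat score than flat-unweighted score because the heavily weighted rule passed, which is why the model in use needs to be recorded alongside any score that is compared across audits.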

Statement of XCCDF Implementation:
McAfee Policy Auditor 5.0 provides an implementation of version 1.1.4 of the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF supports the exchange of information, results document generation, tailoring, automated compliance testing, and compliance scoring, and provides a data model and format for storing results of benchmark compliance testing. The goal of XCCDF is to provide a uniform standard for the expression of benchmarks and other configuration guidance to encourage good security practices.

Policy Auditor uses benchmarks from McAfee or third-party sources to construct audits. Users can select the benchmark profile, if any, to use for the audit. After a system is audited, the system agent returns the audit results to Policy Auditor, which analyzes and reports on the configuration and vulnerability data. The user can specify how long audit data is retained so that they or auditors can review any changes in the state of a system over time.

Statement of OVAL Implementation:
McAfee Policy Auditor 5.0 implements and supports version 5.3 of the Open Vulnerability and Assessment Language (OVAL). OVAL is an international standard that promotes openly-available security content. It is the common language for security experts to check for the presence of vulnerabilities and configuration issues on computer systems. OVAL provides a structured model for network and system administrators to detect vulnerabilities and configuration issues on managed systems.

Policy Auditor 5.0 uses the Checks user interface to import and export OVAL definitions or other formats supported by XCCDF. These checks can be filtered based on OVAL IDs, platforms, or any other criteria set by the user. The Check Details user interface displays a hyperlink to specific OVAL IDs, which displays the OVAL definition in XML format.

When a system is audited, the McAfee agent, which is an OVAL interpreter, processes the OVAL content according to the information in the XCCDF benchmarks contained in the audit. The OVAL content captures the state of the system at the particular point in time that the audit is run. The results are returned to Policy Auditor for analysis and reporting. The user specifies how long audit data is to be retained so that they or auditors can review any changes in the state of a system over time.

Policy Auditor has been certified by Mitre as OVAL Compatible in previous versions such as Policy Auditor 4.5.