Vendor Provided Validation Details - CA IT Client Manger r12.5

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities:


Statement of FDCC and USGCB Compliance


The CA IT Client Manager product handles both FDCC and USGCB checklists. Where "FDCC scanner" is mentioned, it also refers to the USGCB scanner.


The following settings must be altered on the FDCC or USGCB-compliant machines for CA ITCM to function properly:

        The firewall policy on Windows XP and Windows 7 must be modified to alter the following settings:

       Disable the Do not allow exceptions setting

       Enable the Allow local port exceptions setting and add the following ports to the exception ports on the firewall:

  TCP port 4105

  UDP port 4104

  TCP port 4728

        On Windows 7 machines, UAC must be disabled at the time of installing the FDCC scanner and can be enabled after the installation is complete.

To do this, perform the following steps:

1.      Click Start, Run, and enter gpedit.msc at the Run prompt.

2.      In the Group Policy dialog, locate the policies on the following path: Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Standard Profile.

3.      Change the "Windows Firewall: Do not allow exceptions" policy setting to Disabled.

4.      Change the "Windows Firewall: Allow local port exceptions" policy setting to Enabled.


The ports described above are used by the internal communications mechanisms of the CA ITCM product, which will not operate unless they can be accessed—agents will be unable to contact their manager or report inventory or status, and control messages will not be passed from the manager to the agent. Communications over these ports is securely encrypted and managed by the CA ITCM product; CA ITCM Release 12.5 uses FIPS-compliant encryption.


Statement of SCAP Implementation

The FDCC scanner provided by CA IT Client Manager is built around Security Content Automation Protocol (SCAP). SCAP is a suite of selected open standards that enumerate software flaws, security-related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues.

CA IT Client Manager implements compliance checking of any SCAP 1.1 data stream written in the XML formats leveraged by the SCAP standard: XCCDF, CCE, CVE, CPE, CVSS and OVAL. The FDCC scanner provided by CA IT Client Manager is implemented as an Asset Management inventory module. The scanner is distributed to all the agents, which then performs the compliance check at the scheduled time and produces the output files required by the specifications. It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. It uses the CPE, CCE, CVSS, and CVE reference protocols to help ensure that all rules are accurately and appropriately reflected in the system. The scanner reports the results to the central management database for inspection, reporting, and querying. The result files are generated for each file in the input SCAP data stream and are stored on the agent computer for verification.


Statement of CVE Implementation

CA IT Client Manager implements the Common Vulnerabilities and Exposures (CVE) standard. CVE is a list or dictionary that provides standard identifiers for publicly known information security vulnerabilities and software flaws. The compliance checking results produced by CA IT Client Manager's FDCC scanner will include the relevant Common Vulnerabilities and Exposures (CVE) ID references in the output for every rule checked, provided such references are included in the checklist definition itself. The CVE information is stored in the patch result XML file generated by the scanner and is available in the agent's working directory for inspection and verification.

In SCAP data streams, OVAL content meant for the detection of applications, patches, or vulnerabilities can contain CVE ID references identifying the exact element in the CVE list that the content is looking for. The FDCC checklists for Windows XP and IE7 contain separate OVAL files dedicated to this purpose and include CVE IDs. The same applies to the USGCB checklists for Windows 7 and IE8.

When processing these SCAP data streams, the OVAL result files generated will also include the CVE ID references for each OVAL definition. Additionally, the inventory data presented for the target system in the product GUI will contain a "Detailed patch results" group where every OVAL definition meant for detecting patches or vulnerabilities has its own subgroup. And this subgroup contains a "CVE References" table wherever the OVAL definition has such references defined in the SCAP data stream itself.


Statement of CCE Implementation

CA IT Client Manager implements the CCE standard. Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

In an SCAP data stream references to CCE IDs may be present in either the XCCDF file or in OVAL files. In the XCCDF file, the CCE reference will take the form of <ident> tags listing CCE IDs associated with each rule in the list. If the CCE IDs are present in the XCCDF file, the FDCC scanner will include those references for each rule result. This information will be available both in the XCCDF result file produced and in the inventory data sent to the database. The users can view the CCE ID reference in the product GUI.

The OVAL files may contain CCE IDs associated with each OVAL definition. These are contained in <reference> tags. If such references are present they will be included in the OVAL result files produced while processing the OVAL definitions. The name and location of the output files that contain CCE IDs can be viewed from the product GUI.


Statement of CPE Implementation

CA IT Client Manager implements the CPE standard. Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.

An SCAP data stream may optionally include a CPE dictionary, which maps CPE names to OVAL definitions that test for the presence of the OS or application identified by that CPE name. The FDCC scanner provided by CA IT Client Manager uses this dictionary when the XCCDF file from the data stream contains <platform> tags, which indicate that the XCCDF file requires the presence of the specified CPE name. The XCCDF results files will contain the CPE names in the <platform> tags to indicate a successful platform test for the entire checklist. The name and location of the output files that contain CPE reference information can be viewed from the product GUI.


Statement of CVSS Implementation

CA IT Client Manager implements the CVSS standard. Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model helps ensure repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

For every patch or vulnerability, CVE ID references are provided in the product GUI. The product GUI also provides detailed patch results that contain the CVE URL and the NVD URL. The user can use the URL to visit the NIST's web page for the corresponding CVE ID's entry in their National Vulnerability Database, where the CVSS score and further information about the vulnerability may be found.


Statement of XCCDF Implementation

CA IT Client Manager implements the XCCDF standard. eXtensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

The FDCC scanner provided by CA IT Client Manager can read the XCCDF file and scan the target computers based on the rules given in the XCCDF file. The scanner generates an inventory file that contains the results for each rule in the XCCDF file. The information in the inventory file is stored in the centralized management database, which can then be viewed from the product GUI. The XCCDF output file is also stored in the agent's working directory on each agent computer. The results for each rule and the final scores are displayed in the product GUI. The product GUI also displays the name and the location of the XCCDF files processed as input, and the results files produced as output after a compliance check.


Statement of OVAL Implementation

CA IT Client Manager implements the Open Vulnerability and Assessment Language (OVAL) standard. OVAL is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.

Checklist rule definitions in XCCDF files typically use references to OVAL definitions in OVAL files as the way to indicate how to check a target machine for compliance with the rule. Similarly, CPE Names listed in CPE dictionary also use references to OVAL definitions to specify how to check for the presence of the piece of software indicated by the name. All of the bundled FDCC SCAP data streams contain at least one OVAL file for each of these purposes.

For each evaluated OVAL file, the OVAL interpreter produces an OVAL results file in the agent's working directory. The name and location of all the OVAL files processed as input, and the results files produced as output after a compliance check can be viewed from the product GUI.