Vendor Provided Validation Details - SAINT 7.10
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of SCAP Implementation:
SAINT supports the Security Content Automation Protocol (SCAP) specification as an Unauthenticated Vulnerability Scanner; Authenticated Vulnerability and Patch Scanner; Federal Desktop Core Configuration (FDCC) Scanner; United States Government Configuration Baseline (USGCB) Scanner; and Authenticated Configuration Scanner. SAINT supports the SCAP requirements defined for each of these components in SP 800-126, the SCAP specification, as verified by compliance testing against the Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements for these capabilities.
SAINT supports the open standard languages, enumerations and metrics in the specification, which currently include XCCDF, OVAL, CCE, CPE, CVE and CVSS. SAINT also supports the Federal Desktop Core Configuration (FDCC) configuration and policy and the U.S. Government Configuration Baseline (USGCB) by ingesting valid SCAP-expressed data streams and assessing target configurations against these baselines. SAINT also supports evaluating SCAP content to scan for compliance, vulnerabilities, and patches using both standalone OVAL definition files and OVAL definitions contained in SCAP-expressed data streams.
SAINT completes this capability with data analysis, links to external authoritative sources of information, and policy editing and reporting interfaces, which facilitate local policy investigation and analysis as well as compliance reporting, in canned and custom presentations, in machine-readable and many human-readable formats, such as HTML, PDF, XML and CSV.
Statement of FDCC Implementation:
SAINT Corporation asserts that the SAINT vulnerability scanning product, version 7.10, is fully functional and operates correctly as intended on systems using the Federal Desktop Core Configuration (FDCC), and does not require a change to FDCC settings in order to install and operate in accordance with SCAP specifications; to run a scan, the targets must meet only the requirements for running a normal SAINT authenticated scan. Targets can be scanned for FDCC compliance by importing the desired FDCC SCAP Data Stream, containing XCCDF and OVAL documents, and selecting it when choosing a scan policy to run. FDCC scans use CCE identifiers so that the configuration issues found are easy to track. SAINT produces multiple reports, in both the formats required for SCAP and some non-required formats for data analysis. The reports are viewable in the SCAP Data section of the SAINT GUI, and can also be bundled and downloaded for transfer or backup.
Statement of USGCB Implementation:
SAINT Corporation asserts that the SAINT vulnerability scanning product, version 7.10, is fully functional and operates correctly as intended on systems using the U.S. Government Configuration Benchmark (USGCB), and does not require a change to USGCB settings in order to install and operate in accordance with SCAP specifications; to run a scan, the targets must meet only the requirements for running a normal SAINT authenticated scan. Targets can be scanned for USGCB compliance by importing the desired USGCB SCAP Data Stream, containing XCCDF and OVAL documents, and selecting it when choosing a scan policy to run. USGCB scans use CCE identifiers so that the configuration issues found are easy to track. SAINT produces multiple reports, in both the formats required for SCAP and some non-required formats for data analysis. The reports are viewable in the SCAP Data section of the SAINT GUI, and can also be bundled and downloaded for transfer or backup.
Statement of CVE Implementation:
CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and other information security exposures. SAINT supports CVE by allowing vulnerability scans to be run for vulnerabilities selected by CVE ID. SAINT returns all vulnerability checks that detect the CVE, and includes CVE numbers in its vulnerability data analysis, reports and tutorials for ease of reference to related tools and resources. At the conclusion of a vulnerability scan, SAINT lets users view the list of vulnerabilities and continue their analysis with customized scanning by the CVE selected for a given vulnerability, or by other categories or values relevant to the analysis.
SAINTwriter then provides the capability to produce report output containing CVE IDs in a number of formats, such as HTML, XML and CSV. SAINT also provides hyperlinks to related resources, such as the SAINT on-line CVE Index, which includes the CVE ID, description and custom SAINT tutorials, as well as links directly to the official CVE descriptions at http://cve.mitre.org to facilitate further analysis, assessment and remediation.
Statement of CCE Implementation:
Common Configuration Enumeration (CCE) is a dictionary of names for software security configuration issues (e.g., access control settings, password policy settings). As such, CCEs describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools. SAINT supports CCE by displaying CCE IDs, in accordance with the specifications and the CCE 5.0 schema located at http://cce.mitre.org, for each configuration item in the scanning results produced for XCCDF scanning policies and profiles. SAINT also provides data drill-down and report configuration options that include displaying the CCE ID and description. CCE IDs are displayed in several of the reports offered via the Data Analysis -> SCAP Results page. These include the required output format, which is simply "CCE ID, pass/fail", and a detail format which organizes results by XCCDF Group and displays the result for each XCCDF Rule, giving the user the CCE IDs, the CCE descriptions, whether each CCE passed or failed against the target system, and why it passed or failed. SAINT also provides a policy editor that allows users to disable and enable configuration checks by CCE to meet specific network requirements.
Statement of CPE Implementation:
CPE (Common Platform Enumeration) is a structured naming scheme for information technology systems, software, and packages. SAINT supports CPE by using the CPE names defined in the official CPE dictionary at http://nvd.nist.gov/cpe.cfm, then mapping all known CVE(s) to the corresponding CPE(s) for a given year. SAINT also facilitates CPE content updates directly from the authoritative source, as a product feature, to remove the burden of data maintenance from the user and to ensure accurate and complete source data when CPE data is used. This CVE-CPE mapping is available within SAINTwriter as an option in custom reports.
Custom reporting features within SAINTwriter enable users to select all vulnerabilities in a given severity level, as well as define report parameters and options related to specific vulnerability categories and services, such as CPE, to display the CPE entries corresponding to each displayed vulnerability, if any. SAINTwriter then enables users to select their output format from a number of available formats, such as HTML, XML and CSV.
Statement of CVSS Implementation:
CVSS (Common Vulnerability Scoring System) is "a vulnerability scoring system designed to provide an open and standardized method for rating Information Technology vulnerabilities" and a framework for communicating the characteristics and impacts of IT vulnerabilities. SAINT supports CVSS through its scanning, analysis and reporting capabilities. SAINT lets users create custom scanning policies that include specified CVSS ranges when defining scan levels and setting up custom scans.
SAINTwriter can show the CVSS base score and CVSS base vector for each detected vulnerability as an optional column when creating custom reports. Custom reporting features within SAINTwriter enable users to select all vulnerabilities in a given severity level, as well as define report parameters and options related to specific vulnerability categories and services, such as the CVSS base score and CVSS base vector corresponding to each displayed vulnerability, if any. SAINTwriter then enables users to select their output format from a number of available formats, such as HTML, XML and CSV.
Additionally, SAINT provides support for CVSS as part of Payment Card Industry (PCI) Compliance. CVSS base scores are shown in SAINT as part of PCI compliance reports. CVSS base scores are used as the primary factor in determining whether a given device is compliant during a PCI compliance assessment.
Statement of XCCDF Implementation:
XCCDF (Extensible Common Configuration Data Format) is a specification language, defined by NIST, for writing security checklists, benchmarks, and related types of documents. SAINT provides the capability to import, validate, view, execute policy scans with, and report on benchmarks in XCCDF format. SAINT provides two methods of collection: 1) Select a supported policy to automatically download, validate and import a check. 2) Use SAINT's "SCAP Content Importer" tool to manually import definitions for validation and execution by SAINT's scanning engine. This capability includes support for XCCDF but also extends to a number of file formats, including: SCAP Expressed Data-Stream (.zip, .tar, .tar.gz, .tgz); OVAL Definitions files and XCCDF Benchmarks (.xml); and OVAL External Variable files (.xml, .var).
SAINT also provides a Policy Editor for users who wish to use an existing XCCDF-based policy as a template to edit and save a custom policy that supports local requirements. This editor allows users to view information such as the detailed descriptions of each group and rule contained in a policy, to enable and disable checks (rules), and to modify the values associated with certain rules.
XCCDF-based scan results can be viewed or downloaded in a number of compliance formats: the XCCDF Results document; an XCCDF human-readable results document; OVAL System Characteristics for each target; or the OVAL Results documents produced by the XCCDF scan.
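As an added example, not code from SAINT or from this page, the following reads an XCCDF 1.1.4 Results document of the kind listed above and produces the minimal "CCE ID, pass/fail" listing described in the CCE section; the sample TestResult, its rule ids and its CCE ids are constructed placeholders, not real FDCC/USGCB entries.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.1.4 namespace (the XCCDF version carried in SCAP 1.0 data streams)
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed sample of a TestResult as a scanner emits it after a benchmark
# run. Rule ids and CCE ids are placeholders, not real FDCC/USGCB entries.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <TestResult id="sample-result">
    <rule-result idref="minimum-password-length">
      <result>pass</result>
      <ident system="{CCE_SYSTEM}">CCE-0000-1</ident>
    </rule-result>
    <rule-result idref="account-lockout-threshold">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-0000-2</ident>
    </rule-result>
    <rule-result idref="unsupported-test">
      <result>notchecked</result>
      <ident system="{CCE_SYSTEM}">CCE-0000-3</ident>
    </rule-result>
    <rule-result idref="vendor-specific-rule">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def cce_results(xccdf_xml):
    """Return (CCE ID, result) pairs for each rule-result carrying a CCE ident.
    Rules without a CCE ident are skipped; results other than pass/fail
    (notchecked, notapplicable, error, ...) are kept verbatim so a reviewer
    can see which CCEs were never actually evaluated."""
    ns = {"x": XCCDF_NS}
    root = ET.fromstring(xccdf_xml)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns).strip()
        for ident in rr.iterfind("x:ident", ns):
            if ident.get("system") == CCE_SYSTEM and ident.text:
                rows.append((ident.text.strip(), result))
    return rows

def cce_pass_fail_csv(xccdf_xml):
    """The minimal 'CCE ID, pass/fail' listing, one CCE per line."""
    return "\n".join("%s,%s" % row for row in cce_results(xccdf_xml))
```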
Statement of OVAL Implementation:
Open Vulnerability and Assessment Language (OVAL) is an international information security standard that promotes open and publicly available security content and standardizes the transfer of this information across the entire spectrum of security tools and services. The SAINT product consumes and executes OVAL vulnerability, compliance, inventory, and patch definitions to determine and report issues found on remote systems. SAINT supports OVAL definitions of the patch, vulnerability, compliance, and inventory classes for Microsoft Windows and AIX only (other platforms to be supported in the future) and adheres to the latest OVAL 5.9 schema, with the exception of those tests and features noted in the SAINT OVAL documentation.
SAINT supports OVAL compliance checking by allowing users to import OVAL checks (standalone and/or SCAP-expressed data streams) from the OVAL repository, as well as user-developed XML files containing OVAL checks. A SCAP-expressed data stream is defined as "a collection of four or more related XML files containing SCAP data using the SCAP components that provide the data necessary to evaluate systems for compliance with a configuration-based security policy".
SAINT also allows OVAL result files to be viewed and downloaded via the GUI, and presents the results in a human-readable (non-XML) form as well.