...

General SCAP Requirements:

  • SCAP.V.1: The vendor shall indicate where in the product documentation information regarding the use of SCAP can be found.

    See Standards.
  • SCAP.V.3.1: The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.

    See Standards.
  • SCAP.V.3.2: The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.

    See Overview.
  • SCAP.V.4: The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.

    See Viewing Results in Other Formats.

...

XCCDF + OVAL Requirements

  • SCAP.V.5: The vendor shall provide documentation and instruction on how an SCAP-expressed data stream for the target platform, including XCCDF and OVAL content, can be imported into the product and subsequently executed.

    See Importing Profiles.

...

  • SCAP.V.6: The vendor shall provide instruction on where the corresponding XCCDF and OVAL results files can be located for inspection.

    Right-click on the computer in the view at the bottom of the policy that has completed an assessment, then click Resource Manager. Under the Data tab, navigate to the Event Classes accordion item, then to Data Classes > Arellia > Security Analysis > OVAL Analysis. Select the assessment in the list, then right-click and click View Raw Oval Results Document or View Raw XCCDF Results.

XCCDF + CCE Requirements

  • SCAP.V.7: The vendor shall provide instructions on where the XCCDF Rules and their associated CCE IDs can be visually inspected within the product output.

    See Viewing Analysis Results in Other Formats. CCE IDs are listed in the rule configuration when the rule is double-clicked in the Compliance Viewer.

XCCDF + OVAL + CPE Requirements

  • SCAP.V.8: The vendor shall provide instructions on how the product indicates the validity of the imported SCAP-expressed data stream to a target platform. Instructions should also describe how the imported data stream is indicated to not be valid for a target platform. This requirement is testing the use of the OVAL check associated with a CPE name via the CPE dictionary to determine applicability of the data stream.

    See Creating a Policy. Selecting the profile will choose the associated target computers (if any exist).

CVSS + CCE

See CVSS Requirements for the SCAP.V.9 requirement.

Misconfiguration Remediation