...
The specifications that comprise SCAP are as follows:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
General SCAP Requirements:
- SCAP.V.1.2: The vendor SHALL supply documentation on how to import an SCAP data stream, apply it against a target, and produce an SCAP result data stream conforming to the ARF specification.
See Generate Cyberscope Report.
- SCAP.V.1: The vendor shall indicate where in the product documentation information regarding the use of SCAP can be found.
See [REVIEW] Standards.
- SCAP.V.3.1: The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.
See [REVIEW] Standards.
- SCAP.V.3.2: The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.
See [REVIEW] SAS 8.x 1 Overview.
- SCAP.V.4: The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.
See Viewing Results in Other Formats.
XCCDF + OVAL Requirements
- SCAP.V.5: The vendor shall provide documentation and instruction on how to import an SCAP-expressed data stream for the target platform, including XCCDF and OVAL content, into the product.
See [READY] Importing Profiles.
- SCAP.V.6: The vendor shall provide instruction on where the corresponding XCCDF and OVAL results files can be located for inspection.
Right-click on the computer in the view at the bottom of the policy that has completed an assessment, then click Resource Manager. Under the Data tab, navigate to the Event Classes accordion item, then to Data Classes > Arellia > Security Analysis > OVAL Analysis. Select the assessment in the list, then right-click and click View Raw Oval Results Document or View Raw XCCDF Results.
...
- SCAP.V.7: The vendor shall provide instructions on where the XCCDF Rules and their associated CCE IDs can be visually inspected within the product output.
See [EDITING] Viewing Analysis Results. CCE IDs are listed in the rule configuration when double-clicked in the Compliance Viewer.
...
- SCAP.V.8: The vendor shall provide instructions on how the product indicates the validity of the imported SCAP-expressed data stream to a target platform. Instructions should also describe how the imported data stream is indicated to not be valid for a target platform. This requirement is testing the use of the OVAL check associated with a CPE name via the CPE dictionary to determine applicability of the data stream.
See [EDITING] Create a Security Analysis Policy. Selecting the profile will choose the associated target computers (if any exist).
...
- SCAP.V.10: The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
See [READY] Importing Profiles.
Misconfiguration Remediation
- SCAP.V.12: The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.
See: