Which organization manages the database that contains security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics?

About SCAP

SCAP (Security Content Automation Protocol) is a set of open standards that enumerate software flaws, security-related configuration issues, and product names, and that examine systems to determine the presence of vulnerabilities and rank (score) the impact of the discovered security issues. On the appliance, SCAP scans apply to Windows devices.

SCAP is maintained by the National Institute of Standards and Technology (NIST), and its use is mandated by government agencies such as the US OMB (United States Office of Management and Budget).

SCAP uses the US government’s National Vulnerability Database (NVD), which is a standards-based vulnerability management data repository. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. For more information on SCAP and NVD, go to the NIST websites at http://scap.nist.gov/index.html and http://nvd.nist.gov/.

SCAP supported versions and platforms

The appliance supports SCAP 1.0, 1.1, and 1.2, and SCAP is certified to run on Windows 7 and higher platforms (32-bit and 64-bit systems).

The appliance conducts SCAP scans using the KACE Agent software that is installed on managed devices. SCAP is not available for devices that do not have the KACE Agent software installed, such as Agentless devices.

How the appliance conducts SCAP scans

The appliance conducts SCAP scans by running scripts on selected Agent-managed devices using security configuration checklists from the National Checklist Repository.

For SCAP versions 1.0 and 1.1, the script processes the SCAP content, a set of XML files written using the following SCAP standards: CCE, CPE, CVE, CVSS, OVAL, and XCCDF. See Definitions of SCAP standards.

SCAP 1.2 adds the concept of the "Data Stream," where the individual component files of a checklist (the XCCDF, OVAL, and CPE content) are combined into a single XML file. In addition, SCAP 1.2 adds a new output format for scan results, ARF (Asset Reporting Format 1.1). For more information, go to http://scap.nist.gov/specifications/arf/.

The appliance uses the Agent software to perform SCAP scan compliance checks. The results files are uploaded to the appliance or organization database and collated into a single file for reporting to a government agency (if required). Results are also displayed for each device on the appliance’s SCAP Scan Results page.

If the Organization component is enabled on your appliance, you can view SCAP scan results for each organization separately.

SCAP uses the OVAL Interpreter version 5.10.1 and provides:

These features improve software security, threat assessment, and vulnerability correction.

Definitions of SCAP standards

SCAP scans monitor device security using specified protocols and standards.

Standard and definition:
CCE

Common Configuration Enumeration provides unique identifiers for system configuration issues, to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

The compliance-check results produced by the appliance's SCAP scan include the relevant CCE ID references, taken from the XCCDF rules and OVAL definitions, for every rule that the checklist designates for checking.

CCE information is available both in the XCCDF result file and the appliance’s SCAP Scan Results page.

CPE

Common Platform Enumeration is a structured naming scheme for information technology systems, platforms, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. In essence, CPE ensures that the security checklist is applied to the correct platform.

This information is available both in the XCCDF result file and the appliance’s SCAP Scan Results page.

CVE

Common Vulnerabilities and Exposures is a list or dictionary that provides standard identifiers (common names) for publicly known security vulnerabilities and software flaws.

The compliance checking results produced by the appliance SCAP scan include the relevant CVE ID references and OVAL definition for every rule checked in the checklist definition.

For every patch or vulnerability, CVE ID references are provided in the appliance’s SCAP Scan Result page.

The CVE information is stored in a patch result XML file generated by the scan. The file is available for inspection and verification in the Agent’s working directory and on the server’s SCAP Scan Results page.

CVSS

Common Vulnerability Scoring System provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model helps ensure repeatable, accurate measurement while letting users see the underlying vulnerability characteristics that were used to generate the scores. CVSS is well suited for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Among other uses, CVSS helps prioritize vulnerability remediation activities and calculate the severity of vulnerabilities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

OVAL

Open Vulnerability and Assessment Language is an international, information-security community standard for promoting open and publicly available security content. It standardizes the transfer of this information across the entire spectrum of security tools and services.

The results of each OVAL test are written to several files on the target device and then compiled into a single result file on the appliance and displayed on the SCAP Scan Results page.

SCAP

Security Content Automation Protocol is a set of open standards that enumerate software flaws, security-related configuration issues, and product names, and that examine devices to determine the presence of vulnerabilities and rank (score) the impact of the discovered security issues. See About SCAP.

XCCDF

The eXtensible Configuration Checklist Description Format is a specification language for writing security checklists, benchmarks, and related documents. An XCCDF file contains a structured collection of security configuration rules for a set of target devices. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. See How a SCAP scan works.

About benchmarks

A SCAP benchmark is a security configuration checklist that contains a series of rules for evaluating the vulnerabilities of a device in a particular operational environment.

NIST (the National Institute of Standards and Technology) maintains the National Checklist Repository, which contains security configuration checklists for specific IT products and categories of IT products.

The USGCB (United States Government Configuration Baseline) benchmark standard evolved from the FDCC (Federal Desktop Core Configuration), and currently addresses Windows 7 (along with earlier versions of Windows such as Windows XP or Windows Vista), and Internet Explorer versions 7 and 8.

A checklist is distributed as a ZIP file that contains several XML files, collectively called a SCAP stream. The primary file in the stream is the XCCDF file: a structured collection of security configuration rules for a set of target devices, which in essence lists the OVAL tests to run. The other XML files contain the OVAL definitions that the XCCDF file references. For detailed information on the XCCDF specification, go to http://scap.nist.gov/specifications/xccdf/.

A benchmark can contain one or more profiles. A profile specifies the rules that run on specific kinds of devices. For example, a benchmark might contain one set of rules for desktops and another set for servers.
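The profile mechanism described above is easiest to see by resolving one. The following added example (not KACE/Quest code, and not content from any published checklist) builds a constructed miniature XCCDF 1.2 benchmark with two profiles over three rules, then resolves a chosen profile to the exact list of OVAL definitions the scanning engine would have to evaluate. All benchmark, profile, rule and OVAL ids, the title text and the example-oval.xml href are placeholders. It handles only Rule-level selection; a full resolver also propagates Group selection and applies Profile extends and refine-value, which are omitted here.

```python
"""Resolve an XCCDF profile to the OVAL definitions the scan must evaluate.

Added example (not KACE/Quest code). The benchmark below is a constructed
miniature of a SCAP stream's XCCDF file; every id, title and href in it is a
placeholder, not an identifier from a published checklist.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}
RULE_TAG = f"{{{XCCDF_NS}}}Rule"

# Constructed benchmark: two profiles (desktop, server) over three rules.
# Note the rules' own 'selected' attributes differ from what the profiles choose.
SAMPLE_BENCHMARK = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_desktop">
    <select idref="xccdf_example_rule_pw_minlen" selected="true"/>
    <select idref="xccdf_example_rule_screensaver" selected="true"/>
    <select idref="xccdf_example_rule_remote_admin" selected="false"/>
  </Profile>
  <Profile id="xccdf_example_profile_server">
    <select idref="xccdf_example_rule_pw_minlen" selected="true"/>
    <select idref="xccdf_example_rule_remote_admin" selected="true"/>
  </Profile>
  <Group id="xccdf_example_group_all">
    <Rule id="xccdf_example_rule_pw_minlen" selected="false" severity="medium">
      <title>Minimum password length (placeholder)</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_screensaver" severity="low">
      <title>Screen saver lock (placeholder)</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_remote_admin" selected="false" severity="high">
      <title>Remote administration disabled (placeholder)</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def load_benchmark(xml_text):
    """Parse the XCCDF file and refuse anything that is not a 1.2 Benchmark."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Benchmark":
        raise ValueError("expected an XCCDF 1.2 Benchmark document")
    return root


def resolve_selection(root, profile_id=None):
    """Return {rule_id: selected} after applying the profile's <select> overrides.

    Per XCCDF, a Rule's own 'selected' attribute defaults to true; a Profile's
    <select> elements then override it. An unknown profile is an error rather
    than a silent fall-back to the rules' defaults, so a typo in a schedule
    cannot quietly scan against the wrong rule set.
    """
    selection = {rule.get("id"): rule.get("selected", "true") == "true"
                 for rule in root.iter(RULE_TAG)}
    if profile_id is None:
        return selection
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found in benchmark")
    for sel in profile.findall("x:select", NS):
        rule_id = sel.get("idref")
        if rule_id not in selection:
            raise ValueError(f"profile selects unknown rule {rule_id!r}")
        selection[rule_id] = sel.get("selected", "true") == "true"
    return selection


def oval_definitions(root, profile_id=None):
    """(href, OVAL definition id) pairs the engine must evaluate for the profile."""
    selection = resolve_selection(root, profile_id)
    defs = []
    for rule in root.iter(RULE_TAG):
        if not selection[rule.get("id")]:
            continue
        for check in rule.findall("x:check", NS):
            if check.get("system") != OVAL_SYSTEM:
                continue  # e.g. OCIL questionnaires are not OVAL content
            for ref in check.findall("x:check-content-ref", NS):
                defs.append((ref.get("href"), ref.get("name")))
    return defs


if __name__ == "__main__":
    bench = load_benchmark(SAMPLE_BENCHMARK)
    for profile in ("xccdf_example_profile_desktop", "xccdf_example_profile_server"):
        print(profile)
        for href, name in oval_definitions(bench, profile):
            print(f"  {href} -> {name}")
```

Run it and the desktop profile yields definitions 1 and 2 while the server profile yields 1, 2 and 3: the screen-saver rule is never named by the server profile but is still scanned because its own selected attribute defaults to true. Resolving with no profile at all gives only definition 2, which is why a schedule should always pin a profile explicitly.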

How a SCAP scan works

Before SCAP scans are conducted, the appliance imports and verifies a benchmark. After it is imported and verified, the benchmark is loaded into the appliance and the XCCDF file undergoes a process called resolution.

During resolution, the oval-command.zip file is generated. This ZIP file contains the input files necessary to run a particular profile. You can view the files on the Script Detail page. See Configure SCAP schedules.

The SCAP scan is controlled by a KScript. When the scan runs, the following files are downloaded to the target device as script dependencies:

benchmark.zip: contains the benchmark files, that is, the SCAP Stream that was uploaded to the appliance. (The XCCDF file is not actually used by the device.)

ovalref.zip: contains the OVAL scanning engine (ovaldi.exe).

The KScript initiates the OVAL scans on the target device and generates several results files. The OVAL scanning engine runs two or three times:

Each run generates a results file. These files are named according to the run. For example, the file from the first run is named scap-profile-10-result-1.xml and the second is named scap-profile-10-result-2.xml. These files are located in the following directory: C:\Documents and Settings\All Users\Quest\KACE\kbots_cache\packages\kbots\<working directory>.

To find the KACE Agent’s working directory, go to Inventory > Devices > Device Detail > Logs.

These results files are then uploaded to the appliance and collated into a single results file (xccdf-results.xml). You can use this file for reporting the results to a government agency such as the US OMB (United States Office of Management and Budget). The appliance and managed device retain only the latest results files.

In the final step of a run, a subset of the results files is extracted and stored in the Organization database for reporting and displayed on the SCAP Scan Results page for each device.

The database tables that contain this information are SCAP_RESULT, SCAP_RESULT_RULE, and SCAP_RESULT_SCORE. See View SCAP scan results.
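The collated xccdf-results.xml is what you would hand to an auditor, so it is worth being able to read it independently of the appliance's dashboard. The following added example (not KACE/Quest code) parses a constructed XCCDF 1.2 TestResult for one device, applies the XCCDF scoring rules to decide which rule results count, computes the compliance percentage, applies the appliance's 100% pass threshold, lists the failing rules with their CCE and CVE idents, and cross-checks the computed percentage against the score element the file itself reports. The target name, rule ids and the CCE-EXAMPLE/CVE-EXAMPLE idents are placeholders; the file layout follows the XCCDF 1.2 TestResult schema. Scoring here is the flat-unweighted style (compliant rules over scored rules), not the hierarchical XCCDF default model, so the cross-check is against the flat-unweighted score only.

```python
"""Summarize a collated XCCDF TestResult (xccdf-results.xml) for one device.

Added example (not KACE/Quest code). The results document is constructed and
its target, rule ids and CCE/CVE idents are placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
FLAT_UNWEIGHTED = "urn:xccdf:scoring:flat-unweighted"

# XCCDF scoring rules: pass/fixed count as compliant, fail/error/unknown as
# non-compliant; notapplicable, notchecked, notselected and informational
# are excluded from the score entirely.
COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}

# Constructed result file: four rule results, one of which is not applicable.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_demo"
            start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:05:00">
  <benchmark href="example-xccdf.xml" id="xccdf_example_benchmark_demo"/>
  <profile idref="xccdf_example_profile_desktop"/>
  <target>WORKSTATION-01</target>
  <rule-result idref="xccdf_example_rule_pw_minlen" severity="medium">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_screensaver" severity="low">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_bitlocker" severity="high">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_patch_kb" severity="high">
    <result>error</result>
    <ident system="http://cve.mitre.org">CVE-EXAMPLE-0003</ident>
  </rule-result>
  <score system="urn:xccdf:scoring:flat-unweighted" maximum="3">1</score>
</TestResult>
"""


def parse_test_result(xml_text):
    """Parse the file and refuse anything that is not an XCCDF 1.2 TestResult."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}TestResult":
        raise ValueError("expected an XCCDF 1.2 TestResult document")
    return root


def rule_results(root):
    """One dict per <rule-result>: rule id, outcome, severity and (system, id) idents."""
    rows = []
    for rr in root.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        idents = [(i.get("system"), (i.text or "").strip()) for i in rr.findall("x:ident", NS)]
        rows.append({"rule": rr.get("idref"), "result": result or "unknown",
                     "severity": rr.get("severity", "unknown"), "idents": idents})
    return rows


def summarize(xml_text):
    """Compliance summary for the device; 'passed' applies the 100% threshold."""
    root = parse_test_result(xml_text)
    rows = rule_results(root)
    scored = [r for r in rows if r["result"] in COMPLIANT | NONCOMPLIANT]
    compliant = [r for r in scored if r["result"] in COMPLIANT]
    percent = 100.0 * len(compliant) / len(scored) if scored else 0.0
    reported = {s.get("system"): (float(s.text), float(s.get("maximum", "100")))
                for s in root.findall("x:score", NS)}
    profile = root.find("x:profile", NS)
    return {
        "target": root.findtext("x:target", default="", namespaces=NS).strip(),
        "profile": profile.get("idref") if profile is not None else None,
        "total_rules": len(rows),
        "scored_rules": len(scored),
        "compliant": len(compliant),
        "percent": round(percent, 1),
        "passed": bool(scored) and percent == 100.0,
        "failures": [r for r in scored if r["result"] in NONCOMPLIANT],
        "reported_scores": reported,
    }


def score_matches_reported(summary, tolerance=0.06):
    """Cross-check the computed percentage against the file's own flat-unweighted score.

    Returns None when the file carries no such score, False when the rule-level
    results and the summary score disagree (a sign of a truncated or edited file).
    """
    if FLAT_UNWEIGHTED not in summary["reported_scores"]:
        return None
    value, maximum = summary["reported_scores"][FLAT_UNWEIGHTED]
    if maximum <= 0:
        return False
    return abs(100.0 * value / maximum - summary["percent"]) <= tolerance


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(f"{s['target']} ({s['profile']}): {s['compliant']}/{s['scored_rules']} scored rules "
          f"compliant, {s['percent']}%, passed={s['passed']}, "
          f"score consistent={score_matches_reported(s)}")
    for f in s["failures"]:
        ids = ", ".join(v for _, v in f["idents"]) or "-"
        print(f"  {f['result']:<6} {f['severity']:<7} {f['rule']} [{ids}]")
```

On the constructed file the device scores 1 of 3 (33.3%) and fails the benchmark; the notapplicable rule is listed but not scored, and the error result counts against the device rather than being ignored. The same parser can be pointed at the scap-profile-N-result-N.xml files left in the Agent's working directory to confirm what was uploaded.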

Access SCAP Scan information

You can access SCAP Scan information in the Security section.

a. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.

Catalog: Shows the status of SCAP benchmarks. Additionally from this page, you can import checklists, delete checklists, and export a checklist to CSV format.

Schedules: Displays the name of the benchmarks and when they are scheduled to run. Additionally from this page, you can add and delete benchmarks, enable or disable benchmarks, and export a benchmark to CSV format.

Reporting: Shows the general results of SCAP scans.

The page also displays a dashboard that shows the results by benchmark. For a device to pass a benchmark, it must score 100%.

View and manage benchmarks

You can view and manage SCAP benchmarks, which include profiles and checklists that have been imported to the appliance.

Additionally, you can import benchmarks, delete benchmarks, and export benchmarks to CSV format by selecting Choose Action on the SCAP Catalog page.

1. Go to the SCAP Catalog list:

a. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.

c. On the SCAP Scan panel, click Catalog.

2. Optional: Specify which benchmarks are displayed using either the View By drop-down list or the Search field.

3. Optional: To sort the benchmarks, click a column heading.

The SCAP Catalog contains general information about the selected benchmark and the time and date that the SCAP data was uploaded to the appliance. See Download benchmarks from the archive.

Import and modify benchmarks

You can import and modify benchmarks from the National Checklist Repository as needed.

1. Go to the SCAP Catalog list:

a. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.

c. On the SCAP Scan panel, click Catalog.

2. Select Choose Action > Import New Checklists.

The SCAP Configuration Scan Settings page appears and displays Step 1 of the import wizard.

3. Click Browse or Choose File to import a benchmark ZIP file.

7. Optional: Click Browse or Choose File to find and upload a custom engine and its configuration files.

A dialog box appears indicating that the benchmark file is being loaded, followed by the Script Detail page. See Editing SCAP scan schedules.

Configure SCAP schedules

You can import benchmarks or definitions, and change settings for SCAP scans, by configuring SCAP schedules.

1. Go to the SCAP Scan Schedules list:

a. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.

c. On the SCAP Scan panel, click Schedules.

2. Select Choose Action, then select an action to add or delete benchmarks, enable or disable benchmarks, or export a benchmark to CSV format.

The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), consult NIST's Public Data Repository.

What is the NIST National Vulnerability Database?

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance.

What is the name of a database that is used for vulnerabilities?

A vulnerability database (VDB) assigns a unique identifier to each vulnerability it catalogs, such as a number (e.g. 123456) or an alphanumeric designation (e.g. VDB-2020-12345). Information in the database can be made available via web pages, exports, or an API. A VDB can provide the information for free, for pay, or a combination thereof.

What does CVE stand for?

CVE stands for Common Vulnerabilities and Exposures. CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.