Learning about SCAP

Information Security Automation Program (ISAP)

The Information Security Automation Program (ISAP) automates and standardizes technical security operations. Primarily focused on government, ISAP offers security checking, remediation, and automation of technical compliance activities to such regulations as FISMA and the FDCC.

ISAP objectives include enabling standards-based communication of vulnerability data, customizing and managing configuration baselines for various IT products, assessing information systems and reporting compliance status, using standard metrics to weight and aggregate potential vulnerability impact, and remediating identified vulnerabilities.

SCAP standards

Common Vulnerabilities and Exposures (CVE)

The SCAP CVE standard is a dictionary of publicly known information security vulnerabilities that enable data exchanges between security products and provide a baseline index point for evaluating coverage of tools and services.

HCL BigFix has actively supported CVE for several versions of the product and maintains a mature product integration with CVE content. Any security patch or vulnerability that has an associated CVE ID and is available as either a SCAP data stream or available through other HCL BigFix developed processes will display the relevant CVE ID within the HCL BigFix console.

You can find this ID associated with a given security patch or vulnerability by opening the HCL BigFix console and navigating to a patch or vulnerability Fixlet site, double-clicking a relevant Fixlet, selecting the Details tab and viewing the CVE ID. The CVE ID is also accessible from other views and can be used as part of the reporting criteria for detailed and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.

Common Configuration Enumeration (CCE)

The SCAP CCE standard provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can associate checks in configuration assessment tools with statements in configuration best practice documents. The HCL BigFix platform includes the ability to assess workstations, laptops, servers, and mobile computing devices against common configuration settings to identify misconfiguration states in a diverse computing environment. HCL BigFix fully supports CCE and displays the CCE ID for each misconfiguration for which there is a CCE ID within the HCL BigFix console. In the case where a misconfiguration is associated with multiple CCE IDs, all IDs are cross-referenced and displayed.

To find the CCE ID associated with a configuration setting, open the HCL BigFix console and navigate to a configuration setting used by a SCAP data stream. Click on a Fixlet that represents a configuration setting and view the Source ID column. The Source ID displays the CCE ID. The CCE ID is also accessible from other views and can be used as part of the reporting criteria for detailed reports and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.

Common Platform Enumeration (CPE)

The SCAP CPE standard is a structured naming scheme for information technology systems, platforms, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. HCL BigFix uses CPE to ensure that configuration settings are assessed on the correct system. Regardless of the operating system, the CPE ID can identify a platform and ensure that an assessment is performed.

You can assess and remediate system configurations by targeting systems by platform in addition to other targeting mechanisms. By targeting a particular platform, you can ensure that system scans are done properly and are weighed against applicable configuration checks. Checks are assessed in real-time based on the platform and policies can be enforced, giving administrators current visibility and control over platforms in a distributed or non-distributed computing environment.

Common Vulnerability Scoring System (CVSS)

The SCAP CVSS standard provides an open framework for communicating the characteristics of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while displaying vulnerability characteristics used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and agencies that need accurate and consistent vulnerability impact scores.

HCL BigFix assesses and reports on vulnerabilities and quantifies the impact for multiple computing platforms. HCL BigFix fully supports the CVSS standard and displays both the CVSS base score for each applicable vulnerability and the CVSS Base Score Vector used to produce the score.

HCL BigFix administrators can access the CVSS score and the associated vector string from within the HCL BigFix console. For additional details, administrators can navigate to the a vulnerability definition from within the Fixlets. HCL BigFix provides a link for administrators to connect to the CVSS definition located on the NVD website. HCL BigFix enhances the value of CVSS by displaying this common metric for detailed reports on individual end-point systems and for large groups of systems reported on in the aggregate.

Extensible Configuration Checklist Description Format (XCCDF)

The SCAP XCCDF standard is a specification language for writing security checklists, benchmarks, and related documents. An XCCDF document represents a structured collection of security configuration rules for some sets of target systems and is the core element of the SCAP data stream. The specification also defines a data model and format for storing results of checklist compliance testing.

SCAP data streams use the XCCDF format to translate underlying configuration checks that are defined in HCL BigFix Fixlets. When created, these SCAP-based configuration Fixlets allow administrators to assess their computing assets against the SCAP-defined configuration rules in real-time and on a global scale.

When the SCAP configuration rules are imported into HCL BigFix, any system can immediately assess against the defined configuration rules. The results of those configuration checks are relayed to the HCL BigFix console, where administrators can view results and generate detailed reports on an individual system or on large groups of systems.

HCL BigFix also exports the results of the configuration checks into the defined XCCDF report format so that the organization can store, send, or import those reports into another tool.

Open Vulnerability and Assessment Language (OVAL)

The SCAP OVAL standard is an international, information security community standard that promotes security content and standardizes the transfer of this information across an entire spectrum of security tools and services. The OVAL language is a collection of XML schema for representing system information, expressing specific machine states, and reporting the results of an assessment.

Through a repository of vulnerability assessment policies, HCL BigFix assesses managed computers against OVAL vulnerability definitions using real-time data tracking based on the data elements of each definition. These policies are automatically retrieved by the HCL BigFix product within an organization's network. When validated for authenticity, the policies are made available to the HCL BigFix client installed on each managed computer and added to their local library of configuration policies. The agent continuously evaluates the state of the machine against each policy so that any instance of non-compliance can be reported to the HCL BigFix Server for administrator review. If pre-authorized by an administrator, the appropriate corrective action is applied to the computer immediately upon misconfiguration detection, even to remote or mobile users not connected to the organization's network.

Asset Reporting Format (ARF)

The Asset Reporting Format (ARF) is a standardized data model that is able to capture report requests, reports, assets and their relationships. HCL BigFix can generate standard ARF reports which can be used to further analyze or import into other third party applications.