
SCAP: Security Content Automation Protocol 1.1/1.2

Introduction
The Security Content Automation Protocol (SCAP) is a suite of specifications, developed by NIST under FISMA (2002), that standardizes the formats and nomenclature used to exchange security configuration and vulnerability information.

SCAP consists of languages that describe formats (XCCDF, OVAL, OCIL), naming conventions (the enumerations CPE, CVE and CCE) for publicly known platforms, vulnerabilities and configuration issues, and a scoring system (CVSS) to weight those vulnerabilities. From version 1.2 it also includes a reporting format, the Asset Reporting Format (ARF).
In a nutshell, SCAP-expressed checklists use a standardized language (XCCDF) to express what checks should be performed (OVAL, OCIL), which platforms are being discussed (CPE), and which security settings (CCE) and software flaw vulnerabilities (CVE) should be addressed.

Motivation
Automation, Standardization, Customization

Why automate? Why standardize? Why customize? Why were these tasks tedious without SCAP?
- The number and variety of systems to secure.
- The need to respond quickly to new threats.
- The lack of interoperability.

Uses
- Security checklist verification
- Artifact identification
- Requirements evidence
- Standardized enumerations
- A single central report from various benchmarks
- Continuous monitoring
- Remediation (not directly supported)
- Security measurement (scoring, prioritizing)

What does it offer

- To security content developers:
- To system administrators:
- To compliance tool developers:

Attempts at standardization have been made at various levels, but never as a whole.

Why previous attempts are not apt

1.

2.

Overview of SCAP (1.2)

11 components, 5 categories. The SCAP protocol itself is an additional higher-level specification that defines how the component specifications are to be used together in support of SCAP.

1. Languages
- Extensible Configuration Checklist Description Format (XCCDF) 1.2: a language for authoring security checklists/benchmarks and for reporting the results of evaluating them
- Open Vulnerability and Assessment Language (OVAL) 5.10: a language for representing system configuration information, assessing machine state, and reporting assessment results
- Open Checklist Interactive Language (OCIL) 2.0: a language for representing assessment content that collects information from people or from existing data stores made by other data collection efforts

2. Reporting Formats
- Asset Reporting Format (ARF) 1.1: a format for expressing the exchange of information about assets and the relationships between assets and reports
- Asset Identification 1.1: a format for uniquely identifying assets based on known identifiers and/or known information about the assets

3. Enumerations
- Common Platform Enumeration (CPE) 2.3: a nomenclature and dictionary of hardware, operating systems, and applications, plus an applicability language for constructing complex logical groupings of CPE names
- Common Configuration Enumeration (CCE) 5: a nomenclature and dictionary of software security configurations
- Common Vulnerabilities and Exposures (CVE): a nomenclature and dictionary of security-related software flaws

4. Measurement and Scoring Systems
- Common Vulnerability Scoring System (CVSS) 2.0: a system for measuring the relative severity of software flaw vulnerabilities
- Common Configuration Scoring System (CCSS) 1.0: a system for measuring the relative severity of system security configuration issues

5. Integrity Protection
- Trust Model for Security Automation Data (TMSAD) 1.0: a specification for using digital signatures in a common trust model applied to other security automation specifications

XCCDF
Every system administrator has local policies and standards that their systems are supposed to comply with, and there are many security-audit tools to check compliance. However, many of these tools don't allow easy customization to local policy, or dropping in new third-party policy definitions. XCCDF is an XML-based format that addresses these problems by providing a unified way to describe:
- System configuration policies/benchmarks/standards, such as those from CIS, STIG, etc.
- How software can evaluate systems for policy compliance, using MITRE's Open Vulnerability and Assessment Language (OVAL) or similar schemes.
- How people and/or software can fix systems that don't comply.
- How well a particular system conforms to a policy, for reporting purposes.

To further clarify, XCCDF defines a high-level security benchmark that is designed to interface with lower level rule checks (OVAL) that in turn can be used by a security tool to perform a configuration check or other functions. For example, the XCCDF document for a Windows best practice configuration might define that the minimum password length should be eight characters. This check would get passed to the OVAL document that actually defines the registry value to validate that the setting on a target machine matches the XCCDF specification.

Benefits:
- Extending (ensuring selectivity; finding incompatible/unwanted rules)
- Tailoring
- Combining checklists from various sources
- Automation
- Changing a value, property, priority or severity
- Standardizing input and output results
- Inclusion of content that does not contribute directly to the technical content, such as an introduction, a rationale, warnings, and external references.
XCCDF also provides document authors with mechanisms for formatting text, including images, and referencing other information resources (e.g., prose publications), but these mechanisms are separable from the text itself so they can be filtered out by applications that do not support or require them.

XCCDF Language Elements
- Benchmark
- Profile
- Items (Group, Rule, Value)
- Tailoring (of a benchmark using a profile)
- Metadata (Dublin Core; applicable to all elements)
- Status (at all levels): incomplete, draft (released in draft state), interim (revised and in the process of being finalized), accepted, deprecated
- Signature, plain-text (for reuse), reference, platform
- <fixtext>, <fix>, <check>, <complex-check>, <ident>, impact-metric (CVSS; don't use), severity, cluster-id
- The @system property of <fix> can be used to execute system commands, all kinds of shell scripts, and even patch checks provided by vendors.
- Selectors; cluster-id (can be used for parallelization if provided)
- TestResult: may be a child of the Benchmark or may refer to it (in a different file for SCAP?); it maps to a single benchmark.
- rule-result, <result>: "pass, fail, unknown, notapplicable (NA), error, fixed, notchecked, etc." These can also be mapped from OVAL/OCIL results as per the SCAP rules.
- override (for inaccurate results), fact (records facts about the IT asset to which an <xccdf:TestResult> applies), and a lot more

OCIL (Open Checklist Interactive Language)


The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and the corresponding procedures to interpret responses to these questions. It is called from the <check> element of XCCDF only when a check can't be handled using OVAL. OCIL provides the conceptual framework for representing non-automatable questions. The following list defines the features supported by OCIL:
- Ability to define questions (of type Boolean, Choice, Numeric, or String)
- Ability to define possible answers to a question from which the user can choose
- Ability to define actions to be taken resulting from a user's answer
- Ability to enumerate the result set
- Records user responses as direct results
Major elements: generator, questionnaire, question (question_text, ...), test_action, etc.

CPE
Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE does not identify unique instantiations of products on systems; it identifies abstract classes of product. (Uses: applicability, verification)

Naming: The Naming specification defines the logical structure of Well-formed Names (WFNs), URI bindings, and formatted string bindings, and the procedures for converting WFNs to and from the bindings.

Name Matching: The Name Matching specification defines the procedures for comparing WFNs to each other so as to determine whether they refer to some or all of the same products.

Dictionary: The Dictionary specification defines the concept of a CPE dictionary, which is a repository of CPE names and metadata, with each name identifying a single class of IT product. The Dictionary specification defines processes for using the dictionary, such as how to search for a particular CPE name or look for dictionary entries that belong to a broader product class. Also, the Dictionary specification outlines all the rules that dictionary maintainers must follow when creating new dictionary entries and updating existing entries.

Applicability Language: The Applicability Language specification defines a standardized structure for forming complex logical expressions out of WFNs. These expressions, also known as applicability statements, are used to tag checklists, policies, guidance, and other documents with information about the product(s) to which the documents apply. For example, a security checklist for Mozilla Firefox 3.6 running on Microsoft Windows Vista could be tagged with a single applicability statement that ensures only systems with both Mozilla Firefox 3.6 and Microsoft Windows Vista will have the security checklist applied.
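A simplified implementation of the Name Matching and Applicability ideas above, added here as an example (not part of the original slides): it parses CPE 2.3 formatted-string bindings, compares a checklist's platform names with an inventoried product attribute by attribute, and evaluates the Firefox 3.6 on Windows Vista applicability statement. It assumes no escaped colons and no "?"/"*" wildcards inside attribute values; only the logical values ANY ("*") and NA ("-") are handled.

```python
# Simplified CPE 2.3 Name Matching (per NISTIR 7696) over formatted-string bindings:
# the checklist's platform names (source) are compared attribute by attribute with
# inventoried products (target). Added example, not from the slides; supports the logical
# values ANY ("*") and NA ("-") but not "?"/"*" wildcards inside values or escaped colons.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"

def parse_fs(fs):
    """'cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*' -> dict attribute -> value (case-folded)."""
    parts = fs.lower().split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 2 + len(ATTRS):
        raise ValueError("not a CPE 2.3 formatted string: " + fs)
    return dict(zip(ATTRS, parts[2:]))

def compare_attr(src, tgt):
    """Set relation of one attribute pair: EQUAL, SUPERSET (src contains tgt), SUBSET or DISJOINT."""
    if src == tgt:
        return "EQUAL"            # same value, both ANY, or both NA
    if src == ANY:
        return "SUPERSET"
    if tgt == ANY:
        return "SUBSET"
    return "DISJOINT"             # two different values, or NA against a value

def cpe_match(source_fs, target_fs):
    """True when the target product is an instance of the source name (every attribute EQUAL or SUPERSET)."""
    src, tgt = parse_fs(source_fs), parse_fs(target_fs)
    return all(compare_attr(src[a], tgt[a]) in ("EQUAL", "SUPERSET") for a in ATTRS)

def applies(platform_names, inventory):
    """Applicability statement as a conjunction: every platform name must match some inventoried product."""
    return all(any(cpe_match(p, t) for t in inventory) for p in platform_names)

# Constructed: the slide's example checklist applies only to Firefox 3.6 on Windows Vista.
CHECKLIST_PLATFORMS = ["cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*",
                       "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*"]
```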

CCE & CVE


CVE identifier numbers (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2014-7654321") are used for quick reference and to remove redundant checks across different benchmarks. The same applies to CCE identifiers. Both are referenced from XCCDF via the <ident> element.

CVSS
CVSS is composed of three metric groups: Base, Temporal, and Environmental.
- Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments
- Temporal: represents the characteristics of a vulnerability that change over time but not among user environments
- Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment

OVAL (Open Vulnerability and Assessment Language)


OVAL standardizes the three main steps of the assessment process:
- Representing configuration information of systems for testing: characteristics of the system (OVAL System Characteristics)
- Analyzing the system for the presence of a specified machine state: defining how to check for a state (OVAL Definitions)
- Reporting the results of the assessment: results (OVAL Results)

Uses: security advisory distribution; vulnerability assessment; malware and threat indicator sharing; configuration management; audit and centralized audit validation; Security Information Management Systems (SIMS); system inventory; patch management.

A number of definition component schemas exist, one per platform type: Linux, Unix, Apple MacOS, Microsoft Windows, Sun Solaris, etc.

Conceptual Breakdown of the OVAL Language

OVAL Definition Schema
  |--> Core Schema
  |--> Independent Schema (family_test, variable_test, xmlfilecontent_test, etc.)
  |--> UNIX Schema (file_test, process_test, uname_test, etc.)
  |     |--> Solaris Schema
  |     |--> HP-UX Schema
  |     |--> MacOS Schema
  |     |--> Linux Schema (dpkg_test, rpminfo_test, etc.)
  |--> Windows Schema (file_test, wmi_test, etc.)
  |--> Apache Schema

Example OVAL definition: a registry_test checking that CTRL+ALT+DEL is required for logon (the disablecad value must equal 0).

<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>...</generator>
  <definitions>
    <definition id="oval:org.mitre.oval.tutorial:def:1" version="1" class="miscellaneous">
      <metadata>
        <title>CTRL+ALT+DEL Required for Logon</title>
        <affected family="windows"/>
        <description>This definition is used to introduce the OVAL Language.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:org.mitre.oval.tutorial:tst:1"
                   comment="The registry key is set to require CTRL+ALT+DEL for Logon"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval.tutorial:tst:1" version="1" check="all"
                   comment="The registry key is set to require CTRL+ALT+DEL for Logon"
                   xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval.tutorial:obj:1"/>
      <state state_ref="oval:org.mitre.oval.tutorial:ste:1"/>
    </registry_test>
  </tests>
  <objects>
    <registry_object id="oval:org.mitre.oval.tutorial:obj:1" version="1"
                     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>Software\Microsoft\Windows\CurrentVersion\Policies\System</key>
      <name>disablecad</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:org.mitre.oval.tutorial:ste:1" version="1"
                    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="int" operation="equals">0</value>
    </registry_state>
  </states>
</oval_definitions>
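To show how the definition above flows through to an XCCDF rule result (the OVAL-to-XCCDF result mapping mentioned in the XCCDF section), here is an added example, not part of the original slides: a minimal evaluator for the registry_test subset the tutorial definition uses, run against a constructed registry snapshot rather than a live host. The condensed XML, the snapshot dictionary and the KEY constant are constructed for this example; the result mapping follows SCAP 1.2.

```python
import xml.etree.ElementTree as ET
NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "win": "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"}

# Condensed copy of the slide's tutorial definition (metadata dropped); constructed for this example.
OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <definitions><definition id="oval:org.mitre.oval.tutorial:def:1" version="1" class="miscellaneous">
    <criteria><criterion test_ref="oval:org.mitre.oval.tutorial:tst:1"/></criteria>
  </definition></definitions>
  <tests><win:registry_test id="oval:org.mitre.oval.tutorial:tst:1" version="1" check="all">
    <win:object object_ref="oval:org.mitre.oval.tutorial:obj:1"/>
    <win:state state_ref="oval:org.mitre.oval.tutorial:ste:1"/></win:registry_test></tests>
  <objects><win:registry_object id="oval:org.mitre.oval.tutorial:obj:1" version="1">
    <win:hive>HKEY_LOCAL_MACHINE</win:hive>
    <win:key>Software\Microsoft\Windows\CurrentVersion\Policies\System</win:key>
    <win:name>disablecad</win:name></win:registry_object></objects>
  <states><win:registry_state id="oval:org.mitre.oval.tutorial:ste:1" version="1">
    <win:value datatype="int" operation="equals">0</win:value></win:registry_state></states>
</oval_definitions>"""

# SCAP 1.2 mapping of an OVAL definition result onto an XCCDF rule result.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "unknown": "unknown", "error": "error",
                 "not evaluated": "notchecked", "not applicable": "notapplicable"}

def evaluate_definition(oval_xml, registry):
    """registry: constructed snapshot {(hive, key, value_name): data}. Returns the OVAL result."""
    root = ET.fromstring(oval_xml)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    criterion = root.find(".//oval:criteria/oval:criterion", NS)
    test = by_id[criterion.get("test_ref")]
    obj = by_id[test.find("win:object", NS).get("object_ref")]
    state = by_id[test.find("win:state", NS).get("state_ref")]
    path = tuple(obj.find("win:" + tag, NS).text for tag in ("hive", "key", "name"))
    if path not in registry:   # object absent: the default check_existence (at_least_one_exists) fails
        return "false"
    want = state.find("win:value", NS)
    if want.get("operation") != "equals":   # only the operation the tutorial definition uses
        return "unknown"
    return "true" if int(registry[path]) == int(want.text) else "false"

def xccdf_result(oval_xml, registry, negate=False):
    """Rule result for an <xccdf:check> referencing this definition; negate="true" flips pass/fail."""
    result = OVAL_TO_XCCDF[evaluate_definition(oval_xml, registry)]
    if negate and result in ("pass", "fail"):
        result = "fail" if result == "pass" else "pass"
    return result

# Constructed registry path of the value the definition inspects (DisableCAD under the System policy key).
KEY = ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "disablecad")
```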

SCAP Data Stream


Key concepts: ordering, the data stream collection, data stream (ds), component, checklists, checks, dictionaries.

OpenSCAP / Results / etc.
