BMC Client Management - SCAP Implementation Statement. Version 12.0



Similar documents
How To Use A Policy Auditor (Macafee) To Check For Security Issues

Federal Desktop Core Configuration (FDCC)

Qualys PC/SCAP Auditor

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Security compliance automation with Red Hat Satellite

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

How To Monitor Your Entire It Environment

Automating Compliance with Security Content Automation Protocol

Towards security management in the cloud utilizing SECaaS

Massively Scaled Security Solutions for Massively Scaled IT

STIGs,, SCAP and Data Metrics

DoD Secure Configuration Management (SCM) Operational Use Cases

Chung-Huang Yang Kaohsiung Normal University, Taiwan November 24th, Central South University

Guide to Enterprise Patch Management Technologies

CDM Vulnerability Management (VUL) Capability

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

An Enterprise Continuous Monitoring Technical Reference Architecture

Realizing Trusted Clouds

Security Information and Event Management

Manage Vulnerabilities (VULN) Capability Data Sheet

Secstate: Flexible Lockdown, Auditing, and Remediation

McAfee Policy Auditor software

Continuous Monitoring

McAfee Policy Auditor 6.0 software Product Guide for epolicy Orchestrator 4.6

Symantec Control Compliance Suite Standards Manager

Open Vulnerability and Assessment Language (OVAL ) Validation Program Test Requirements (DRAFT)

D. Best Practices D.2. Administration The 6 th A

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Total Protection for Compliance: Unified IT Policy Auditing

CA IT Client Manager. Release Notes and Known Issues. r12 SP1

Towards Unifying Vulnerability Information for Attack Graph Construction

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

Certification Report

Enhancing Security for Next Generation Networks and Cloud Computing

Automated Patching. Paul Asadoorian IT Security Specialist Brown University

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Symantec Client Management Suite 7.6 powered by Altiris technology

EAC Decision on Request for Interpretation (Operating System Configuration)

VRDA Vulnerability Response Decision Assistance

SNOW LICENSE MANAGER (7.X)... 3

Software Vulnerability Assessment

AppSentry Application and Database Security Auditing

Navigate Your Way to NERC Compliance

Security Control Standard

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Report: Symantec Solutions for Federal Government: CyberScope

Secunia Vulnerability Intelligence Manager

Nipper Studio Beginner s Guide

CONTINUOUS MONITORING

IBM Tivoli Endpoint Manager for Security and Compliance

AHS Flaw Remediation Standard

Measurably reducing risk through collaboration, consensus & practical security management CIS Security Benchmarks 1

Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management

Compliance series Guide to meeting requirements of USGCB

NCIRC Security Tools NIAPC Submission Summary Harris STAT Scanner

A Tool for Automatic Enterprise Architecture Modeling

Measurably reducing risk through collaboration, consensus & practical security management CIS Security Benchmarks 1

SCAP Compliance Checker Version 3.1 for Windows February 12, 2012

ICT Security Cybersecurity CYBEX Overview of activities in ITU-T with focus on Study Group 17

NETWRIX IDENTITY MANAGEMENT SUITE

Certification Report

ivos Technical Requirements V For Current Clients as of June 2014

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

IBM InfoSphere Guardium

FY15 Quarter 1 Chief Information Officer Federal Information Security Management Act Reporting Metrics V1.0

An Introduction to the Common Configuration Enumeration

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

2011 Cloud Security Alliance, Inc. All rights reserved.

Healthcare Information Security Governance and Public Safety II

Seven Simple Steps that Slash the IT Audit Burden

The operating system requirements listed in this document include the most current patches and service packs.

The Center for Internet Security. CIS Configuration Assessment Tool CIS-CAT

Certification Report

SNOW LICENSE MANAGER (7.X)... 3

Security Orchestration with IF-MAP

Complete Patch Management

FileMaker Pro 11. Running FileMaker Pro 11 on Terminal Services

ARF, ARCAT, and Summary Results. Lt Col Joseph L. Wolfkiel

Symantec Client Management Suite 8.0

eeye Digital Security Product Training

White Paper. Understanding NIST FISMA Requirements

STAT Scanner Product Guide

Certification Report

SESSION 706 Wednesday, November 4, 9:00am - 10:00am Track: Framework Fusion

Dell KACE K1000 System Management Appliance Version 5.4. Patching and Security Guide

The Emergence of Security Business Intelligence: Risk

Global Knowledge MEA Remote Labs. Remote Lab Access Procedure

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Information Security Recommendation Report

Report Book: Retina Network Security Scanner Unlimited

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Questions and Answers

Microsoft Windows Apple Mac OS X

Transcription:

BMC Client Management - SCAP Implementation Statement Version 12.0

BMC Client Management - SCAP Implementation Statement TOC 3 Contents SCAP Implementation Statement... 4

4 BMC Client Management - SCAP Implementation Statement SCAP Implementation Statement SCAP Implementation Statement The SCAP features in BMC Client Management comply with the Technical Specification for the Security Content Automation Protocol (SCAP): Version 1.2. Using features in the BMC Client Management Console, you import SCAP content from third-party sources, such as the NIST NVD National Checklist Program repository. Results are generated as XML files compliant with both the SCAP (for ARF) and XCCDF specifications. BMC Software, Inc. asserts that BMC Client Management (BCM) version 12.00.00 meets or exceeds the Derived Test Requirements (DTR) for SCAP 1.0, 1.1 and 1.2 as described in NIST IR 7511 Revision 3 for the following SCAP capabilities and supported platform family: Capabilities Authenticated Configuration Scanner Common Vulnerabilities and Exposures (CVE) Option Platform Families Microsoft Windows 7, 64 bit Microsoft Windows 7, 32 bit Microsoft Windows Vista, SP2 Microsoft Windows XP Pro, SP3 Red Hat Enterprise Linux 5 Desktop, 64 bit Red Hat Enterprise Linux 5 Desktop, 32 bit BMC Client Management additionally provides SCAP capabilities for systems such as MAC OS X and other Windows/Linux flavors, but these are not certified. SCAP 1.2 Conformance BMC Client Management conforms to the specifications of the Security Content Automation Protocol, version 1.2 (SCAP 1.2), as outlined in NIST Special Publication (SP) 800-126 rev 2. As part of the SCAP 1.2 protocol, BMC Client Management assessment capabilities have been expanded to include the consumption of source data stream collection XML files and the generation of well-formed SCAP result data streams. To exercise this capability, users may download the SCAP 1.2 content from the NIST NVD National Checklist Program repository, or any other source of SCAP 1.2 compliant content, and perform assessments in a similar manner as with BMC Client Management custom compliance. The BMC Client Management implementation includes the following components: Extensible Configuration Checklist Description Format (XCCDF) 1.2, a language for authoring security checklists/ benchmarks and for reporting results of evaluating them. Open Vulnerability and Assessment Language (OVAL) 5.10.1, a language for representing system configuration information, assessing machine state, and reporting assessment results. Asset Reporting Format (ARF) 1.1, a format for expressing the transport format of information about assets and the relationships between assets and reports. Asset Identification 1.1, a format for uniquely identifying assets based on known identifiers and/or known information about the assets. Common Platform Enumeration (CPE) 2.3, a nomenclature and dictionary of hardware, operating systems, and applications. Common Configuration Enumeration (CCE) 5, a nomenclature and dictionary of software security configurations. Common Vulnerabilities and Exposures (CVE), a nomenclature and dictionary of security-related software flaws. Common Vulnerability Scoring System (CVSS) 2.0, a system for measuring the relative severity of software flaw vulnerabilities. Numara Software, Inc. and BMC Software, Inc. Confidential.

BMC Client Management - SCAP Implementation Statement SCAP Implementation Statement 5 Common Configuration Scoring System (CCSS) 1.0, a system for measuring the relative severity of system security configuration issues. BMC Client Management supports CCSS scores when that score is used in the @weight attribute within XCCDF rules. Trust Model for Security Automation Data (TMSAD) 1.0, a specification for using digital signatures in a common trust model applied to other security automation specifications. BMC Client Management can import SCAP content with Trust Model for Security Automation Data (TMSAD) signatures but will not verify them. The generated XML report will not include TMSAD signatures. SCAP 1.0 Compatibility BMC Client Management natively supports the older SCAP 1.0 specification, including: Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4 Open Vulnerability and Assessment Language (OVAL), version 5.3 and 5.4 Common Configuration Enumeration (CCE) version 5 Common Platform Enumeration (CPE) version 2.2 The Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) version 2.0 SCAP 1.1 Compatibility BMC Client Management natively supports the older SCAP 1.1 specification, including: Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4 Open Vulnerability and Assessment Language (OVAL) version 5.8 Common Configuration Enumeration (CCE) version 5 Common Platform Enumeration (CPE) version 2.2 Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) version 2.0 CVE and CCE lists BMC Client Management allows to import CVE and CCE lists. Both of these lists are part of the six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program. They help, through the use of consistent identifiers, to improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. CVE provides this capability for information security vulnerabilities, CCE assigns a unique, common identifier to a particular security-related configuration issue: CVE (Common Vulnerabilities and Exposures) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. CCE (Common configuration Enumeration) lists provide unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. Numara Software, Inc. and BMC Software, Inc. Confidential.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information