SCAP - NIST Computer Security Resource Center

The attached DRAFT document (provided here for HISTORICAL purposes) has been superseded by the following publication: Publication Number:

NIST Interagency Report 7511, Revision 3

Title:

Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements

Publication Date:

02/05/2013

• Final Publication: http://dx.doi.org/10.6028/NIST.IR.7511 • Related Information on CSRC: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7511 • Information on other NIST Computer Security Division publications and programs can be found at: http://csrc.nist.gov/

The following information was posted with the attached DRAFT document: Final Approval of NIST Interagency Report (IR) 7511 Revision 3 is now available February 5, 2013 NIST announces the release of NIST Interagency Report (NISTIR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. NISTIR 7511 defines the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in producing SCAP validated products.

NIST Interagency Report 7511 Revision 3.01.165 (Draft)

Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (DRAFT) John Banghart Stephen Quinn David Waltermire Andrew Bove

NIST Interagency Report 7511 Revision 3 (Draft)

Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (DRAFT)

John Banghart Stephen Quinn David Waltermire Andrew Bove

C O M P U T E R

S E C U R I T Y

Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 March 2012

U.S. Department of Commerce

John E. Bryson, Secretary National Institute of Standards and Technology

Dr. Patrick D. Gallagher, Under Secretary for Standards and Technology and Director

SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1.2 VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT)

Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference >

ACS primarily supports use-cases identified by the value CONFIGURATION, and AVPS supports use-cases identified by the value VULNERABILITY. Other use-case values include INVENTORY and OTHER. The following table maps use-cases to OVAL test types: Table 5-3 OVAL Test vs. Use-Case Types

Test Access Token Test Active Directory Test Audit Policy Environment Variable Test environmentvariable58 Family Test File File audit Permission

Compliance X X X X X X X X

38

Vulnerability

Inventory

X X

X X

SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1 VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT)

File Audit Permission 53 File Effective Rights File Effective Rights 53 File Hash Test FileMD5 Test fileset_test fix_test Group SID Test Group Test inetd Test inetlisteningservers_test Interface Test isainfo_test LDAP Test line_test Lockout Policy Metabase Test oslevel_test package_test Partition Password Password Policy patch_test patch53_test patch54_test patch56_test plist_test Port Test Printer Effective Rights Process Test process58 Test Registry Test RegKey Audit Permission RegKey audit Permission 53 RegKey Effective Rights RegKey Effective Rights 53 RPM Info RPM Verify rpminfo_test runlevel SE Linux Boolean

X X X X X X X X X X

X X

X X X X X X

X X X

X

X X X X X X X X

X

X X X X X X X X X X X X X

39

X X

X

X

X

X

X

SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1 VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT)

Service Effective rights shadow Test shared Resource Sid Sid Test SID Test smf_test SQL Test sql57_test swlist_test text file content test textfilecontent54 Test UAC Test uname unknown test User Sid Test User Test User Test user_sid_55 Test Variable Test version_test Volume Test WMI Test wmi57 Test WUA Update Searcher Test xinetd Test XML File content test

X X X X X X X X X X X X X X X X X X X X X X X X

40

X

X X X

X

X X

X

X

X

X

SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1 VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT)

6.

Appendix A—Acronyms and Abbreviations

This appendix contains selected acronyms and abbreviations used in the publication. AI ARF

Asset Identification Asset Reporting Format

CCE CCSS CPE CVE CVSS

Common Configuration Enumeration Common Configuration Scoring System Common Platform Enumeration Common Vulnerabilities and Exposures Common Vulnerability Scoring System

DTR

Derived Test Requirements

FDCC FIRST

Federal Desktop Core Configuration Forum of Incident Response and Security Teams

ID IETF IR IT ITL

Identifier Internet Engineering Task Force Interagency Report Information Technology Information Technology Laboratory

NIST NSA NCP NVD NVLAP

National Institute of Standards and Technology National Security Agency National Checklist Program National Vulnerability Database National Voluntary Laboratory Accreditation Program

OCIL OMB OS OVAL

Open Checklist Interactive Language Office of Management and Budget Operating System Open Vulnerability and Assessment Language

PDF

Portable Document Format

RHEL RFC

Red Hat Enterprise Linux Request for Comment

SCAP SCAPVAL

Security Content Automation Protocol SCAP Validation tool

TMSAD

Trust Model for Security Automation Data

U.S. USGCB

United States United States Government Configuration Baseline

XCCDF XML

Extensible Configuration Checklist Document Format Extensible Markup Language 41

SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1 VALIDATION PROGRAM TEST REQUIREMENTS (DRAFT)

42