Management and Security powered by Landesk


Security Content Automation Protocol (SCAP)

The Security Content Automation Protocol (SCAP) was developed by the U.S. National Institute of Standards and Technology (NIST) as a standard format for security-oriented operating system configuration checklists. For more information, see http://web.nvd.nist.gov/view/ncp/repository.

Ivanti® Management and Security can import SCAP data from many sources, including NIST, and then use that data to scan managed devices.

This SCAP support is licensed separately. Contact Ivanti sales for details.

Importing SCAP checklists

SCAP checklists consist of XML files packaged in a ZIP or CAB file. You can download SCAP-validated checklist policies from http://web.nvd.nist.gov/view/ncp/repository. When you import a SCAP checklist, the package filename becomes the vulnerability group name in Patch Manager. Each SCAP checklist ZIP or CAB should contain these files:

*-cpe-dictionary.xml

*-cpe-oval.xml

*-oval.xml

*-xccdf.xml

When importing SCAP checklists for the first time, make sure you've selected the Download SCAP scanner check box. You only need to do this once. The core server will reuse that scanner for other checklist scans.

To import SCAP data

1. Click Tools > Security and compliance > Patch and compliance.

2. Select Download SCAP scanner if this option hasn't already been selected during an earlier import. If you aren't sure, you can go ahead and select it.

3. Click the Import SCAP content toolbar button.

4. Browse for the SCAP data package ZIP or CAB file and select the platform the SCAP data package supports. There's no error checking for platform support, so make sure you select the right platform(s).

5. A successful import shows a green progress bar. A red progress bar indicates there was an error. The log file from your most recent import is at %AppData%\Local\LANDesk\SCAPContent.log.

6. Once the import finishes, close the SCAP content import dialog box and, in the tree, click Patch and compliance > Groups > Predefined groups > Security Content Automation Protocol. You will see a group that matches the filename you imported.
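Because the console performs no platform check at import time (step 4) and simply expects the four XML files listed above to be present, it is worth inspecting a checklist package before importing it. The following is an added example, not Ivanti code: it opens a SCAP checklist ZIP, reports which of the four expected file types are missing, and reads the XCCDF benchmark to list the CPE platform identifiers it declares and count its rules. CAB packages are not handled (the Python standard library has no CAB reader), and the sample bundle, benchmark id, rule ids and platform name are constructed for the demonstration.

```python
"""Pre-import check for a SCAP checklist package (added example, not Ivanti code)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# The four file types the console expects in every SCAP checklist package.
# Order matters: "-cpe-oval.xml" must be tested before the generic
# "-oval.xml", otherwise the CPE OVAL file would be classified as the
# vulnerability OVAL file.
REQUIRED_SUFFIXES = (
    "-cpe-dictionary.xml",
    "-cpe-oval.xml",
    "-oval.xml",
    "-xccdf.xml",
)

# Constructed XCCDF benchmark used as sample input; the ids are made up.
SAMPLE_XCCDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <status>draft</status>
  <title>Constructed sample benchmark</title>
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <Group id="group-1">
    <title>Account policy</title>
    <Rule id="rule-1" selected="true"><title>Rule one</title></Rule>
    <Rule id="rule-2" selected="true"><title>Rule two</title></Rule>
  </Group>
</Benchmark>
"""


def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents parse identically."""
    return tag.rsplit("}", 1)[-1]


def classify(name):
    """Map an archive entry to one of REQUIRED_SUFFIXES, or None if unrelated."""
    base = name.rsplit("/", 1)[-1]  # entries may sit in a folder inside the ZIP
    for suffix in REQUIRED_SUFFIXES:
        if base.endswith(suffix):
            return suffix
    return None


def inspect_scap_bundle(data):
    """Summarise a SCAP checklist ZIP (bytes): missing files, platforms, rules."""
    found = {}
    summary = {"benchmark_id": None, "platforms": [], "rule_count": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            kind = classify(name)
            if kind:
                found.setdefault(kind, []).append(name)
        for name in found.get("-xccdf.xml", []):
            root = ET.fromstring(zf.read(name))
            if _local(root.tag) != "Benchmark":
                continue
            summary["benchmark_id"] = root.get("id")
            for el in root.iter():
                tag = _local(el.tag)
                # <platform idref="cpe:/..."/> declares what the benchmark applies
                # to; the console does not validate the platform chosen at import.
                if tag == "platform" and el.get("idref"):
                    if el.get("idref") not in summary["platforms"]:
                        summary["platforms"].append(el.get("idref"))
                elif tag == "Rule":
                    summary["rule_count"] += 1
    summary["missing"] = [s for s in REQUIRED_SUFFIXES if s not in found]
    return summary


def build_sample_bundle(omit=()):
    """Construct an in-memory ZIP for demonstration; `omit` drops file suffixes."""
    files = {
        "sample-cpe-dictionary.xml": b"<cpe-list/>",
        "sample-cpe-oval.xml": b"<oval_definitions/>",
        "sample-oval.xml": b"<oval_definitions/>",
        "sample-xccdf.xml": SAMPLE_XCCDF,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            if classify(name) not in omit:
                zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for omit in ((), ("-oval.xml",)):
        print(inspect_scap_bundle(build_sample_bundle(omit)))
```

To check a real download, replace the constructed bundle with the bytes of the ZIP you intend to import; an empty missing list and a platform list that matches the platform you select in step 4 are the two things to confirm before clicking Import SCAP content.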

Scanning clients for SCAP vulnerabilities

When you import SCAP checklist data, the console creates a group for each checklist and adds these three items to that group:

1 Install SCAP scanner, benchmark files, and scan

2 View results

3 Overall score

The numbers that appear before each vulnerability indicate the order in which to execute them.

The 1 Install SCAP scanner, benchmark files, and scan group vulnerability contains three items:

Install SCAP scanner: Installs the SCAP scanner on the client.

Install <SCAP benchmark name> benchmark: Installs the SCAP data source XML files on the client.

Scan for <SCAP benchmark name> compliance: Runs the SCAP scanner and generates the SCAP results for the client, including scanning all the SCAP content definitions included in the View results group.

When you scan clients for SCAP checklist vulnerabilities, the SCAP scanner and relevant SCAP checklist data are copied to the client. The scanner runs, checking each SCAP vulnerability and logging the results to results.xml. Vulscan parses the results.xml file and reports vulnerability data back to the core server. The information is stored in inventory as vulnerability data.
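The page does not document the layout of results.xml, so the following added example (not Ivanti or vulscan code) assumes the scanner writes a standard XCCDF TestResult, which is the result format the SCAP specifications define. It reads such a file, counts the outcomes per rule, lists the rules that failed, and extracts the score the scanner itself reports; the host name, rule ids and score in the sample are constructed. The pass_ratio it computes is a plain pass/(pass+fail) ratio for quick triage, not the weighted XCCDF scoring algorithm, which is what the scanner's own score element carries.

```python
"""Summarise an XCCDF results file (added example, not Ivanti/vulscan code)."""
import xml.etree.ElementTree as ET

# Constructed sample of what the scanner's results.xml is assumed to contain:
# an XCCDF TestResult with one rule-result per checked rule and the scanner's
# own score element. Host name, rule ids and score are made up.
SAMPLE_RESULTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-result"
            end-time="2000-01-01T00:00:00">
  <benchmark href="sample-xccdf.xml"/>
  <target>WORKSTATION-01</target>
  <rule-result idref="rule-1"><result>pass</result></rule-result>
  <rule-result idref="rule-2"><result>fail</result></rule-result>
  <rule-result idref="rule-3"><result>notapplicable</result></rule-result>
  <rule-result idref="rule-4"><result>pass</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
</TestResult>
"""


def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 results parse identically."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child with the given local name, or None."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def summarize_results(data):
    """Return per-outcome counts, failed rule ids and the reported score."""
    root = ET.fromstring(data)
    # The TestResult may be the document root or embedded inside a Benchmark.
    results = [el for el in root.iter() if _local(el.tag) == "TestResult"]
    if not results:
        raise ValueError("no XCCDF TestResult element found")
    tr = results[0]
    summary = {
        "target": _child_text(tr, "target"),
        "counts": {},
        "failed": [],
        "score": None,
        "score_max": None,
        "pass_ratio": None,
    }
    for el in tr:
        tag = _local(el.tag)
        if tag == "rule-result":
            outcome = _child_text(el, "result") or "unknown"
            summary["counts"][outcome] = summary["counts"].get(outcome, 0) + 1
            if outcome == "fail":
                summary["failed"].append(el.get("idref"))
        elif tag == "score":
            # The scanner's own score; "maximum" is optional in XCCDF.
            summary["score"] = float((el.text or "0").strip())
            if el.get("maximum"):
                summary["score_max"] = float(el.get("maximum"))
    passed = summary["counts"].get("pass", 0)
    failed = summary["counts"].get("fail", 0)
    if passed + failed:
        # Simple triage ratio, not the weighted XCCDF scoring model.
        summary["pass_ratio"] = round(passed / (passed + failed), 4)
    return summary


if __name__ == "__main__":
    print(summarize_results(SAMPLE_RESULTS))
```

Run against a results.xml copied from a scanned client to get the same failed-rule list the console shows under 2 View results, which is useful when comparing a device's output with what vulscan reported to the core server.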

You can run all three steps of the 1 Install SCAP scanner, benchmark files, and scan group at once by right-clicking that tree item in the left pane and clicking Repair. If you've already run all three steps and want to recheck whether the vulnerability is fixed, you can run only the scan step: select the 1 Install SCAP scanner, benchmark files, and scan group, then in the right pane right-click the scan step and click Repair. This works because the SCAP scanner and the SCAP vulnerability checklist were already installed on the client by the original SCAP task for that checklist.

To scan clients for SCAP vulnerabilities

1. Click Tools > Security and compliance > Patch and compliance.

2. In the Patch and compliance tree, click Groups > Predefined groups > Security Content Automation Protocol and the imported SCAP checklist you want.

3. Under the SCAP checklist, right-click 1 Install SCAP scanner, benchmark files, and scan group and click Repair.

4. Modify the task name if you want to and select Repair as a scheduled task. Click OK.

5. In the Scheduled tasks window, add targets to the task and run it.

Viewing SCAP vulnerability results

When the Install SCAP scanner, benchmark files, and scan task finishes running on managed devices, you can view the SCAP vulnerability data, which has two parts: the individual vulnerability results and the overall score.

To view SCAP vulnerability results

1. Run the Install SCAP scanner, benchmark files, and scan task on managed devices.

2. Click Tools > Security and compliance > Patch and compliance.

3. In the Patch and compliance tree, click Patch and compliance > Groups > Predefined groups > Security Content Automation Protocol, then the imported SCAP vulnerability group that you want, and then click either 2 View results or 3 Overall score.

4. Filter the results by using the filter tools at the top of the results pane.

You can also check device results individually by right-clicking a device in the network view, clicking Inventory, and expanding the Detected Patch and Compliance Definitions tree item.
