Compatibility Questionnaire: KACE Networks, Inc. (KBOX 1000 Series Systems Management Appliances) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.

Organizational Information

Name of Your Organization:

KACE Networks, Inc.

Web Site:

Product Information

Product/Service Name:

KBOX 1000 Series Systems Management Appliances

Compatible Categories:

OVAL Definition Consumer

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public:

The KBOX 1000 Series is available through authorized KACE partners and directly from KACE. For more information, see http://www.kace.com or call (888) 522-3638.

Accuracy Questions

Language Version Indication

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content:

KBOX 1000 Series appliances contact kace.com nightly for updates to the OVAL Definition and engine files. These files are downloaded and processed by each deployed KBOX 1000 Series appliance. Any changes are pushed out automatically to the client nodes.

The first page viewed when logging into the Admin UI is a summary of the current status of the KBOX. Included on this page is the OVAL Schema information including:

- Last successful download
- Total OVAL tests
- OVAL schema version
- OVAL schema timestamp

Approach for Correction of Errors

Indicate how a user who discovers an error in the capability's use of OVAL can report the error:

Errors can be reported to our support organization (support@kace.com) where they can be reviewed and reproduced.

Describe the approach to responding to the above error reports and how applicable fixes will be applied:

Corrections to the data definitions or the evaluation engine will be addressed and, after testing, deployed via the automatic nightly download from kace.com.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Compatibility for any customers:

From the Administrator’s Guide to KBOX 2.1 manual, Chapter 8, Security Module Overview:

The KBOX Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard for detecting security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures. The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools.

About OVAL and CVE

OVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum is sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org. OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it will likely be assigned a status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html.

Language Support

Indicate the component schemas and/or individual OVAL Tests that the capability does not support for each category of OVAL Compatibility being applied for:

N/A

Capability Specific Questions

Finding Elements Using OVAL

Provide details regarding how users can identify and find individual OVAL content (through OVAL-IDs) that is being consumed by the capability. For example, how can a user determine which definitions have been consumed and what the result of each definition is:

The KBOX user interface is extremely intuitive. To view the list of OVAL definitions, click the Security button at the top of the UI, then select the OVAL Tests tab. The following image describes the OVAL Test tab contents:

The KBOX 1000 Series user interface is extremely intuitive. To view the results of OVAL scans, click the Security button at the top of the UI, then select the "OVAL Reports" tab. The following image describes the OVAL Reports tab contents:

By clicking on an individual test description, you can see detailed information regarding that specific OVAL test including which machines on your network have failed the test.

OVAL Content Importation Process Explanation

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability:

Customers can e-mail specific definitions to our support organization (support@kace.com) where they are tested and reviewed for inclusion in the general definition distribution which can be updated nightly through kace.com.

Statements

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   Dave Kloba
Title:   VP Engineering

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   Dave Kloba
Title:   VP Engineering

Statement on Follow-on Correctness Testing Support

Have an authorized individual sign and date the following statement about your organization's willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved (required):

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   Dave Kloba
Title:   VP Engineering

Page Last Updated: December 17, 2009