Compatibility Questionnaire: MMG Security, Inc. — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

Organizational Information

Name of Your Organization:

MMG Security, Inc.

Web Site:

Product Information

Product/Service Name:

Sussen 1.0

Compatible Categories:

OVAL Systems Characteristics Producer
OVAL Systems Characteristics Consumer
OVAL Definition Consumer
OVAL Results Producer
OVAL Results Consumer

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public:
Sussen is available for download from our web site (http://dev.mmgsecurity.com/projects/sussen/) under the terms of the GNU General Public License (GPL).
Accuracy Questions

Language Version Indication

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content:

The reports generated by the program include the schema version, timestamp and name/version of the product that created the definitions, system characteristics, and results.

Approach for Correction of Errors

Indicate how a user who discovers an error in the capability's use of OVAL can report the error:

We maintain a public bug database that people can use to report issues with our software. The database is available at:

http://dev.mmgsecurity.com/bugs/

Describe the approach to responding to the above error reports and how applicable fixes will be applied:

Once we have confirmed the bugs(s), we work with the bug reporter to test our fix(es). When we have a working fix we will make a new release available. Any bugfixes are noted in the release notes by ID in case people want to read more about the issue(s).

Users can then download and update their versions.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Compatibility for any customers:

The documentation on OVAL and OVAL compatibility is available with the software. In Windows it's in our help file and for Linux it's available in the Sussen. Oval man page.

Language Support

Indicate the component schemas and/or individual OVAL Tests that the capability does not support for each category of OVAL Compatibility being applied for:
The following are not currently supported in Sussen:

UNIX sccs_test
Cisco IOS, HP-UX, Apple Macintosh, Sun Solaris tests
External variables

Capability Specific Questions

Finding Elements Using OVAL

Provide details regarding how users can identify and find individual OVAL content (through OVAL-IDs) that is being consumed by the capability. For example, how can a user determine which definitions have been consumed and what the result of each definition is:

The command line programs either output the results in XML or HTML format. That allows the user to see what definitions were consumed and the results.

You can also view the collected data and results from the reports section in the web console.

OVAL Content Importation Process Explanation

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability:
N/A. Sussen can consume OVAL content at runtime.
Statements

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   Loren Bandiera
Title:   Lead Developer, Sussen Project

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   Loren Bandiera
Title:   Lead Developer, Sussen Project

Statement on Follow-on Correctness Testing Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   Loren Bandiera
Title:   Lead Developer, Sussen Project

Page Last Updated: December 17, 2009