Compatibility Questionnaire: KACE (KBOX IT Management Suite 2.0) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.

Organizational Information

Name of Your Organization:

KACE

Web Site:

Product Information

Product/Service Name:

KBOX IT Management Suite 2.0

Compatible Categories:

OVAL Definition Consumer

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

The KBOX IT Management Suite by KACE is a secure server appliance that automates routine and complex IT maintenance tasks improving IT productivity and security. Included in the KBOX IT Management Suite is the KBOX Security Enforcement and Audit Module which provides vulnerability auditing through seamlessly integrating OVAL tests and reporting on the outcomes at both the individual node and aggregate network levels. KBOX IT Management Suite is also searchable by OVAL-ID. In addition, security policies can be set and enforced through automatic remediation and, if necessary, node quarantine to prevent security breaches and/or network infections.

The KBOX is available through authorized KACE partners and directly from KACE. For more information, see http://www.kace.com or call (888) 522-3638.

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicates the OVAL Schema used to create or update its contents and/or results (required):

KBOX contacts kace.com nightly for updates to the OVAL Definition and engine files. These files are downloaded and processed by each deployed KBOX appliance. Any changes are pushed out automatically to the client nodes.

The first page viewed when logging into the Admin UI is a summary of the current status of the KBOX. Included on this page is the OVAL Schema information including:

  • Last successful download
  • Total OVAL tests
  • OVAL schema version
  • OVAL schema timestamp

The following screen shot shows what this summary looks like on the KBOX:

[Screen shot 9.1: KBOX summary page]

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):

KACE monitors the OVAL website for updated OVAL content on a daily basis. This information is then processed and reviewed by our internal security teams before being released for automatic retrieval by the KBOX appliance. The changes can contain both updates to the definition files as well as to the core evaluation engine. These can be updated as frequently as necessary to support future changes in the data definitions and capabilities.

Platform and Definition Type Support

Indicate which platforms, and which definition types for those platforms, your capability supports for each category of OVAL compatibility it supports (required):

We support the Core and Windows Definition Schemas.

Approach for Correction of Errors

Indicate how someone who discovers an error in your capability's use of OVAL can report the error, and describe your approach to responding to such reports and applying fixes (required):

Errors can be reported to our support organization, where they can be reviewed and reproduced. Corrections to the data definitions or the evaluation engine will be addressed and, after testing, deployed via the automatic nightly download from kace.com.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):

From the Administrator's Guide to KBOX 2.1 manual, Chapter 3, Security Module Overview:

The KBOX Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard for detecting security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures.

The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools.

About OVAL and CVE

OVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community.

Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum is sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org.

OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it will likely be assigned a status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html.

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):

From the Administrator's Guide to KBOX 2.1 manual, Chapter 3, Oval Tests:

OVAL Tests

KBOX checks nightly for updates to the list of available OVAL definitions. Definitions are displayed on the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test by operating system, vulnerability, or by OVAL ID or CVE Number.

To view the list of OVAL definitions, click the Security button, then select the OVAL Tests tab.
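The two documentation excerpts above describe what an OVAL Definition Consumer has to do with a downloaded definition feed: read the generator's schema version and timestamp for the status summary, count the definitions, and index them so a user can search by OVAL-ID or CVE Number. The following is an added example of that indexing step and is not KACE or KBOX code; it assumes the OVAL 5.x definitions layout (generator/schema_version and timestamp, definitions/definition/metadata with title, affected, reference, and the repository's oval_repository/status element), and the embedded feed, its OVAL-IDs and its CVE numbers are constructed placeholders.

```python
"""Index an OVAL Definitions document by OVAL-ID and CVE number.

Added example for an OVAL Definition Consumer; not KACE/KBOX code.
Assumes the OVAL 5.x definitions layout.  The document below is
constructed for this example; its OVAL-IDs and CVE numbers are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
}

# Definition-ID pattern from the oval-common-5 schema (DefinitionIDPattern).
OVAL_ID_RE = re.compile(r"^oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*$")

# Constructed sample feed: two definitions, one CVE shared between them.
SAMPLE_OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:schema_version>5.5</oval:schema_version>
    <oval:timestamp>2009-12-01T10:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:example.placeholder:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Placeholder vulnerability A</title>
        <affected family="windows"><platform>Microsoft Windows XP</platform></affected>
        <reference source="CVE" ref_id="CVE-0000-0001"/>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
        <description>Constructed sample definition.</description>
        <oval_repository><status>ACCEPTED</status></oval_repository>
      </metadata>
    </definition>
    <definition id="oval:example.placeholder:def:2" version="3" class="vulnerability">
      <metadata>
        <title>Placeholder vulnerability B</title>
        <affected family="windows"><platform>Microsoft Windows Vista</platform></affected>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
        <description>Constructed sample definition.</description>
        <oval_repository><status>DRAFT</status></oval_repository>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


def is_valid_oval_id(oval_id):
    """True if the string matches the OVAL definition-ID pattern."""
    return bool(oval_id) and OVAL_ID_RE.match(oval_id) is not None


def build_index(xml_text):
    """Parse an OVAL definitions document into a summary plus two lookup tables.

    Returns (summary, by_oval_id, by_cve).  A malformed definition ID raises
    ValueError so the consumer never silently indexes a bad feed entry.
    """
    root = ET.fromstring(xml_text)
    gen = root.find("d:generator", NS)
    summary = {
        "schema_version": gen.findtext("oval:schema_version", namespaces=NS),
        "schema_timestamp": gen.findtext("oval:timestamp", namespaces=NS),
        "total_definitions": 0,
    }
    by_oval_id = {}
    by_cve = defaultdict(list)
    for defn in root.iterfind("d:definitions/d:definition", NS):
        oval_id = defn.get("id")
        if not is_valid_oval_id(oval_id):
            raise ValueError("malformed OVAL-ID: %r" % (oval_id,))
        meta = defn.find("d:metadata", NS)
        cves = sorted({r.get("ref_id") for r in meta.iterfind("d:reference", NS)
                       if r.get("source") == "CVE"})
        entry = {
            "id": oval_id,
            "version": defn.get("version"),
            "class": defn.get("class"),
            "title": meta.findtext("d:title", namespaces=NS),
            "platforms": [p.text for p in meta.iterfind("d:affected/d:platform", NS)],
            "cves": cves,
            # Repository status (DRAFT, INTERIM, ACCEPTED, ...); absent in some feeds.
            "status": meta.findtext("d:oval_repository/d:status", default="UNKNOWN", namespaces=NS),
        }
        by_oval_id[oval_id] = entry
        for cve in cves:
            by_cve[cve].append(oval_id)
        summary["total_definitions"] += 1
    return summary, by_oval_id, dict(by_cve)


def search(by_oval_id, by_cve, query):
    """Look up definitions by OVAL-ID or by CVE number; returns a list of entries."""
    q = query.strip()
    if q.lower().startswith("oval:"):
        return [by_oval_id[q]] if q in by_oval_id else []
    if q.upper().startswith("CVE-"):
        return [by_oval_id[i] for i in by_cve.get(q.upper(), [])]
    return []


if __name__ == "__main__":
    summary, ids, cves = build_index(SAMPLE_OVAL_XML)
    print(summary)
    for hit in search(ids, cves, "CVE-0000-0002"):
        print(hit["id"], hit["status"], hit["title"])
```

The summary dictionary carries the same fields the KBOX status page lists (schema version, schema timestamp, total definitions), and the two tables give the OVAL-ID and CVE Number searches described for the OVAL Tests tab. The ID check matters because the feed is fetched automatically every night: rejecting an entry whose ID does not match the schema pattern is cheaper than discovering later that results were recorded against an unusable identifier.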

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):

From the Administrator's Guide to KBOX 2.1 manual, Chapter 3, Oval Reports:

OVAL Reports

The OVAL Reports tab displays a list of all of the OVAL Tests that have been run. At a glance, you can see which OVAL Tests failed and the number of computers that failed each OVAL test.

From the test detail view, you can see all of the computers that failed that OVAL Test and you can assign a label to those machines so that you can patch them at a later time.

[Screen shot 9.2: OVAL Reports tab]

Documentation Indexing of OVAL-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "OVAL" in your index. Alternately, provide directions to where these "OVAL" items are posted on your web site (recommended):

The Administrator's Guide to KBOX 2.1, Chapter 3, contains information on OVAL and the use of OVAL within the KBOX. This guide is available to all KBOX customers electronically. In addition, context-sensitive descriptions are available within the KBOX itself.

Capability Specific Questions

OVAL Definition Consumer

Configuration and Software Usage Explanation

If your capability does not use both the configuration and software sections of definitions, where do you describe to your customers how your capability deviates from the logic of the definitions that have both sections (required):

KBOX uses both the configuration and software sections of the definitions.

OVAL Definition Information Process Explanation

If your capability does not support consuming OVAL Definitions at runtime, explain where you have documented the process by which customers can submit OVAL Definitions for interpretation by the capability, including how quickly submitted Definitions are made available to the capability in use by your customers (required):

Customers can e-mail specific definitions to our support organization, where they are tested and reviewed for inclusion in the general definition distribution, which is updated nightly through kace.com.

OVAL-ID Output and Searchable

Finding Elements Using OVAL-ID

Give detailed examples and explanations of how a user can locate security elements in the capability by looking for their associated OVAL-ID(s) (required):

The KBOX user interface is extremely intuitive. To view the list of OVAL definitions, click the Security button at the top of the UI, then select the OVAL Tests tab. The following image describes the OVAL Test tab contents:

[Screen shot 9.3: OVAL Tests tab]

Finding OVAL-ID Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated OVAL-IDs for the individual security elements in the report (recommended):

The KBOX user interface is extremely intuitive. To view the list of OVAL definitions, click the Security button at the top of the UI, then select the OVAL Tests tab. The following image describes the OVAL Test tab contents:

[Screen shot 9.2]

By clicking on an individual test description, you can see detailed information regarding that specific OVAL test including which machines on your network have failed the test.

[Screen shot 9.4: OVAL test detail view]

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   David Kloba
Title:   VP Engineering

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   David Kloba
Title:   VP Engineering

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organization's willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   David Kloba
Title:   VP Engineering

Page Last Updated: December 17, 2009