Name of Your Organization:

Institute for Information Industry — CyberTrust Technology Institute

Web Site:

http://www.iii.org.tw/

Adopting Capability:

Crystal Security Keeper (CSK)

Capability home page:

http://www.iii.org.tw/infor/2012/ctti/crystal/en/csk.html

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Repository — Yes
OVAL Definition Evaluator — Yes
OVAL Results Consumer — Beta

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

Crystal Security Keeper (CSK) is a solution that automates information security management and compliance security controls. Enterprises can monitor security risks and enforce security controls through reliable quantitative risk assessment generated by CSK-conducted association analysis, configuration profiling and vulnerability assessment. Customers interested in our product can contact us to obtain the evaluation version.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

CSK primarily supports OVAL version 5.10.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Any reports on potential errors, missing elements or other questions can be submitted to the CSK technical support representative:

Joanna Lee
Email: joanna@iii.org.tw
Telephone: +886-2-6607-2047

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

The CSK development team will check any error reports. If the error is a product issue, the CSK development team will fix it and provide an update to our customers within a day to a week, depending on the defect. If the error relates to the OVAL schema or repository, CSK will also report it to MITRE.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

CSK describes how to use the OVAL functionality in the Vulnerability Database section of the product website at: http://www.iii.org.tw/infor/2012/ctti/crystal/en/csk.html

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

CSK’s agent works as a remote scanner that collects information at each endpoint. It supports windows-definitions-schema.xsd and linux-definitions-schema.xsd. Because the content format has been verified with the SCAPVal tool, CSK supports all the Tests, Objects, States and Variables in each OVAL item.

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Any user feedback, such as error reports and feature requests, is handled via our technical support representative:

Joanna Lee
Email: joanna@iii.org.tw
Telephone: +886-2-6607-2047

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

Users who find any content errors can report them to our technical support representative. We will check our DB content and verify it against the official OVAL Repository.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

CSK is an XCCDF- and OVAL-based scanner that assesses Windows security configurations. It not only lets users define the baseline with the USGCB and MS-Baseline standards; users can also customize the baseline according to company security policies, and each baseline contains detailed CCE and OVAL definition information. CSK combines the user configuration and the selected baseline into XML files and sends them to the agent on each endpoint to run the scan. The scanning results relate to the audit items and the baselines and are judged as "pass" or "fail" with detailed information.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

CSK consumes OVAL content at runtime. Users configure the audit items and select the baseline, which follows the XCCDF standard, and the combined information is sent to the agent to run the scan.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

CSK results are judged as "pass" or "fail", with a detailed description and information based on the selected baseline.

Users can view the human-readable results in the user interface, export the results to PDF or HTML format for distribution, or download the results XML file from the user interface.

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The results, in XML format following the SCAP data stream collection, are saved locally. Users can download them from the user interface, or view them in the product result interface, where they are judged as "pass" or "fail" with a detailed description and information based on the selected baseline.

Definition Repository Capability Questions

Unique IDs <AR_6.1> <AR_6.2> <AR_6.3>

Describe the process by which IDs are assigned and managed in the repository and how global uniqueness of IDs is ensured.

CSK maintains the OVAL repository locally; all entries are assigned a unique ID and cannot be modified. The CSK OVAL repository uses the OVAL definition ID as the unique ID.

Content Versioning <AR_6.4>

Describe the process by which the versions of Definitions, Tests, Objects, States, and Variables are managed in the repository.

The CSK OVAL repository is updated by the CSK update mechanism. The OVAL definition version is incremented on each update.

The Tests, Objects, States and Variables reference the OVAL ID of the latest version.

Standard References <AR_6.6> <AR_6.7> <AR_6.8>

Indicate how and when CVE-IDs, CCE-IDs, and CPE-IDs are used as references on OVAL Definitions in the repository.

CSK maintains the CVE and CCE databases locally, using the CCE ID and CVE ID as their unique keys, and maintains CPE dictionary XML files locally, by platform. Users define baselines based on USGCB and MS-Baseline, which contain CPE, OVAL, XCCDF and patch files that reference CCE-, CVE- and CPE-IDs.

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

CSK maintains an update server with an update mechanism that keeps the CVE, OVAL and CCE databases up to date.

CSK provides a user interface for users to update the database manually, but currently users cannot retrieve the content itself from the user interface. Users who want the content should contact our technical support representative:

Joanna Lee
Email: joanna@iii.org.tw
Telephone: +886-2-6607-2047

Results Consumer Capability Questions

Examine Imported Content <AR_9.1> <AR_9.2>

Indicate how users can review OVAL Results that are imported into the product and explain how users can determine which system a particular set of results applies to.

CSK supports consuming OVAL definitions at runtime or importing auditing results from the user interface in the controller.

If consumed at runtime, the CSK agent assesses the endpoint against the baseline and, when it finishes the comparison, sends back the auditing result, which contains the OVAL results in XML format. The content is then shown in the GUI in human-readable format (statistics, charts, lists, ranking and detailed descriptions).

If imported from the user interface, the user also needs to select the baseline to compare against; the display is then the same as for runtime results. The only condition is that the imported results must follow the XCCDF standard.

Users can compare the results with the original XML files.
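The two passages above (reviewing detailed and full OVAL Results, and determining which system an imported result set applies to) describe what a results consumer must pull out of an OVAL Results document. The following is an added illustration, not CSK code: it parses a constructed minimal OVAL 5.10 results document, reads the schema version and the primary host name from the embedded system characteristics, and maps each definition's OVAL result to a pass/fail verdict. The mapping rule (that "true" on a vulnerability or patch definition is a fail) is an assumption of this example; the page does not state how CSK maps results.

```python
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"}

# Constructed minimal OVAL Results document (not CSK output): one host and
# two definitions that both evaluate to "true" but belong to different classes.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5">
  <generator><oval:schema_version>5.10</oval:schema_version></generator>
  <def:oval_definitions><def:definitions>
    <def:definition id="oval:example:def:1" version="2" class="compliance"/>
    <def:definition id="oval:example:def:2" version="1" class="vulnerability"/>
  </def:definitions></def:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="2" result="true"/>
    <definition definition_id="oval:example:def:2" version="1" result="true"/>
  </definitions><sc:oval_system_characteristics><sc:system_info>
    <sc:primary_host_name>ws-01.example.test</sc:primary_host_name>
  </sc:system_info></sc:oval_system_characteristics></system></results>
</oval_results>"""

def pass_fail(oval_result, def_class):
    """Map an OVAL result to a pass/fail verdict (assumed rule): "true" means the
    check is met for compliance/inventory, but the problem exists for vulnerability/patch."""
    if oval_result not in ("true", "false"):
        return "unknown"  # unknown, error, not evaluated, not applicable
    satisfied = oval_result == "true"
    if def_class in ("vulnerability", "patch"):
        satisfied = not satisfied
    return "pass" if satisfied else "fail"

def parse_results(xml_text):
    """Return the schema version and per-host verdicts keyed by definition ID."""
    root = ET.fromstring(xml_text)
    version = root.findtext("res:generator/oval:schema_version", namespaces=NS)
    # Definition classes live in the embedded oval_definitions section.
    classes = {d.get("id"): d.get("class") for d in root.iterfind(
        "def:oval_definitions/def:definitions/def:definition", NS)}
    report = {"schema_version": version, "systems": []}
    for system in root.iterfind("res:results/res:system", NS):
        host = system.findtext("sc:oval_system_characteristics/sc:system_info/"
                               "sc:primary_host_name", namespaces=NS)
        verdicts = {d.get("definition_id"): pass_fail(d.get("result"), classes.get(
            d.get("definition_id"), "miscellaneous"))
            for d in system.iterfind("res:definitions/res:definition", NS)}
        report["systems"].append({"host": host, "verdicts": verdicts})
    return report
```

A consumer that ignores the definition class would report the vulnerability definition above as a pass, so the class lookup is the check worth keeping when importing third-party results.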

Content Import Process Explanation <AR_9.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

CSK supports consuming OVAL content at runtime; CSK builds the CCE, OVAL and CVSS content database during the installation process.

When a scan is active at an endpoint, the scanner compares the endpoint against the baseline, which is in XCCDF format and contains the OVAL reference files sent by the controller. The scanning result is saved in XML file format for distribution.

When not consumed at runtime, the CSK controller also provides an interface to import the auditing result, which is an XCCDF standard results XML file, and compares it with the selected baseline (which contains the OVAL content).

Whether consumed at runtime or imported from the user interface, the CSK controller displays a human-readable result as long as the OVAL result is in the standard format. The results can also be exported in HTML or PDF format for viewing.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: SHIH JEN, CHEN
TITLE: Section Manager

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: SHIH JEN, CHEN
TITLE: Section Manager

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: SHIH JEN, CHEN
TITLE: Section Manager

Page Last Updated: February 19, 2013