Name of Your Organization:

SPAWAR Systems Center Atlantic

Web Site:

http://www.public.navy.mil/spawar/Pages/default.asp

Adopting Capability:

SCAP Compliance Checker (SCC)

Capability home page:

http://www.public.navy.mil/spawar/Atlantic/ProductsServices/Pages/SCAP.aspx

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Systems Characteristics Producer - Yes
OVAL Definition Evaluator - Yes
OVAL Results Consumer - Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

The software is available to any government or contractor by emailing ssc_lant-scc@navy.mil. When emails are received, valid users are provided a private download URL via the Army hosted SAFE (Safe Access File Exchange) https://safe.amrdec.army.mil/SAFE2/.

For Department of Defense users with a valid Common Access Card (CAC), the software is available for download at http://iase.disa.mil/stigs/scap/index.html.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The about screen of the application and the documentation indicate the version of OVAL supported with each release.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Per the application's documentation, bugs are to be reported to ssc_lant-scc@navy.mil.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

The ssc_lant-scc@navy.mil mailbox is reviewed daily and bugs are reported to our internal bug tracking system. If the bug is critical enough to warrant a bug-fix release, updates will be made, tested and released. If the bug is not critical, the updates will be rolled into our next major/minor software release.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

The following documents contain sections which explain our OVAL implementation:

Sections:
A.3.6 OVAL IMPLEMENTATION
A.4 OVAL Probes Supported by SCC 3.1.1 for <Platform>

Files:
SCC_UserManual.pdf
SCC_Help.chm
SCC_UserManual_Solaris.pdf
SCC_UserManual_RHEL.pdf
SCC_UserManual_Debian.pdf
SCC_UserManual_OSX.pdf

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

apache-definitions-schema.xsd

  • httpd

independent-definitions-schema.xsd

  • environmentvariable
  • environmentvariable58
  • family
  • filehash
  • filehash58
  • ldap
  • sql
  • sql57
  • textfilecontent
  • textfilecontent54
  • variable
  • xmlfilecontent

linux-definitions-schema.xsd

  • dpkginfo
  • inetlisteningservers
  • partition
  • rpminfo
  • rpmverify
  • rpmverifyfile
  • rpmverifypackage
  • selinuxboolean
  • selinuxsecuritycontext

macos-definitions-schema.xsd

  • accountinfo
  • diskutil
  • inetlisteningserver
  • inetlisteningserver510
  • nvram
  • plist
  • plist510
  • pwpolicy
  • pwpolicy59

solaris-definitions-schema.xsd

  • isainfo
  • ndd
  • package
  • packagecheck
  • patch
  • patch54
  • smf

windows-definitions-schema.xsd

  • accesstoken
  • activedirectory
  • activedirectory57
  • auditeventpolicy
  • auditeventpolicysubcategories
  • cmdlet
  • dnscache
  • file
  • fileauditedpermissions53
  • fileeffectiverights53
  • group
  • group_sid
  • interface
  • lockoutpolicy
  • metabase
  • passwordpolicy
  • port
  • printereffectiverights
  • process
  • process58
  • registry
  • regkeyauditedpermissions53
  • regkeyeffectiverights53*
  • service
  • serviceeffectiverights
  • sharedresource
  • sid
  • sid_sid
  • uac
  • user
  • user_sid55
  • usersid
  • volume
  • wmi
  • wmi57
  • wuaupdatesearcher

unix-definitions-schema.xsd

  • file
  • fileextendedattribute
  • interface
  • process
  • process58
  • routingtable
  • sysctl
  • uname

List any core constructs defined in the OVAL Language that are not supported. (AR_3.2)

  • None

OVAL Assessment Method <AR_3.3>

List each supported assessment method if applicable. (AR_3.3)

Assessment of state by a host-based sensor.
Assessment of state by a remote-scanning sensor, for Windows to Windows only.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

SCC performs certain error handling functions to ensure that the OVAL content is properly created, and logs errors to SCC's error log when issues occur.

In SCC's Frequently Asked Questions, we explain to users how to report issues to content authors. However, as most end users may not know the difference between content and system/application errors, we also suggest they report the errors to us for troubleshooting. See FAQs 9.7-9.9 for details.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

SCC has the capability of performing XML Schema validation before each usage of content. If errors are detected, they are printed to the screen and to an error log.

Additionally, SCC performs several content completeness and syntax checks at content runtime to ensure definitions, tests, objects and variables that are used exist, and SCC reports errors if the content is missing any core requirements.
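As an added illustration of the kind of completeness check described above (this is not SCC's code, and it does not reproduce SCC's actual checks), the following Python sketch reports references in an OVAL definitions document that point at an id the document never declares. The function names and the sample content are assumptions made for this example, and only attribute-style references are followed.

```python
import xml.etree.ElementTree as ET  # stdlib parser; not hardened against malicious XML

# Reference attribute -> top-level section that must declare the target id.
REF_TO_SECTION = {"definition_ref": "definitions", "test_ref": "tests",
                  "object_ref": "objects", "state_ref": "states",
                  "var_ref": "variables"}

# Constructed, trimmed sample (not schema-complete): two references are dangling.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <criteria>
        <criterion test_ref="oval:example:tst:1"/>
        <criterion test_ref="oval:example:tst:9"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:example:tst:1" version="1" check="all">
      <ind:object object_ref="oval:example:obj:1"/>
      <ind:state state_ref="oval:example:ste:2"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:example:obj:1" version="1"/>
  </objects>
</oval_definitions>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_dangling_refs(oval_xml):
    """Return sorted (attribute, id) pairs whose target id is not declared."""
    root = ET.fromstring(oval_xml)
    declared = {section: set() for section in REF_TO_SECTION.values()}
    for section in root:
        if local(section.tag) in declared:
            declared[local(section.tag)] = {c.get("id") for c in section if c.get("id")}
    dangling = set()
    for elem in root.iter():
        for attr, section in REF_TO_SECTION.items():
            ref = elem.get(attr)
            if ref is not None and ref not in declared[section]:
                dangling.add((attr, ref))
    return sorted(dangling)

if __name__ == "__main__":
    print(find_dangling_refs(SAMPLE))
```

A check like this complements XML Schema validation, which confirms structure but does not confirm that every referenced id resolves within the document.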

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

SCC's XML transforms for prose reports include details which list all of the OVAL Definitions, tests, objects, and states that will be evaluated.

Additionally, SCC result report transforms provide details of OVAL Definitions, tests, and objects in a tree structure format.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

GUI:

Edit -> OVAL Content
Click Install OVAL content
Select the OVAL XML file, or a zip file containing OVAL XML files

CLI:

./cscc -iv

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

SCC's XML transforms for result reports include details which list all of the OVAL Definitions, tests, objects, and states that have been evaluated.

  1. Install OVAL content
  2. Enter target computer name
  3. Enable OVAL Content analysis
  4. Scan computer
  5. View HTML or Text reports

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

  1. Install OVAL content
  2. Enter target computer name
  3. Enable OVAL Content analysis
  4. Scan computer
  5. View the full OVAL XML results

Results Consumer Capability Questions

Examine Imported Content <AR_9.1> <AR_9.2>

Indicate how users can review OVAL Results that are imported into the product and explain how users can determine which system a particular set of results applies to.

SCC has the ability to generate HTML and Text based reports from pre-existing OVAL results.

GUI:

  1. Results -> Generate Detailed OVAL Reports
  2. Select Source and Destination Directories
  3. Select Desired Reports

SCC then creates reports on a per-computer basis based on the oval_system_characteristics data.

Content Import Process Explanation <AR_9.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

GUI:

Edit -> OVAL Content
Click Install OVAL content
Select the OVAL XML file, or a zip file containing OVAL XML files

CLI:

./cscc -iv

Systems Characteristics Producer Capability Questions

Collecting System Data <AR_5.2> <AR_5.3>

Explain the criteria used to collect system data that is included in an OVAL System Characteristics document.

SCC uses a collection of platform-specific system APIs and command line applications to collect the system characteristics data.

Content Export <AR_5.2> <AR_5.3>

Indicate how the product allows users to export OVAL System Characteristics documents.

SCC creates full OVAL XML results including OVAL System Characteristics each time a computer is reviewed using OVAL content.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Jack Vander Pol
TITLE: Project Manager

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Jack Vander Pol
TITLE: Project Manager

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Jack Vander Pol
TITLE: Project Manager

Page Last Updated: February 28, 2014