The Security Controls Auditor (SCA) product enables organizations to quickly and easily assess and remediate many of the 800-53 and 800-171 security controls using the definitive guidance provided by the Federal Government and Department of Defense. While some security controls require manual evaluation (such as those related to written policies), many checks can be automated. Fortunately, standards exist to help with this.
These standards have been developed by the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), Defense Information Systems Agency (DISA), the MITRE Corporation, and industry participants over the course of several years. The series of standards are referred to as the Security Content Automation Protocol (SCAP) and represent standard ways to identify and detect the security compliance and vulnerability posture of networked devices. The National Vulnerability Database at NIST is the clearinghouse for SCAP content and information. Details can be found at: http://nvd.nist.gov/
ThreatGuard's line of security products embodies this shift towards standards and rewards customers with significant time savings and accuracy improvements over non-standard and manual solutions.
It's all about the content. In the past, government and commercial organizations were provided written documentation that described how computers were to be securely configured. To help automate that process, vendors created proprietary tools that approximated the settings in the documents. Each vendor had their own way to test for compliance and they rarely produced the same results.
With SCAP, the regulatory agencies can now provide their compliance documentation in a standard format that can be used directly by security products. Products that properly adhere to the standards can now consume the same content and produce the same results. Organizations can now acquire compliance software based on the features they provide rather than how well they approximate the security guidance.
Now that we have standard security content, the mapping to security controls enables organizations to tailor this content to their needs without compromising security. 800-53 provides an extensive and comprehensive list of security controls. These controls are required for use by federal agencies. 800-171 outlines a process called “tailoring” that reduces this list of controls to those necessary for nonfederal organizations to protect Controlled Unclassified Information (CUI).
Windows Desktop or Server Computer or Virtual Machine
256MB available RAM recommended, 1GB for Multiview
50 MB Hard Drive space
After installing SCA, double-click on its desktop icon to launch the product. If the product has not been activated, a warning message will be displayed as seen in Figure 1. Click on the “OK” button to continue. The product will not perform security controls assessments or remediation until it has been activated. Activation is performed by applying a license key to the product. This key may be obtained by contacting the ThreatGuard Sales Team or by requesting a quote from the ThreatGuard website. Larger quantities with significant volume discounts can be purchased by contacting a ThreatGuard sales representative at (888) 623-2884.
Once you have obtained a key, the Product Activation tool can be launched by selecting the "License Activation" item from the "Application" menu or by holding down the “Ctrl” key and pressing the “l” key. Click the “Install Key” button to display the “Enter Activation Key” panel. Type the Activation key into the box provided, or copy (highlight the key, then hold down "Ctrl" and press "c") and paste (click into the Activation Key box, then hold down "Ctrl" and press "v") the purchased Activation Key. Press the "OK" button to display the product license agreement. If you agree with the license agreement, press the "Accept" button. If you do not accept the license agreement, press the "Decline" button. If the license agreement is declined, the product will not operate. If you accept the license agreement, press the "Done" button to close the activation window. Restart SCA now to take full advantage of the newly unlocked product.
SCA includes an automatic upgrade capability to keep the application and content files updated. By default, the application will check for updates once per day. If updates are available, they are downloaded and the user is prompted to have the updates automatically installed. Modification of the auto-update behavior is done using the Options widget in the Application menu.
To force SCA to check for updates, select the Check for Updates item in the Application menu (or press “Ctrl” then press “u”). This utility connects to the ThreatGuard, Inc. website to determine if application or content updates are available. If they are, they will be downloaded and the user will be prompted to have the updates automatically installed.
Note: The application installers available from the download section of the ThreatGuard web site also allow for safe updates. That is, they will update the application without changing any user settings.
By default, SCA connects to the ThreatGuard website to download updates. A local update server can be configured to override this behavior. If an organization wishes to create its own update server, please contact ThreatGuard for instructions. The Options widget that is available from the Application menu includes a “custom” field that will accept a local update server URL.
Before performing assessments, the user can choose whether to use 800-53 security controls or tailored 800-171 controls. To use 800-53 controls, select the “SP 800-53” option. To use 800-171, select the “SP 800-171” option. SP 800-171 defines a tailoring method which allows the user to choose the options that apply to their organization. This generally results in a subset of the 800-53 controls being used for the assessment. If you are unclear as to what the four tailoring options mean, click on the “Wizard” button to walk through the definition of each option to help you select the correct tailoring method.
The tree of security controls and rules that are displayed is determined by the 800-53 or 800-171 tailoring that is selected. In the example in Figure 2, the “AU-12: Audit Generation” is the security control category and the list of rules below it are automated checks that are used to test the security control. Security controls can have sub-controls that provide additional granularity such as “AU-12c”.
Individual rules may be deselected (or reselected) by left clicking on the rule (to highlight it) then pressing the right mouse-button to access the context menu. Only rules that are selected will be assessed and remediated.
The SCA interface operates in two modes: Evaluate and Remediate. In Evaluate mode, those items that have a black "X" next to them in the tree will be evaluated for compliance. Those without a black "X" will not. In remediation mode, there are more types of icons next to checklist items.
The green check indicates the item passed the compliance check.
The black circle indicates the rule wasn't selected for assessment or that it didn't apply to the current computer being assessed.
The red "X" indicates the item failed the compliance check.
The black "?" indicates an OVAL check does not exist for a rule.
The black "!" indicates an error processing a rule.
After an assessment is run, SCA contains three areas that show status or findings. Directly below the tree is an indicator that shows the total number of security controls that were selected. Below and to the right of the tree is the summary scoring indicator. This lists the total number of checks that passed and failed, and a percentage of the total items that passed. Finally, on the bottom left of the screen is the progress indicator. While assessment and remediation activities are taking place, this is updated to show the current item being assessed or fixed.
The Details and Results panels are located on the bottom of the window. These panels display useful information about each item in the tree.
Details tab - provides the rule identifier, a detailed description of the selected item, and when available, recommended fix action (for use in manual configuration or GPO creation).
Results tab - provides metadata generated by the OVAL assessment engine during processing. This information is very useful in analyzing the logic behind an assessment result.
When you are satisfied with the list of items selected, click the "Go!" button. This will start the assessment process. Progress will be shown in the bottom status indicator. When the assessment is complete, the status indicator will read "Action Complete" and the red “Remediate” button will appear.
NOTE: The operating mode of SCA is controlled by clicking on the left button on the bottom right of the window. When the button is green and reads “Evaluate”, the product is in assessment mode. When it is red and reads “Remediate” it is in remediation mode. The “Go!” button will kick off an assessment or a remediation of the system depending on the status of the operating mode button.
NOTE: You are strongly encouraged to test remediation on a non-critical system before attempting it on an operational computer.
Once an assessment is performed, SCA automatically switches to Remediate mode. In this mode, the system will attempt to modify items that appear with a red "X" to conform to the configuration requirements defined by each security check. Items can be deselected to prevent them from being modified by the remediation system. When in Remediate mode, press the “Go!” button to begin the remediation process.
You are advised to reboot your system after remediation occurs. This will ensure that all modified items are operating with their modified settings. Be aware the remediation changes the local configuration of the computer. In an Active Directory managed environment, these settings may be overwritten by GPOs.
The remediation actions the SCA takes are automatically generated from the driving SCAP benchmarks. This means that remediation can be performed for any benchmark, but there are also some limitations to this system. For example, there are certain classes of items that SCA will not attempt to automatically fix, such as renaming user accounts, adding/removing software, and patch management, or tests where the setting cannot be reliably generated such as where the expected value is a pattern match. It also means that the remediation actions are only as accurate as the content from which it is generated.
NOTE: By default, SCA suppresses certain rules because they cannot be reliably remediated or can cause problems for the user if they are remediated (like renaming the administrator account). These rules are listed in the file “SuppressedChecks.xml” in the SCA installation directory. If the user wishes to disable this, select the “Options” item from the Application menu and check the “Show suppressed security controls” checkbox.
To see which actions will be taken during remediation, and which items will not be remediated automatically, run the Remediation Fix Actions report from the Remediation menu. This shows the expected action to fix each rule; any rule marked as “manual” means that Secutor Prime will not attempt to perform remediation for it.
When using SCA to perform remediation, a history of the original value for each item changed will be saved in a local file and marked with a timestamp. Only items selected for remediation and for which a fix action is successful will be saved in the file. This remediation history can then be used to restore one or all changes made to the target system.
This file is created in the restore directory of the SCA application directory and given a name based on the IP address and hostname of the target computer. If that information has changed on the target computer then SCA will not be able to locate the proper history file. For that reason this capability is most reliable when used for the local computer only.
Selecting Restore Latest Changes from the Remediation menu will change all modified settings back to the values they had prior to the most recent rollback point and remove that restore point from the remediation history file.
When multiple remediation actions have been taken the system will record each as a separate action with a timestamp. To view each set of remediation actions grouped by time, the menu option Remediation Restore Points will let you roll back all remediation changes back to the selected time or delete all actions related to a time. To view what items were changed and their value prior to making the change, use the Remediation History report from the Remediation menu.
You can select one or more history points to roll back changes to (using drag click, shift+click, or ctrl+click). If you select more than one, the system will apply the changes in reverse chronological order. Whenever possible, however, it is safest to undo changes in reverse chronological order without skipping any changes.
If the system detects an error while performing a restore it will not remove the items that triggered the error, and therefore that restore point will not be removed from the rollback file. You can use the Remediation History report to inspect which items did not change and choose to delete that restore point to allow the system to revert to prior history points.
SCA includes a report that will show the results of the assessment and post-remediation status. This report is produced by selecting “Security Controls Report (HTML)” from the Results menu. The report is context sensitive and will generate an 800-53 or 800-171 report depending on the controls selected for the assessment.
An XML file can be generated that contains the results of the assessment. This may be useful for importing into a spreadsheet or another security management system. To generate this report, select “Security Controls Report (XML)” from the Results menu.
SCA includes a Find tool for use in searching the results for information. This tool is accessed by selecting Find in the Application menu (or holding down the “Ctrl” key and pressing the “f” key). To use the tool, simply enter the text that you wish to find and press the Next button. Each press of the Next button will take you to subsequent locations in the tree where the term was found. The Previous button moves through the tree in reverse order. The Case sensitive matching checkbox allows the user to restrict the search to text that matches the case entered in the search box.
Secutor Prime is built around support for the Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard. This allows regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past. The guidance is written in the standard format and passed to security products for automated processing and reporting; common input and common output. Secutor Prime includes support for all six protocols. It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure all rules are accurately and appropriately reflected in the system. The SCAP standard references are visible in the interface, reports, and export files.
Secutor Prime includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check. It is the primary protocol required to process the SCAP datastream. ThreatGuard presented the first live demonstration of processing XCCDF, OVAL, and the SCAP datastream using Secutor Prime at the 2nd annual NIST Security Automation Conference, held September 2006. The Secutor XCCDF interpreting engine has been exercised by thousands of users in hundreds of Federal Agencies, hundreds of commercial sites, and over fifty countries. Compliance checklist content, such as that developed by NIST for the Federal Desktop Core Configuration (USGCB), is written in the standard XCCDF format. These files are included with Secutor Prime and are used by the product to generate the groups and lists of rules to be checked. Secutor Prime generates and displays a hierarchical tree of these groups and rules when an XCCDF file is selected. The product then uses information from the XCCDF file to perform the assessment as specified in the accompanying Open Vulnerability and Assessment Language (OVAL) file.
Secutor Prime includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check. ThreatGuard develops and distributes the world's most mature commercial OVAL interpreter. From 2004 to present day, ThreatGuard has been the first to fulfill OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. Secutor Prime automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. Secutor Prime also includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content. For vulnerability content, Secutor Prime includes an option to display the OVAL ID in the tree as the title for each vulnerability definition.
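As an added illustration (not ThreatGuard's code), the following Python builds the group/rule tree from a constructed XCCDF 1.1 fragment and resolves each rule's OVAL definition reference, the split between "what to check" (XCCDF) and "how to check it" (OVAL) described above. Rules with no OVAL check are reported separately, which is the case the SCA tree marks with a black "?". The benchmark, rule ids, and file names are made up for the example.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark: one group with two rules, only one of which
# carries an OVAL check. All ids, titles and hrefs are illustrative.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <Group id="AU-12">
    <title>Audit Generation</title>
    <Rule id="audit-logon-events" selected="true">
      <title>Audit logon events</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/>
      </check>
    </Rule>
    <Rule id="policy-documented" selected="true">
      <title>Audit policy is documented</title>
    </Rule>
  </Group>
</Benchmark>
"""


def q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree lookups."""
    return "{%s}%s" % (XCCDF_NS, tag)


def rule_entry(rule):
    """Return (rule id, title, selected, OVAL href, OVAL definition id)."""
    title_el = rule.find(q("title"))
    title = title_el.text if title_el is not None else ""
    selected = rule.get("selected", "true").lower() == "true"
    href = name = None
    for check in rule.findall(q("check")):
        if check.get("system") != OVAL_SYSTEM:
            continue  # ignore checks written for other check systems
        ref = check.find(q("check-content-ref"))
        if ref is not None:
            href, name = ref.get("href"), ref.get("name")
            break
    return (rule.get("id"), title, selected, href, name)


def build_tree(xccdf_text):
    """Map each Benchmark/Group id to the entries of its direct child rules."""
    root = ET.fromstring(xccdf_text)
    tree = {}

    def walk(group):
        tree[group.get("id")] = [rule_entry(r) for r in group.findall(q("Rule"))]
        for sub in group.findall(q("Group")):
            walk(sub)

    walk(root)
    return tree


def rules_without_oval(tree):
    """Rule ids that have no OVAL definition to evaluate (shown as '?' in the tree)."""
    return [rid for rules in tree.values() for (rid, _, _, _, name) in rules if name is None]
```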
Secutor Prime includes support for Common Configuration Enumeration (CCE) references. CCE provides a standard notation and reference to configuration settings. The SCAP datastream contains CCE tags in the XCCDF documents. ThreatGuard raises the CCE references from the SCAP content to populate user interfaces, reports, and exports. In addition, Secutor Prime includes a search feature that allows the user to search the system and results for a given CCE number. By including CCE references in the SCAP content and consuming them into Secutor Prime, it is now possible to easily compare very specific configuration settings across systems.
Secutor Prime includes automated support for the Common Platform Enumeration (CPE) standard. CPE provides a standard notation and reference to operating systems and applications. An operating system can be referred to in many different ways such as "Windows XP" vs. "Microsoft Windows XP". CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7", enabling products to share SCAP results without pre-coordinating operating system and application references. The SCAP datastream also uses CPE to specify the OS to which a benchmark applies. Secutor Prime processes this CPE content to automatically select benchmarks that are applicable to each target system. The user simply points Secutor Prime at a directory of SCAP content files and the product performs CPE checks to determine which benchmarks apply. The Secutor Prime report and export files also include the applicable operating system or application CPE reference.
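As an added example (not ThreatGuard's code), the Python below parses CPE 2.2 URI names like the two quoted above and performs the applicability check described here: a benchmark's platform CPE applies to a target when every component the benchmark specifies equals the target's component, with unspecified components acting as wildcards. It generalizes beyond the two names on the page to the full seven-component form; the target and benchmark lists are constructed for the example.

```python
from urllib.parse import unquote

# CPE 2.2 URI layout: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"h", "o", "a"}  # hardware, operating system, application


def parse_cpe(name):
    """Split a CPE 2.2 URI into its seven components; absent ones become ''."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS) or fields[0] not in VALID_PARTS:
        raise ValueError("malformed CPE 2.2 URI: %r" % name)
    fields += [""] * (len(COMPONENTS) - len(fields))
    # Percent-encoded characters are decoded and comparison is case-insensitive.
    return {k: unquote(v).lower() for k, v in zip(COMPONENTS, fields)}


def cpe_matches(platform, target):
    """True if every component specified in `platform` equals the target's."""
    p, t = parse_cpe(platform), parse_cpe(target)
    return all(p[k] == "" or p[k] == t[k] for k in COMPONENTS)


def applicable_benchmarks(benchmarks, target_cpes):
    """benchmarks: {benchmark id: [platform CPE, ...]}. Returns ids that apply
    to a target reporting any of `target_cpes`."""
    return [
        bid for bid, platforms in benchmarks.items()
        if any(cpe_matches(p, t) for p in platforms for t in target_cpes)
    ]


# Constructed sample: a target reporting its OS (with service pack) and browser,
# and three benchmarks whose ids are illustrative only.
TARGET_CPES = ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/a:microsoft:ie:7"]
BENCHMARKS = {
    "sample-xp-benchmark": ["cpe:/o:microsoft:windows_xp"],
    "sample-ie8-benchmark": ["cpe:/a:microsoft:ie:8"],
    "sample-vista-benchmark": ["cpe:/o:microsoft:windows_vista"],
}

if __name__ == "__main__":
    for bid in applicable_benchmarks(BENCHMARKS, TARGET_CPES):
        print("applies:", bid)
```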