Compliance management is the process of identifying, locating, and rectifying software configuration problems on managed client devices in the enterprise. There are three main steps in this process:
At this point, the administrator can take steps to resolve any configuration issues identified.
The following terms are used throughout the HPCA compliance management solution:
| Term | Definition |
|---|---|
| CCE | Common Configuration Enumeration. The CCE is a dictionary of names for software security configuration issues (for example, access control settings and password policy settings). By providing unique identifiers for system configuration issues, the CCE facilitates fast and accurate correlation of configuration data across multiple information sources and tools. The CCE is currently managed by the MITRE Corporation. For more information, see http://cce.mitre.org |
| FDCC | Federal Desktop Core Configuration. The FDCC is a security configuration mandated by the Office of Management and Budget (OMB) for all U.S. government agencies. The FDCC currently exists for Microsoft Windows Vista® and XP operating system software. The Windows Vista FDCC is based on the Microsoft Security Guide for Vista, which was developed through a collaborative effort of the Defense Information Security Agency (DISA), the National Security Agency (NSA), and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. The Windows XP FDCC is based on a U.S. Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and a Department of Defense (DoD) customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0. There are also FDCC benchmarks for Windows XP Firewall, Windows Vista Firewall, and Internet Explorer 7. For more information, see http://nvd.nist.gov/fdcc/index.cfm |
| USGCB | United States Government Configuration Baseline. The purpose of the USGCB initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline has evolved from the FDCC mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security. The USGCB currently exists for Microsoft Windows XP, Windows Vista, and Windows 7 operating system software. These recommendations were developed at the National Institute of Standards and Technology (NIST), which collaborated with DoD and Microsoft to produce the Windows 7, Windows 7 Firewall, and Internet Explorer 8 USGCB. There are also USGCB benchmarks for Windows 7 Firewall and Internet Explorer 8. For more information, see http://usgcb.nist.gov/index.html |
| SCAP | Security Content Automation Protocol (pronounced ess-kap). SCAP is a framework of interoperable and automatable security standards established by the National Institute of Standards and Technology (NIST). SCAP enables organizations to automate security monitoring, vulnerability management, and security policy compliance evaluation. SCAP incorporates the following specifications: Because SCAP uses XML-based standards, SCAP content is both human and machine readable. NIST provides SCAP content, such as vulnerability and product enumeration identifiers, through a repository supplied by the National Vulnerability Database (NVD). For more information, see http://nvd.nist.gov/scap.cfm |
| CIS | Center for Internet Security. The CIS developed a set of compliance standards before NIST created SCAP. As of the publication of this documentation, the CIS had not released any additional benchmarks for newer operating systems. The HP Live Network team provides CIS benchmarks in SCAP format to Live Network content subscribers. For more information, see http://cisecurity.org |
A group of related compliance requirements is known as a benchmark (for example, FDCC-Windows-Vista). Benchmarks can be revised. A benchmark is given a new version name whenever it is revised (for example, FDCC-Windows-Vista v1.1.0.0).
Benchmarks contain rules. Each rule includes one or more automated tests that are used to determine whether or not a client device meets the requirements specified by that rule.
A benchmark consists of one or more profiles, which are used to define different levels of compliance within that benchmark. A profile specifies the following:
Compliance with a rule is determined by the profile. When HPCA runs a compliance scan on a managed client device, it evaluates the requirements for the applicable benchmark profile.
The FDCC benchmarks each contain a single profile. The CIS benchmarks contain separate profiles for different types of systems. The Windows XP (v2.01) CIS benchmark, for example, contains profiles for Legacy, Enterprise Standalone, Enterprise Mobile, and Specialized Security systems.
Each rule is assigned a weight based on the potential effect and exposure to the enterprise if client devices do not comply with that rule. When a compliance scan is performed on a managed client device, a score is determined that reflects how many compliance rules passed and failed. This score represents a device's compliance with respect to a particular benchmark profile (SCAP checklist).
Note: In certain compliance reports and dashboards, compliance results for a particular benchmark are aggregated across all profiles that pertain to each managed client device. See Compliance Management Reports and the Compliance Management Dashboard for more information.
The benchmark, profiles, and rules are all delivered as a bundle of files known as an SCAP datastream. These files are read by SCAP-capable tools, such as the HPCA compliance scanner.
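The following added example (not HPCA code and not part of the original documentation) shows how the pieces above fit together in the XCCDF benchmark document that an SCAP datastream carries: a benchmark with a version, profiles that select rules, and weighted rules. It parses a small constructed benchmark, resolves which rules each profile selects, and computes a weighted score from constructed scan results. The benchmark XML, its ids, weights and the result values are all constructed for illustration; the scoring formula is an assumption modelled on the XCCDF default scoring model (weighted pass ratio with not-applicable and unchecked rules excluded), not a description of how the HPCA scanner scores.

```python
"""Added example (not HPCA code): parse a constructed XCCDF-style benchmark,
resolve the rules a profile selects, and compute a weighted compliance score."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark: ids, weights and profiles are illustrative only.
# Rules default to selected="false"; each profile switches on the rules it wants.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_sample">
  <version>1.1.0.0</version>
  <Profile id="xccdf_example_profile_enterprise">
    <select idref="xccdf_example_rule_min_pw_len" selected="true"/>
    <select idref="xccdf_example_rule_lockout" selected="true"/>
    <select idref="xccdf_example_rule_guest_disabled" selected="false"/>
  </Profile>
  <Profile id="xccdf_example_profile_specialized">
    <select idref="xccdf_example_rule_min_pw_len" selected="true"/>
    <select idref="xccdf_example_rule_lockout" selected="true"/>
    <select idref="xccdf_example_rule_guest_disabled" selected="true"/>
  </Profile>
  <Group id="xccdf_example_group_accounts">
    <Rule id="xccdf_example_rule_min_pw_len" weight="10.0" selected="false"/>
    <Rule id="xccdf_example_rule_lockout" weight="5.0" selected="false"/>
    <Rule id="xccdf_example_rule_guest_disabled" weight="5.0" selected="false"/>
  </Group>
</Benchmark>
"""
ROOT = ET.fromstring(BENCHMARK_XML)

# Constructed per-rule results as a scanner might report them for one device.
SAMPLE_RESULTS = {
    "xccdf_example_rule_min_pw_len": "pass",
    "xccdf_example_rule_lockout": "fail",
    "xccdf_example_rule_guest_disabled": "pass",
}

# Result values that do not count towards the score (assumption, XCCDF-style).
NOT_COUNTED = {"notapplicable", "notchecked", "informational", "notselected"}


def benchmark_version(root):
    """Return the benchmark's version string (revisions get a new version)."""
    return root.findtext("x:version", default="", namespaces=NS)


def load_rules(root):
    """Map rule id -> (weight, default selected flag) over all Groups."""
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        weight = float(rule.get("weight", "1.0"))
        selected = rule.get("selected", "true") == "true"
        rules[rule.get("id")] = (weight, selected)
    return rules


def selected_rules(root, profile_id):
    """Rules a profile selects: each rule's default, then the profile's overrides."""
    chosen = {rid: sel for rid, (_, sel) in load_rules(root).items()}
    profile = root.find("x:Profile[@id='%s']" % profile_id, NS)
    if profile is None:
        raise KeyError("no such profile: %s" % profile_id)
    for sel in profile.findall("x:select", NS):
        chosen[sel.get("idref")] = sel.get("selected") == "true"
    return {rid for rid, flag in chosen.items() if flag}


def failing_rules(root, profile_id, results):
    """Selected rules whose result is 'fail', the items an administrator would fix."""
    return sorted(rid for rid in selected_rules(root, profile_id)
                  if results.get(rid, "notchecked") == "fail")


def score(root, profile_id, results):
    """Weighted pass percentage for one profile (assumed XCCDF-default-style model)."""
    rules = load_rules(root)
    counted = passed = 0.0
    for rid in selected_rules(root, profile_id):
        result = results.get(rid, "notchecked")
        if result in NOT_COUNTED:
            continue  # excluded from both numerator and denominator
        weight = rules[rid][0]
        counted += weight
        if result == "pass":
            passed += weight
    return round(100.0 * passed / counted, 2) if counted else 0.0


if __name__ == "__main__":
    print("benchmark version:", benchmark_version(ROOT))
    for pid in ("xccdf_example_profile_enterprise", "xccdf_example_profile_specialized"):
        print(pid, "score:", score(ROOT, pid, SAMPLE_RESULTS),
              "failing:", failing_rules(ROOT, pid, SAMPLE_RESULTS))
```

The same device scores differently under the two profiles because the Specialized profile selects an extra rule that the Enterprise profile leaves off; this is why a score is only meaningful relative to a named benchmark profile, and why reports that aggregate across profiles should say so.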