Statement Of Scap Implementation; Statement Of Cve Implementation - McAfee PASCDE-AB-IA - Policy Auditor For Servers Product Manual

Appendix A: Implementing the Security Content Automation Protocol

Statement of SCAP implementation

Statement of SCAP implementation
The Security Content Automation Protocol (SCAP) is a collection of six open standards developed
jointly by various United States government organizations and the private sector. Security
content conforming to the SCAP standard can be used by any product that supports the standard
and the results can be shared among these products.
McAfee Policy Auditor allows users to import and export benchmarks and checks that use
SCAP. Users can tailor or edit benchmarks within the McAfee Benchmark Editor interface and
activate them for use in audits. Benchmarks determine whether a system complies with the
benchmark rules. Benchmarks also return results that can be converted to a human-readable
format.
Benchmarks and checks incorporate the following reference protocols to ensure that all rules
are processed accurately and appropriately, and that the results appear properly in reports and
export files:
Common Vulnerabilities and Exposures (CVE)
Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Vulnerability Scoring System (CVSS)
eXtensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL)
McAfee Policy Auditor version 6.0 is compliant with SCAP 1.1 and provides the ability to detect
and assess thousands of systems from a McAfee Policy Auditor server. This standardization
allows regulatory authorities and security administrators to construct definitive security guidance
and to compare results reliably and repeatedly.
McAfee Policy Auditor is designed exclusively around SCAP and manages all aspects of
analyzing systems for compliance. It uses XCCDF and OVAL to determine what items to check
and how to check them. It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure
that all rules are accurately and appropriately evaluated during system audits. The SCAP
standard references are visible in the interface, reports, and export files.

Statement of CVE implementation

McAfee Policy Auditor version 6.0 fully implements and supports the Common Vulnerabilities
and Exposures (CVE) standard vulnerability dictionary. CVE provides unique, standardized
identifiers for security vulnerabilities. CVE address vulnerability and exposure issues, not
compliance items.
McAfee Policy Auditor implements and supports CVE enumeration, which provides standardized
references to known vulnerabilities. CVE uses a named list of information security weaknesses,
providing standardized identifiers to facilitate a universal naming convention. Each CVE identifier
consists of:
A CVE identifier number, such as CVE-2008-0042.
An indication of whether the CVE has a status of "entry" or "candidate."
A description of the vulnerability.
A list of any references, such as advisories or OVAL identification.
88 McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6