Recently, Tenable's Security Center product was awarded certification to perform Federal Desktop Core Configuration (FDCC) audits, along with several other types of NIST SCAP audit capabilities, for the Windows XP and Vista platforms. FDCC makes use of the NIST SCAP XCCDF standard to describe security profiles, configuration settings and specific techniques to test for configuration settings. This blog entry describes how this process works and some of the benefits of the NIST SCAP program.
Performing FDCC Audits with the Security Center
Security Center users can download XCCDF content, such as the FDCC policies, and load them into a tool named the "xTool". This tool processes the OVAL, CPE and XCCDF content and logic to produce an audit file that can be used by the Security Center to control one or more Nessus scanners. Tenable's FDCC auditing technology requires credentials for the target systems and does not use an agent.
One of the features of the xTool is that it can generate audit policies with as little or as much of the metadata carried in the XCCDF content as you want. For example, in the screen shots below, the xTool has been configured to display the Nessus audit logic used to test the minimum password age policy.
In the image on the left, none of the metadata was included. In the image on the right, all information related to the Common Configuration Enumeration (CCE) ID, the specific XCCDF audit policy and a handful of related DoD, NIST, ISO and other standards is included. The xTool gives security and compliance managers the ability to choose how much of this information is carried into the audit for analysis by the end user.
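To make the "minimal versus verbose metadata" choice concrete, here is an added example (not xTool, and not Tenable code) that reads an XCCDF 1.1 benchmark, resolves which rules a profile selects, and emits one record per rule either with or without the CCE identifier and standards references. The benchmark embedded in the script is constructed for the example: the rule IDs, the `CCE-00000-0` style identifiers, the `example.invalid` reference and the OVAL definition names are all placeholders, not FDCC content.

```python
"""Turn an XCCDF benchmark profile into per-rule audit records.

Added example with a constructed benchmark (XCCDF 1.1 namespace, placeholder
rule IDs, placeholder CCE identifiers and an example.invalid reference).
It is not Tenable's xTool, and no NIST FDCC content is embedded here.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"
NS = {"x": XCCDF_NS}

# Constructed benchmark: two password rules in a Group, one rule the profile
# switches off, and one rule the profile never mentions at all.
SAMPLE_BENCHMARK = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <Profile id="example-profile">
    <title>Example workstation profile</title>
    <select idref="rule-min-password-age" selected="true"/>
    <select idref="rule-min-password-length" selected="true"/>
    <select idref="rule-guest-account" selected="false"/>
  </Profile>
  <Group id="group-passwords">
    <title>Password policy</title>
    <Rule id="rule-min-password-age" selected="false">
      <title>Minimum password age</title>
      <description>Users must keep a new password for at least one day.</description>
      <reference href="http://example.invalid/standard#4.2">Example standard, section 4.2</reference>
      <ident system="http://cce.mitre.org">CCE-00000-0</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-min-password-length" selected="false">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-00000-1</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
  </Group>
  <Rule id="rule-guest-account">
    <title>Guest account is disabled</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
  <Rule id="rule-not-in-profile" selected="false">
    <title>Rule the profile never mentions</title>
  </Rule>
</Benchmark>
"""


def _is_true(value, default):
    """XCCDF booleans are written as true/false or 1/0."""
    if value is None:
        return default
    return value.lower() in ("true", "1")


def rules_in_profile(benchmark, profile_id):
    """Return the Rule elements a Profile turns on, wherever they are nested."""
    rules = {r.get("id"): r for r in benchmark.iter(f"{{{XCCDF_NS}}}Rule")}
    # A Rule's own selected attribute (default true) applies unless the Profile
    # overrides it with a <select> element.
    selected = {rid: _is_true(r.get("selected"), True) for rid, r in rules.items()}
    profile = benchmark.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found")
    for sel in profile.findall("x:select", NS):
        rid = sel.get("idref")
        if rid in selected:
            selected[rid] = _is_true(sel.get("selected"), False)
    return [rules[rid] for rid, on in selected.items() if on]


def rule_record(rule, verbose=False):
    """Minimal record: id, title and the OVAL definition the check runs.

    verbose=True adds the CCE ident(s), description and standards references,
    the extra metadata a compliance manager may want beside each result.
    """
    ref = rule.find("x:check/x:check-content-ref", NS)
    record = {
        "rule_id": rule.get("id"),
        "title": rule.findtext("x:title", default="", namespaces=NS),
        "oval_definition": ref.get("name") if ref is not None else None,
    }
    if verbose:
        record["cce"] = [i.text for i in rule.findall("x:ident", NS)
                         if i.get("system") == CCE_SYSTEM]
        record["description"] = rule.findtext("x:description", default="", namespaces=NS)
        record["references"] = [(r.get("href"), r.text) for r in rule.findall("x:reference", NS)]
    return record


def build_audit_records(xccdf_text, profile_id, verbose=False):
    """Parse a benchmark and return records for the rules the profile selects."""
    benchmark = ET.fromstring(xccdf_text)
    return [rule_record(r, verbose) for r in rules_in_profile(benchmark, profile_id)]


if __name__ == "__main__":
    for rec in build_audit_records(SAMPLE_BENCHMARK, "example-profile", verbose=True):
        print(rec)
```

Two things worth noting from the example: a Profile's `<select>` overrides the Rule's own `selected` attribute in both directions, so a rule marked `selected="false"` in the body can still be on for a given profile and vice versa, and a rule the profile never mentions keeps its own default. Any converter that ignores the profile layer will audit the wrong set of checks.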
The audit policies generated by the xTool are loaded into the Security Center and can then be used to perform configuration audits. These can occur alongside vulnerability scans, patch audits or sensitive data auditing. In the below screen shots, a summary of CCE issues and an example view of detailed results for one CCE is shown:
Once scans are completed, the Security Center can be used to sort the results and identify which compliant and non-compliant FDCC issues have been found. Results can be filtered and reported by IP address, by asset group, by type of CCE entry and in many other ways.
When submitting results to NIST for FDCC compliance, the results of all systems are not required -- only the results of systems that are representative of each distinct configuration. For example, based on operational requirements, an organization may need a waiver for its minimum password length, and one representative host with that deviation covers the case.
With more than 700 configuration checks performed by FDCC, the Security Center can be used to sort and identify the unique combinations of non-compliant configurations across hundreds, thousands or even tens of thousands of hosts. This makes the process of finding your unique non-compliant samples much easier.
Lastly, the xTool can also import the results of the configuration audit and produce an FDCC report that includes tracking of non-compliant settings and exceptions.
FDCC and SCAP Benefits
Independent Vendor-Neutral Content
As new XCCDF content is developed and hosted by NIST, Security Center users can download it and produce audit policies for new platforms. Tenable currently has customers who have produced audit policies from the beta XCCDF content available for Windows Server 2003, other Windows platforms, Symantec Anti-Virus and the Microsoft Office 2007 suite. As new XCCDF-compliant content is developed, the xTool can consume it and produce audit policies.
Logging and Anomaly Detection
Knowing how a system or set of systems is configured is just as important as knowing their vulnerabilities. For example, consider an incident response process that was invoked due to a network-wide brute force password attempt. Knowing the password policy (complexity, minimum length, expiration, etc.) of each system can help you prioritize which systems to respond to first.
Similarly, if a population of systems is configured to a policy that has locked down likely exploit vectors, enabled access-control logging, enabled logging of access to objects such as folders and shares and enabled a firewall, the ability to gather logs and look for anomalies is greatly enhanced. Performing anomaly and compromise detection is much easier when the composition of the network you are monitoring is known.
Quicker Identification of Unmanaged Systems
When complemented with traditional active and passive vulnerability scanning, the Security Center can be used to quickly identify when a system is configured in a non-sanctioned or unauthorized manner.
Perhaps a new system has been installed prior to being locked down. Perhaps a software upgrade resulted in a downgrade of secure system settings. Perhaps a hacker, insider or malware has indeed compromised a system and turned off these settings. Whatever the reason, in an environment where most hosts are configured the same, finding a host that is different is much easier.
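Both of the analyses described in this post, finding the unique combinations of non-compliant settings so that one representative host per combination can be submitted, and finding the odd host out in a population that is mostly configured the same way, come down to the same manipulation of per-host check results. Here is an added example (not Security Center functionality or Tenable code) that does both over a small set of constructed results. The CSV layout, the check names and the host addresses are made up for the example; a real export would have its own columns and would carry CCE IDs rather than these short names.

```python
"""Group audited hosts by their set of failed checks and flag outliers.

Added example over constructed data: RESULTS is a made-up host,check,status
table, not a Security Center export. Check names are placeholders standing in
for CCE entries.
"""
import csv
import io
from collections import Counter, defaultdict

RESULTS = """\
host,check,status
10.0.1.10,min_password_age,PASSED
10.0.1.10,firewall_enabled,PASSED
10.0.1.10,object_access_auditing,PASSED
10.0.1.11,min_password_age,PASSED
10.0.1.11,firewall_enabled,PASSED
10.0.1.11,object_access_auditing,PASSED
10.0.1.12,min_password_age,PASSED
10.0.1.12,firewall_enabled,PASSED
10.0.1.12,object_access_auditing,PASSED
10.0.1.13,min_password_age,PASSED
10.0.1.13,firewall_enabled,PASSED
10.0.1.13,object_access_auditing,PASSED
10.0.1.20,min_password_age,PASSED
10.0.1.20,firewall_enabled,FAILED
10.0.1.20,object_access_auditing,FAILED
10.0.1.21,min_password_age,FAILED
10.0.1.21,firewall_enabled,PASSED
10.0.1.21,object_access_auditing,PASSED
"""


def parse_results(text):
    """Return {host: {check: status}} from the CSV audit output."""
    results = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        results[row["host"]][row["check"]] = row["status"]
    return dict(results)


def failure_signature(checks):
    """The set of checks a host failed; hashable so hosts can be grouped by it."""
    return frozenset(check for check, status in checks.items() if status == "FAILED")


def unique_noncompliant_combinations(results):
    """Map each distinct set of failed checks to the hosts that share it.

    Fully compliant hosts (empty signature) are left out: the point is to
    find each distinct non-compliant configuration, not to list every host.
    """
    groups = defaultdict(list)
    for host, checks in sorted(results.items()):
        sig = failure_signature(checks)
        if sig:
            groups[sig].append(host)
    return dict(groups)


def representative_hosts(results):
    """One host per distinct non-compliant combination, e.g. for a waiver submission."""
    return {sig: hosts[0] for sig, hosts in unique_noncompliant_combinations(results).items()}


def baseline(results):
    """Majority status per check across all hosts: the de facto configuration."""
    votes = defaultdict(Counter)
    for checks in results.values():
        for check, status in checks.items():
            votes[check][status] += 1
    return {check: counts.most_common(1)[0][0] for check, counts in votes.items()}


def outliers(results):
    """Hosts that differ from the majority on at least one check, with those checks.

    This is deliberately relative to the population, not to compliance: a host
    that is more locked down than its peers is reported too, because it is
    still the host that is different.
    """
    base = baseline(results)
    out = {}
    for host, checks in sorted(results.items()):
        diff = sorted(c for c, s in checks.items() if c in base and s != base[c])
        if diff:
            out[host] = diff
    return out


if __name__ == "__main__":
    data = parse_results(RESULTS)
    for sig, hosts in unique_noncompliant_combinations(data).items():
        print(sorted(sig), "->", hosts)
    print("outliers:", outliers(data))
```

With the constructed data, four hosts form the baseline, one host (10.0.1.20) has had its firewall and object access auditing turned off, the pattern the paragraph above warns about, and one host (10.0.1.21) fails only the minimum password age check, the kind of single deviation that might be covered by a waiver. The grouping step reduces six hosts to two distinct non-compliant configurations, which is what you would submit samples for.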
Although the SCAP program has a federal government mandate, the content is also being used in a variety of commercial applications. For example, Tenable has many financial and health care customers that are private or commercial entities, yet choose to configure their networks according to NSA best practices, the DISA STIGs and now the SCAP content feeds.
The NIST SCAP program also offers some platforms and recommendations for configuration settings not provided by the Center for Internet Security best practice guides, or directly from vendors such as Microsoft.
For More Information
Tenable has an online video demo of how the xTool and Security Center can be used to perform FDCC and SCAP audits. We've also previously posted about how to configure Windows XP and Vista systems for auditing as well as comments from a NIST FDCC implementor's workshop. To learn more about SCAP and the XCCDF specification, please visit http://nvd.nist.gov.