All -- just some feedback on progress with ARF and ASR. We’ve been building out tools and capabilities to use the standards in DoD and I’ve reached the point where we can share some of the use cases for ARF and ASR.
In the attached zip, you’ll find 4 files. The file “Three Device winxp FDCC Results from SCC.zip” is the output, in XCCDF Results, from the GOTS tool “SCAP Compliance Checker” after running WinXP FDCC against 3 VMs. Using the raw XCCDF results, you get three files that, taken together, are over 2.4MB in size.
By just converting to ARF, as seen in “Three Device winxp FDCC Results after Stylesheet Conversion to ARF.zip”, and eliminating the excess baggage from XCCDF (such as sending a copy of the benchmark with every XCCDF Results file), we get a set of files that are 330KB, taken together.
Then, converting to ASR with detailed device records, as seen in “Three Device Detailed WinXP FDCC Results with Groupings in ASR.asr.zip”, you get the compliance results for all three devices in a single file that is 259k – and scales as a function of one line per rule/per device by sacrificing some detail, but allowing for groupings by organization, location, region, and MAC level – which isn’t supported by XCCDF.
Using ASR with counts only, as seen in “Three Device Summary WinXP FDCC Results with Groupings.asr.xml”, you get a file, 136KB, that provides high-level decision maker reports of compliance with FDCC, with groupings that scales flat – i.e. the file will always stay the same size, regardless of how many devices are reported, with only the counts changing.
My thought is to use ARF to communicate between sensors on a common LAN – on the assumption that bandwidth is more or less unlimited. For transmission of detailed compliance over the WAN, we can use ASR with device records. For reporting of compliance at the DoD Enterprise and Federal levels, we can use ASR with counts only.
Also note, from the file sizes, how well compression works on all the files. I’m thinking any enterprise use of any SCAP standard for reporting should assume compression using GZIP (supported as part of TCP/IP) or other compression function to be required and supported.
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401
DSN 244-5401
Fax 410-854-6700
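As an added example (not from the message, SCC, or any ARF/ASR tooling), the aggregation the message describes: per-device rule results flatten to one row per rule per device, while a counts-only summary grouped by organization keeps the same number of rows however many devices report. The XCCDF 1.1 namespace is real; the rule ids, device names and the organization fact name are constructed, and the record shapes are simplified stand-ins for the ASR layouts.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
ORG_FACT = "urn:example:organization"  # hypothetical target-fact name


def make_result(device, org, outcomes):
    """Build a constructed, minimal XCCDF TestResult for one device."""
    rules = "".join(
        f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
        for rid, res in outcomes.items())
    return (f'<TestResult xmlns="{XCCDF_NS}" id="{device}-result">'
            f'<target>{device}</target>'
            f'<target-facts><fact name="{ORG_FACT}" type="string">{org}</fact></target-facts>'
            f'{rules}</TestResult>')


# Constructed sample: three devices, two rules each (rule ids are hypothetical).
SAMPLE_DOCS = [
    make_result("xp-vm-1", "OrgA", {"rule-1": "pass", "rule-2": "fail"}),
    make_result("xp-vm-2", "OrgA", {"rule-1": "pass", "rule-2": "pass"}),
    make_result("xp-vm-3", "OrgB", {"rule-1": "fail", "rule-2": "pass"}),
]


def device_records(docs):
    """Detailed records: one (org, device, rule, result) row per rule per device.
    Row count grows linearly with the number of devices reported."""
    rows = []
    for doc in docs:
        root = ET.fromstring(doc)
        device = root.findtext(f"{{{XCCDF_NS}}}target")
        org = root.findtext(f".//{{{XCCDF_NS}}}fact[@name='{ORG_FACT}']")
        for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
            rows.append((org, device, rr.get("idref"),
                         rr.findtext(f"{{{XCCDF_NS}}}result")))
    return rows


def summary_counts(docs):
    """Counts-only summary keyed by (org, rule, result): the key set, and so
    the record count, stays flat as more devices report; only counts change."""
    counts = defaultdict(int)
    for org, _device, rule, result in device_records(docs):
        counts[(org, rule, result)] += 1
    return dict(counts)
```

Feeding the same three documents ten times over produces sixty detailed rows but the same five summary keys, which is the flat-scaling property the message relies on for enterprise-level reporting.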