Re: Comments SP 800-126


Waltermire, David A.

Dick,

 

Thank you for your comments on the SP 800-126r2 draft.  We are working through your comments and have a couple questions:

 

Section 4.3.1

 

I’m not sure why all entries in the dictionary should be matched against all the cpe entries in all the referenced dictionaries.  Shouldn’t the consumer simply evaluate the check associated with the cpe-id and act based on the results of this check?

 

The processing logic defined in the SP 800-126r2 comprises a 3 step process.

 

1) Identifying the CPE Names in the dictionary that correspond to the applicability statements in the XCCDF content using CPE matching for EQUALS and SUPERSET.

2) If the CPEs present on the host are not known, evaluating the checks associated with the matched CPEs to determine what products are present.

3) Evaluating the CPE Applicability statements in the XCCDF (e.g. platform or CPE Applicability Language statements) against the CPE Names that are found to be present to determine applicability.

 

The CPE Dictionary contains identifier names and the applicability statements may be using any well-formed name.  This requires a matching round-trip to the dictionary to determine what checks are associated with identifier names for evaluation (step 1). Evaluating step 2 will determine what actual products are on the system.  Theoretically, steps 1 and 2 can be skipped if the CPEs present on the system are already known.  This requires that the product was able to determine this using a methodology that produces results consistent with steps 1 and 2.  In this case only step 3 needs to be evaluated.  We will work to clean up this wording to reflect this better.  Does this answer your question?  How should we clarify the wording in the document?

 

Section 4.4.1

 

This section also seems to imply that oval results are NOT required when a benchmark is the component evaluated, though Figure 3 describing ARF Reporting indicates displaying a relationship between an OVAL result and a benchmark result.

 

The section contains the following statements:

 

“The ARF report MUST contain a report object for each benchmark and check component executed when a source data stream runs against a target. Specifically, there SHALL be an OVAL result report for each OVAL component that was executed during the run, and there SHALL be an OCIL result report for each OCIL component that was executed during the run. If an XCCDF benchmark was executed during the run, then there SHALL be a XCCDF result report for that as well. Each component result MUST be captured as a separate report object in the ARF report and each component report SHALL use the element specified in Table 16 as its root element.”

 

This requires that OVAL and OCIL results are provided and that an XCCDF results report is included as well if a benchmark is executed.  How can we update the wording to eliminate your implication concerns?

 

Sincerely,

 

Dave Waltermire

SCAP Architect

National Institute of Standards and Technology

(301) 975-3390

[hidden email]

 

From: [hidden email] [mailto:[hidden email]]
Sent: Friday, July 29, 2011 1:51 PM
To: 800-126comments; SCAP-DEV
Subject: Comments SP 800-126

 

Dave,

 

Section 4.2 indicates an error should be issued for data streams which contain unrecognized extended components.  I thought the whole point of providing the extended components was to allow essentially “optional” information to be included in the datastream that might not be “standard” and that the correct action for non-recognized extended components would simply be to ignore them.  It seems that feedback would be useful as well, but it should not stop processing.

 

Section 4.2 also says that the specific datastream and benchmark to be executed must be specified, but it does not indicate how it should be specified.  How is this to be accomplished?

Isn’t the requirement really that the platform element should be honored?

 

Section 4.4.1

 

Should the high level element for results from OVAL be the oval-res:oval_results element?

This section also seems to imply that oval results are NOT required when a benchmark is the component evaluated, though Figure 3 describing ARF Reporting indicates displaying a relationship between an OVAL result and a benchmark result.

 

Section 4.5

 

The organization element seems out of place here.  Is it really used or needed?  Is it not derivable based on the asset identification?

Thanks,

Dick Whitehurst
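The three-step applicability flow described in Dave's reply (match applicability names to dictionary entries by EQUAL/SUPERSET, evaluate the matched entries' checks, then test the platform statement against the names found present), as an added example that is not code from the thread, the SP 800-126r2 draft, or any SCAP tool. The CPE name matching is a simplified form of the CPE 2.3 attribute comparison (no NA values or in-value wildcards), and the dictionary entries, check ids and check outcomes are constructed stand-ins for OVAL results.

```python
"""Added example: the 3-step CPE applicability logic discussed for SP 800-126r2 section 4.3.1.
Simplified CPE 2.3 name matching; all dictionary data and check results are constructed."""
ANY = "*"
ATTRS = ("part", "vendor", "product", "version")

def attr_relation(src, tgt):
    # Pairwise attribute comparison (simplified from CPE 2.3: no NA, no wildcards inside values).
    if src == tgt:
        return "EQUAL"
    if src == ANY:
        return "SUPERSET"
    if tgt == ANY:
        return "SUBSET"
    return "DISJOINT"

def cpe_relation(src, tgt):
    # Overall set relation of the source name to the target name (dicts of attribute -> value).
    rels = {attr_relation(src.get(a, ANY), tgt.get(a, ANY)) for a in ATTRS}
    if rels == {"EQUAL"}:
        return "EQUAL"
    if rels <= {"EQUAL", "SUPERSET"}:
        return "SUPERSET"
    if rels <= {"EQUAL", "SUBSET"}:
        return "SUBSET"
    return "DISJOINT"

def matching_dictionary_entries(applicability_name, dictionary):
    # Step 1: dictionary names that the applicability name EQUALS or is a SUPERSET of.
    return [e for e in dictionary
            if cpe_relation(applicability_name, e["name"]) in ("EQUAL", "SUPERSET")]

def present_names(entries, check_results):
    # Step 2: evaluate the check tied to each matched entry; keep names whose check passed.
    # check_results (constructed: check id -> bool) stands in for an OVAL evaluation.
    return [e["name"] for e in entries if check_results.get(e["check"], False)]

def is_applicable(applicability_name, present):
    # Step 3: the XCCDF platform statement applies if any present name falls within it.
    return any(cpe_relation(applicability_name, p) in ("EQUAL", "SUPERSET") for p in present)

def evaluate(applicability_name, dictionary, check_results):
    entries = matching_dictionary_entries(applicability_name, dictionary)
    return is_applicable(applicability_name, present_names(entries, check_results))

# Constructed sample dictionary: two names, each tied to a hypothetical OVAL definition id.
DICTIONARY = [
    {"name": {"part": "o", "vendor": "vendorx", "product": "osx", "version": "6"}, "check": "oval:example:def:1"},
    {"name": {"part": "o", "vendor": "vendorx", "product": "osx", "version": "7"}, "check": "oval:example:def:2"},
]
CHECKS = {"oval:example:def:1": False, "oval:example:def:2": True}  # constructed check outcomes
```

A platform of `vendorx:osx` with version `*` matches both dictionary entries in step 1, only version 7's check passes in step 2, and step 3 then reports the benchmark applicable; a platform pinned to version 6 is not applicable because its only matched check fails.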