McAfee PASCDE-AB-IA Product Guide - Page 90
Appendix A: Implementing the Security Content Automation Protocol

Statement of CVSS implementation

McAfee Policy Auditor version 6.0 incorporates version 2.0 of the Common Vulnerability Scoring System (CVSS). CVSS is a standardized open framework for measuring the impact of vulnerabilities. Each CVE includes an associated CVSS vector to determine the relative severity of vulnerabilities. CVSS is built on a quantitative model that ensures repeatable measurements on systems and valid comparisons between systems, and that allows users to view the underlying vulnerability characteristics. Using CVSS scores helps an organization determine and prioritize responses to detected vulnerabilities.

McAfee Policy Auditor supports all four standard SCAP scoring models:
• Flat
• Unweighted
• Absolute
• Default

The default setting for McAfee Policy Auditor is a flat unweighted scoring model normalized to a maximum possible score of 100. The scoring model can be changed for comparison purposes.

Previous versions of McAfee Policy Auditor have been certified by Mitre as CVSS-Compatible.

Statement of XCCDF implementation

The eXtensible Configuration Checklist Description Format (XCCDF) is an XML specification language that supports the exchange of information, generation of results, tailoring, automated compliance testing, and compliance scoring. It also provides a data model and format for storing the results of benchmark compliance testing. XCCDF provides a uniform standard for the expression of benchmarks and other configuration guidance to encourage good security practices.

McAfee Policy Auditor uses benchmarks from McAfee or third-party sources to construct audits. Users can select the benchmark profile, if any, to use for the audit. After a system is audited, the audit results are returned to McAfee Policy Auditor, which analyzes and reports on the configuration and vulnerability data.
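The four scoring models listed under the CVSS statement are the XCCDF scoring models (flat, flat-unweighted, absolute and default), and they can give quite different numbers for the same set of rule results, which is why the guide notes that the model can be changed for comparison. The following Python is an added example, not code from the product guide or from McAfee Policy Auditor. It applies each model to a constructed benchmark of rule results and also shows the flat-unweighted score normalized to a maximum of 100, which the guide describes as the product default. The default-model routine is a simplified reading of the XCCDF algorithm (a rule scores 100 on pass and 0 otherwise; a group takes the weighted average of its contributing children), and the rule names, weights and results are made up.

```python
"""Added example: the four XCCDF scoring models applied to constructed rule results."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Rule results that XCCDF leaves out of every scoring model
EXCLUDED_RESULTS = {"notapplicable", "notchecked", "informational", "notselected"}


@dataclass
class Rule:
    id: str
    result: str          # pass, fail, error, unknown, notapplicable, ...
    weight: float = 1.0  # XCCDF rule weight (default 1.0)


@dataclass
class Group:
    id: str
    children: List[Union[Rule, "Group"]] = field(default_factory=list)
    weight: float = 1.0


def scored_rules(node: Union[Rule, Group]):
    """Yield every rule under node whose result participates in scoring."""
    if isinstance(node, Rule):
        if node.result not in EXCLUDED_RESULTS:
            yield node
    else:
        for child in node.children:
            yield from scored_rules(child)


def flat_score(benchmark: Group, unweighted: bool = False):
    """Flat model: summed weight of passing rules over the summed weight of all
    scored rules. The unweighted variant treats every weight as 1."""
    score = maximum = 0.0
    for rule in scored_rules(benchmark):
        w = 1.0 if unweighted else rule.weight
        maximum += w
        if rule.result == "pass":
            score += w
    return score, maximum


def absolute_score(benchmark: Group) -> int:
    """Absolute model: 1 only if every scored rule passed, else 0."""
    score, maximum = flat_score(benchmark)
    return 1 if maximum > 0 and score == maximum else 0


def default_score(node: Union[Rule, Group]) -> Optional[float]:
    """Default model (simplified): rules score 100 on pass and 0 otherwise;
    a group is the weighted average of children that contributed a score.
    None means nothing under this node was scorable."""
    if isinstance(node, Rule):
        if node.result in EXCLUDED_RESULTS:
            return None
        return 100.0 if node.result == "pass" else 0.0
    acc = wsum = 0.0
    for child in node.children:
        s = default_score(child)
        if s is None or child.weight <= 0:
            continue
        acc += s * child.weight
        wsum += child.weight
    return acc / wsum if wsum else None


def normalized(score: float, maximum: float, top: float = 100.0) -> float:
    """Rescale a (score, maximum) pair so the best possible result equals top."""
    return top * score / maximum if maximum else 0.0


def score_report(benchmark: Group) -> dict:
    """All four models side by side for one audit result."""
    flat, flat_max = flat_score(benchmark)
    unw, unw_max = flat_score(benchmark, unweighted=True)
    return {
        "flat": (flat, flat_max),
        "flat-unweighted": (unw, unw_max),
        "flat-unweighted-normalized-100": normalized(unw, unw_max),
        "absolute": absolute_score(benchmark),
        "default": default_score(benchmark) or 0.0,
    }


# Constructed benchmark: one failing high-weight rule and one not-applicable rule
SAMPLE_BENCHMARK = Group("benchmark", [
    Group("accounts", [
        Rule("min-password-length", "pass"),
        Rule("no-blank-admin-password", "fail", weight=10.0),
    ]),
    Group("services", [
        Rule("telnet-disabled", "pass"),
        Rule("ipv6-privacy-ext", "notapplicable"),
        Rule("ssh-root-login-disabled", "pass"),
    ]),
])

if __name__ == "__main__":
    for model, value in score_report(SAMPLE_BENCHMARK).items():
        print(f"{model:32} {value}")
```

On this constructed input the flat-unweighted model reports 3 of 4 (75 when normalized to 100), while the weighted flat model reports 3 of 13 because the one failing rule carries weight 10, and the absolute model reports 0. Comparing the models on the same result set, as the guide allows, makes visible how much a single heavily weighted failure is driving the headline score.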
The user can specify how long audit data is retained so that they or auditors can review any changes in the state of a system over time.

McAfee Policy Auditor version 6.0 implements version 1.1.4 of XCCDF. Previous versions of McAfee Policy Auditor have been certified by Mitre as XCCDF-Compatible.

Statement of OVAL implementation

The Open Vulnerability and Assessment Language (OVAL) describes the ideal configuration of systems, compares systems to the ideal configuration, and reports the test results. It provides a structured model for network and system administrators to detect vulnerabilities and configuration issues on systems.

McAfee Benchmark Editor uses the Checks interface to import and export OVAL definitions and other formats supported by XCCDF. These checks can be filtered based on OVAL IDs, platforms, or any other criteria set by the user. The Check Details interface displays a hyperlink to specific OVAL IDs, which will display OVAL in XML format.

90 McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6
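The OVAL statement above describes filtering imported definitions by OVAL ID or platform and viewing a single definition as XML. The following Python is an added example, not code from the product guide or from McAfee Benchmark Editor; it reads an OVAL definitions document with the standard library, summarises each definition by the fields such a filter works on, and returns one definition's XML by ID. The document, the definition IDs, the titles and the test references are constructed for the example and do not come from any real OVAL repository.

```python
"""Added example: filtering OVAL definitions by ID, platform or class, and
extracting one definition as XML. The sample document is constructed."""
import xml.etree.ElementTree as ET
from typing import List, Optional

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"d": OVAL_DEF_NS}

# Constructed sample: two compliance definitions for different platforms
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_DEF_NS}">
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="compliance">
      <metadata>
        <title>Minimum password length is 14</title>
        <affected family="windows">
          <platform>Microsoft Windows 7</platform>
        </affected>
        <description>Constructed example check.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.example:tst:1" comment="password length"/>
      </criteria>
    </definition>
    <definition id="oval:com.example:def:2" version="1" class="compliance">
      <metadata>
        <title>SSH root login is disabled</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>Constructed example check.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.example:tst:2" comment="sshd config"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def load_definitions(xml_text: str) -> List[dict]:
    """Summarise each <definition> by the fields a checks list filters on."""
    root = ET.fromstring(xml_text)
    summaries = []
    for d in root.findall("d:definitions/d:definition", NS):
        summaries.append({
            "id": d.get("id"),
            "class": d.get("class"),
            "title": d.findtext("d:metadata/d:title", default="", namespaces=NS),
            "platforms": [
                p.text for p in d.findall("d:metadata/d:affected/d:platform", NS)
            ],
        })
    return summaries


def filter_definitions(xml_text: str, oval_id: Optional[str] = None,
                       platform: Optional[str] = None,
                       cls: Optional[str] = None) -> List[dict]:
    """Return the definition summaries matching every criterion that was given."""
    return [
        d for d in load_definitions(xml_text)
        if (oval_id is None or d["id"] == oval_id)
        and (platform is None or platform in d["platforms"])
        and (cls is None or d["class"] == cls)
    ]


def definition_xml(xml_text: str, oval_id: str) -> Optional[str]:
    """The XML for one OVAL ID, the view a check-details link would open."""
    root = ET.fromstring(xml_text)
    ET.register_namespace("", OVAL_DEF_NS)  # keep the default namespace unprefixed
    for d in root.findall("d:definitions/d:definition", NS):
        if d.get("id") == oval_id:
            return ET.tostring(d, encoding="unicode")
    return None


if __name__ == "__main__":
    for d in filter_definitions(SAMPLE_OVAL, platform="Red Hat Enterprise Linux 6"):
        print(d["id"], d["title"])
    print(definition_xml(SAMPLE_OVAL, "oval:com.example:def:1"))
```

The filters are combined with AND, so a query for one platform and one class narrows the list the way a user would expect; matching the platform string exactly is an assumption of this example, and real OVAL content often lists several `<platform>` elements per definition, which the summary already collects as a list.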