• Status: Solved

SCAP scanners and SCAP content

Can anyone recommend any free SCAP scanners? And recommendations for where to download the actual SCAP content/checklists? Does all SCAP "content" work in all SCAP scanners? I am specifically after SCAP content for newer releases of Oracle RDBMS, SQL Server, and Exchange 2010. So any pointers in that direction are most welcome.
btan (Exec Consultant) commented:
Oscap is a candidate; check out the link, as it supports XCCDF and OVAL and likewise uses the dist STIG and NIST NVD, and see its real-life example in the link...

SSA is another to check out
btan (Exec Consultant) commented:
I am doubtful the SCAP checklist is ready for the newer RDBMS though...
pma111 (Author) commented:
Albeit those are the tools to do the scanning, where do you get the actual scap checklists from, i.e. those to import into the scanner to do the scans? Who produces the checklists in SCAP format?
btan (Exec Consultant) commented:
Actually, the checklist can be created by anyone, but normally we take it from the govt standard body, which readily makes it available, or even some (commercial) vendors come up with it as part of their SCAP scanning.

e.g. usgcb-rhel5desktop-ds.xml is from the United States Government Configuration Baseline (USGCB) initiative, whose purpose is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.

More widely used is the National Checklist Program (NCP). Defined by NIST SP 800-70 Rev. 2, it is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.

e.g. http://web.nvd.nist.gov/view/ncp/repository

This FAQ shares further
e.g. http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_microsoft

Is NIST working exclusively with Microsoft on Security Content Automation Protocol (SCAP)?
No. NIST is currently working with a number of IT vendors on standardizing security settings and their expression in SCAP for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70 Revision 2 - Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers. For more information about the National Checklist Program, visit http://checklists.nist.gov/. If IT vendors would like to standardize additional security settings with NIST, please contact checklists@nist.gov.

Please note that SCAP content can be provided either in a single file (as an OVAL file or SCAP Data Stream), or as multiple separate XML files.
Question has a verified solution.
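
Added example, not part of the original thread: the last comment notes that SCAP content may arrive as a single OVAL file, a single SCAP data stream, or separate XML files, and this sketch tells those forms apart by the root element's namespace so you can see what a downloaded checklist contains before importing it into a scanner. It goes slightly beyond the thread by also recognising standalone XCCDF and CPE dictionary files; the sample documents and their ids are constructed.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
# (namespace, root element) -> kind of SCAP content
KINDS = {
    (DS_NS, "data-stream-collection"): "SCAP 1.2 source data stream",
    ("http://checklists.nist.gov/xccdf/1.1", "Benchmark"): "XCCDF 1.1 benchmark",
    ("http://checklists.nist.gov/xccdf/1.2", "Benchmark"): "XCCDF 1.2 benchmark",
    ("http://oval.mitre.org/XMLSchema/oval-definitions-5", "oval_definitions"): "OVAL definitions",
    ("http://cpe.mitre.org/dictionary/2.0", "cpe-list"): "CPE dictionary",
}

def kind_of(elem):
    """Map an element's '{namespace}local' tag to a content kind."""
    ns, _, local = elem.tag[1:].partition("}") if elem.tag.startswith("{") else ("", "", elem.tag)
    return KINDS.get((ns, local), "unknown")

def identify(xml_text):
    """Return (kind, components). components lists (id, kind) for each
    document bundled in a data stream; it is empty for standalone files."""
    root = ET.fromstring(xml_text)
    kind, components = kind_of(root), []
    if root.tag == f"{{{DS_NS}}}data-stream-collection":
        for comp in root.findall(f"{{{DS_NS}}}component"):
            for doc in comp:  # each component wraps one XCCDF/OVAL/CPE document
                components.append((comp.get("id"), kind_of(doc)))
    return kind, components

# Constructed samples (ids are made up; real content carries rules and definitions).
SAMPLE_DS = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:component id="comp_xccdf">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo"/>
  </ds:component>
  <ds:component id="comp_oval">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  </ds:component>
</ds:data-stream-collection>"""
SAMPLE_OVAL = '<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>'
SAMPLE_XCCDF = '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo"/>'

if __name__ == "__main__":
    for name, text in [("data stream", SAMPLE_DS), ("oval", SAMPLE_OVAL), ("xccdf", SAMPLE_XCCDF)]:
        print(name, "->", identify(text))
```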
