3.2 Assessing Offline Computers

Auditors and security personnel rely heavily on automated tools to gather and centralize compliance information for aggregation and analysis. Since automated tools have no means of connecting to offline computers, you cannot determine whether the offline computers comply with security standards, best practices, and regulatory requirements.

If you have physical access to offline computers, the SCAP module allows you to run SCAP policy templates on those computers using portable read/write media, such as a USB flash drive. You can import these assessment results into Secure Configuration Manager to view, print, or export the results. You can get the latest version of XCCDF content from the National Institute of Standards and Technology (NIST) (http://scap.nist.gov).

NOTE:

  • If you run an offline assessment on a computer that is not running the operating system specified in the benchmark, Secure Configuration Manager does not create an .xml file.

  • To ensure Secure Configuration Manager can connect to desktop computers, set the Is DHCP Client field of the Endpoint Properties window to True for all desktop computers.

3.2.1 Configuring the Read/Write Medium

To assess offline computers, you must insert a read/write medium, such as a USB flash drive, containing appropriately formatted policy templates into the computer. These files must correspond with policy templates imported to the SCAP Templates node in the Secure Configuration Manager console. The files must be in .xml format.

To configure a read/write medium for offline assessments:

  1. Copy the contents of the Offline Assessment folder from the NetIQ Secure Configuration Manager Module for SCAP installation kit to the root directory of the read/write medium.

  2. Ensure the oem-content folder includes the XCCDF content files for which you want to run assessments.

  3. Specify the profile that you want to run by opening the scat-config.xml file and updating the following line:

    <profile>profile_name</profile>

    where profile_name is the name of the profile you want to use while running the assessments.

  4. If you want to include OVAL notes in the report, open the scat-config.xml file and edit the OVAL notes tag as follows:

    <suppress_oval_notes>false</suppress_oval_notes>
    <force_32bit_mode>false</force_32bit_mode>
    <xml_oval_notes>true</xml_oval_notes>

    For more information about OVAL notes, see Section 3.1.2, Running SCAP Policy Templates.

  5. If you want to run a specific benchmark, specify the benchmark that you want to run by opening the scat-config.xml file and updating the <xccdf_file> tag with the benchmark name. For example, if you want to run the fdcc-winxp-xccdf.xml benchmark, update the tag as follows:

    <xccdf_file>fdcc-winxp-xccdf.xml</xccdf_file>

    You can find the benchmarks (those you have copied in Step 2) listed in the oem-content folder.

  6. If you want to automatically determine all applicable benchmarks in the oem-content folder and perform an assessment of each one, open scat-config.xml and remove the following line:

    <xccdf_file>benchmarkfilename.xml</xccdf_file>

    where benchmarkfilename.xml is the name of a specific benchmark.

  7. If you want to create a log file, open Slylog.conf and delete the pound sign (#) from #LogFile=scat.log.

  8. If you want to change the logging level, open Slylog.conf and change the LogLevel parameter to one of the following values:

    Logging Level   Description
    FATAL           Show errors that cause S-CAT to abort an assessment.
    ERROR           Show run-time errors, including content errors.
    WARNING         Show warning messages.
    INFO            Show informational messages.
    DEBUG           Show detailed debug output.

    These settings are cumulative. For example, a logging level setting of DEBUG displays fatal, error, warning, info, and debug messages.
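To make Steps 3 through 8 repeatable and checkable before the drive leaves your desk, here is an added Python helper (not part of the NetIQ product or this guide) that edits scat-config.xml and Slylog.conf on the medium and reads the result back. It assumes a root element named <scat-config>, that Slylog.conf uses LogLevel=VALUE lines, and builds a constructed sample medium; only the child tag names, file names and logging levels come from this section.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

LOG_LEVELS = ("FATAL", "ERROR", "WARNING", "INFO", "DEBUG")  # Step 8 table, least to most verbose

def configure_medium(root_dir, profile, benchmark=None, oval_notes=True, log_level="INFO"):
    """Apply Steps 3 to 8 to the medium at root_dir; benchmark=None means auto-detect (Step 6)."""
    if log_level not in LOG_LEVELS:
        raise ValueError(f"LogLevel must be one of {LOG_LEVELS}, not {log_level!r}")
    tree = ET.parse(os.path.join(root_dir, "scat-config.xml"))
    cfg = tree.getroot()  # assumed root element <scat-config>; only child tags are from the guide
    def set_tag(name, value):  # create the tag if the shipped file lacks it
        el = cfg.find(name) if cfg.find(name) is not None else ET.SubElement(cfg, name)
        el.text = value
    set_tag("profile", profile)                                          # Step 3
    set_tag("suppress_oval_notes", "false" if oval_notes else "true")   # Step 4
    set_tag("xml_oval_notes", "true" if oval_notes else "false")
    if benchmark is None:                                               # Step 6
        for el in cfg.findall("xccdf_file"):
            cfg.remove(el)
    elif not os.path.isfile(os.path.join(root_dir, "oem-content", benchmark)):
        raise FileNotFoundError(f"{benchmark} is not in oem-content; copy it there first (Step 2)")
    else:                                                               # Step 5
        set_tag("xccdf_file", benchmark)
    tree.write(os.path.join(root_dir, "scat-config.xml"), encoding="utf-8", xml_declaration=True)
    log_path = os.path.join(root_dir, "Slylog.conf")
    with open(log_path) as f:                                           # Step 7: uncomment LogFile
        conf = f.read().replace("#LogFile=scat.log", "LogFile=scat.log")
    with open(log_path, "w") as f:                                      # Step 8: set LogLevel
        f.write(re.sub(r"^LogLevel=.*$", f"LogLevel={log_level}", conf, flags=re.M))
    return read_medium(root_dir)

def read_medium(root_dir):  # read the effective settings back from the files just written
    cfg = ET.parse(os.path.join(root_dir, "scat-config.xml")).getroot()
    with open(os.path.join(root_dir, "Slylog.conf")) as f:
        log = dict(line.strip().split("=", 1) for line in f if "=" in line and not line.startswith("#"))
    return {"profile": cfg.findtext("profile"), "xccdf_file": cfg.findtext("xccdf_file"),
            "xml_oval_notes": cfg.findtext("xml_oval_notes"), **log}

def make_sample_medium():  # constructed stand-in for the Offline Assessment folder (layout assumed)
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "oem-content"))
    open(os.path.join(root, "oem-content", "fdcc-winxp-xccdf.xml"), "w").close()
    with open(os.path.join(root, "scat-config.xml"), "w") as f:
        f.write("<scat-config><profile>profile_name</profile><xccdf_file>benchmarkfilename.xml</xccdf_file></scat-config>")
    with open(os.path.join(root, "Slylog.conf"), "w") as f:
        f.write("#LogFile=scat.log\nLogLevel=INFO\n")
    return root
```

Call configure_medium with the path of the mounted drive and the profile name from your imported template; a missing benchmark or an unknown logging level is rejected before anything is written.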

3.2.2 Running Assessments on Offline Computers

Once you prepare the read/write medium, you can run assessments on offline computers. The content files on the read/write medium should correspond with the aspects of the offline computer that you want to assess, such as the Windows operating system or an Oracle database.

To run an SCAP assessment on an offline computer:

  1. Insert the read/write medium into the computer on which you want to run an assessment.

  2. If the computer is configured to take no automatic action when a read/write medium is inserted, complete the following steps:

    1. Access the read/write medium.

    2. For Windows computers, open s-cat.exe.

    3. For UNIX and Linux computers, open s-cat.sh.

  3. Once the assessment is complete, repeat Step 1 through Step 2 for each offline computer you want to assess.

3.2.3 Importing Offline Assessment Results

You can import only completed offline assessments for SCAP content that corresponds with SCAP policy templates you imported into Secure Configuration Manager. For more information about importing SCAP policy templates, see Section 3.1, Assessing NetIQ-Monitored Computers.

To import results of an offline assessment:

  1. Log on to a Secure Configuration Manager Core Services computer with a Secure Configuration Manager administrator account.

  2. Insert the read/write medium used to gather offline assessments.

  3. Run ReportLoader.exe. By default, this file is located in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\bin folder.

  4. Specify the user name and password of your Secure Configuration Manager administrator account and click Logon.

  5. In the Import Folder field, browse to the location of the completed SCAP assessments that you want to import. Completed SCAP assessments have an .xml file type. By default, you can find the completed SCAP assessments in the Products folder.

    NOTE: You can import only completed offline assessments that correspond with SCAP policy templates previously imported into Secure Configuration Manager.

  6. Click Run.

  7. Click Close.

    NOTE: The Report Loader continues to import the completed SCAP assessments even if you click Close.

  8. Log on to a Secure Configuration Manager console computer with your console user account.

  9. Expand Job Queues > Completed.

  10. In the content pane, double-click the policy template report that you want to view.

  11. When you are finished viewing or printing the report, close the Report Viewer.