2.2 Installing or Upgrading the SCAP Module Components

The following table provides an overview of tasks to install or upgrade the SCAP module components and configure support for the module.

 

| Steps | For More Information |
|---|---|
| Install or upgrade the SCAP module on the Secure Configuration Manager Core Services computer, as specified in the release notes. | Section 2.1, Planning to Install or Upgrade the SCAP Module Components. |
| Install or update the UNIX and Windows agent components on the endpoints that you want to assess. | |
| Install the XCCDF Conversion Utility on each console computer. | Section 2.2.4, Installing the XCCDF Conversion Utility. |
| Install the FDCC Reporting Utility on each console computer. | Section 2.2.5, Installing the FDCC Reporting Utility. |

2.2.1 Installing or Upgrading the SCAP Module on Secure Configuration Manager Computers

Install or upgrade the SCAP module on the Secure Configuration Manager Core Services computer.

NOTE:

  • When you install the module on the Core Services computer, the installation program automatically connects to and updates the Secure Configuration Manager database.

  • If you have installed the Secure Configuration Manager database and Core Services on different computers, your logon account must be a local administrator account on the Core Services computer and a member of either the local Administrator group or the SQL Server user role on the database computer.

To install or upgrade this module on Secure Configuration Manager computers:

  1. Log on to the Core Services computer with a local administrator account.

  2. (Conditional) To install the SCAP Module, run the NetIQSCAPModuleForSecureConfigurationManager setup program locally from the root folder of the NetIQ Secure Configuration Manager Module for SCAP installation kit.

    Follow the instructions in the wizard until you have finished installing the module.

  3. (Conditional) To upgrade the SCAP Module, run the following command:

    msiexec /i NetIQSCAPModuleForSecureConfigurationManager.msi REINSTALL=ALL REINSTALLMODE=vomus

  4. Restart NetIQ Core Services so that the SCAP templates import successfully to the Secure Configuration Manager console.

2.2.2 Deploying or Updating the SCAP Module to a Remote Agent Computer

Remotely deploy the SCAP module component to an agent computer by completing the following steps. If you want to install the SCAP module manually, see Section 2.2.3, Locally Installing or Upgrading the SCAP Module on an Agent Computer. You can install the agent component of the SCAP module only on computers that have a UNIX agent or a Windows agent installed.

Deploying to a Remote UNIX Agent Computer

The UNIX Agent Manager console enables you to deploy the SCAP module to UNIX agent computers.

To remotely deploy the SCAP module to a UNIX agent computer:

  1. In the UNIX Agent Manager console, click Agent Manager.

  2. Click Hosts > Scan All Hosts to verify all agents are active and registered.

  3. Click Hosts > Patch Mgr.

  4. In Patch Manager, install p74p10.zip to your agent computer.

  5. Verify successful installation in the results window.

  6. Re-register the agent in Secure Configuration Manager. For more information, see the NetIQ Secure Configuration Manager User Guide.

Deploying to a Remote Windows Agent Computer

You can use the Secure Configuration Manager console to deploy the SCAP module to a registered Windows agent. Before you deploy the Windows agent component for the SCAP module, you must update the Windows agent component on the Core Services computer and copy the .nap file to a special folder. For more information about deployment, see the NetIQ Secure Configuration Manager Windows Agent Installation and Configuration Guide.

To deploy the SCAP module to a Windows agent:

  1. Log on to the Core Services computer with a local administrator account.

  2. In the SCAP module installation kit, open the folder containing the Windows agent component.

  3. Copy the SCAP module .nap file to the SyncStore folder on the Core Services computer, by default %Program Files (x86)%\NetIQ\Secure Configuration Manager\Core Services\SyncStore. For example, copy the SCAP_3.0_for_Windows_Agents.nap file.

  4. Log on to the console with an account that has rights to deploy Windows agents.

  5. Expand IT Assets > Agents > OS > Windows.

  6. Right-click the agents that you want to update, and then click Deploy or Update.

  7. Complete the steps in the Deployment wizard. When specifying the deployment package, select the SCAP module package. For example, select NetIQ SCAP Module 3.0 for Windows Agent.

    NOTE: If the Packages window of the Deployment wizard does not list the SCAP module package, you can browse to the SyncStore folder to add the .nap file.

2.2.3 Locally Installing or Upgrading the SCAP Module on an Agent Computer

Directly install or upgrade the SCAP module on the local agent computer by completing the following steps. If you want to install the SCAP module remotely from Secure Configuration Manager, see Section 2.2.2, Deploying or Updating the SCAP Module to a Remote Agent Computer. You can install or upgrade the SCAP module only on computers that have either the NetIQ Security Agent for Windows or the NetIQ UNIX Agent installed.

Locally Installing on a UNIX Agent Computer

The UNIX Agent Manager console enables you to deploy the SCAP module to UNIX agent computers.

To locally install the SCAP module on a UNIX agent computer:

  1. Copy the .tar files for your operating system and the wcPatch file to the PSHOME/netiq/bin directory on the computer where you want to install the module. You can find the value for PSHOME in the /etc/vsaunix.cfg file on the local computer.

  2. Run the su command to switch to the root user account.

  3. Change to the PSHOME/netiq/bin directory.

  4. Run the command ./wcPatch APPLY <file name> <version> <temporary directory> where:

    • <file name> is the file name of the patch for the specific operating system, provided in the UNIX agent folder of the NetIQ Secure Configuration Manager Module for SCAP installation kit. For example, p74p10.tar provided in the HP-UX_ia64 folder.

    • <version> is the patch number of the patch provided in the UNIX agent folder of the installation kit. For example, 7.4.0.10.

    • <temporary directory> is the directory on a remote computer where you want to store temporary files during installation.

    NOTE: If you want to use a directory on the computer where you are installing, you will need twice as much free disk space as normally required.

  5. Perform Step 4 for patches provided in the UNIX agent folder of the installation kit.

  6. Re-register the agent in Secure Configuration Manager. For more information, see the NetIQ Secure Configuration Manager User Guide.
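The wrapper below is an added example, not part of the NetIQ documentation or installation kit. It checks the prerequisites from steps 1 to 3 and then runs the step 4 command once per patch, stopping at the first failure. It assumes that wcPatch exits non-zero on failure, that PSHOME and the temporary directory are passed as absolute paths, and that patches are given as hypothetical FILE:VERSION pairs.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: wcPatch exits non-zero on failure,
# and the operator passes PSHOME as read from /etc/vsaunix.cfg.
# Patches are given as FILE:VERSION pairs, e.g. p74p10.tar:7.4.0.10.

# preflight PSHOME TMPDIR FILE:VERSION... -> 0 when the files from step 1 are in place
preflight() {
    bindir="$1/netiq/bin"; tmpdir=$2; shift 2
    [ -x "$bindir/wcPatch" ] || { echo "wcPatch not found in $bindir" >&2; return 1; }
    # wcPatch runs as root, so refuse a copy that any local user could modify.
    [ -z "$(find "$bindir/wcPatch" -perm -002 -print)" ] ||
        { echo "wcPatch is world-writable" >&2; return 1; }
    [ -d "$tmpdir" ] && [ -w "$tmpdir" ] ||
        { echo "temporary directory unusable: $tmpdir" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no patches given" >&2; return 1; }
    for spec in "$@"; do
        case $spec in
            ?*:?*) ;;
            *) echo "expected FILE:VERSION, got $spec" >&2; return 1 ;;
        esac
        [ -f "$bindir/${spec%%:*}" ] ||
            { echo "patch not copied to $bindir: ${spec%%:*}" >&2; return 1; }
    done
}

# apply_patches PSHOME TMPDIR FILE:VERSION... -> step 4 for each patch (step 5)
apply_patches() {
    pshome=$1; tmp=$2; shift 2
    preflight "$pshome" "$tmp" "$@" || return 1
    for spec in "$@"; do
        ( cd "$pshome/netiq/bin" &&
          ./wcPatch APPLY "${spec%%:*}" "${spec#*:}" "$tmp" ) || {
            echo "wcPatch failed for ${spec%%:*}; stopping" >&2
            return 2
        }
    done
}

# Usage: sh scap_patch.sh PSHOME TMPDIR p74p10.tar:7.4.0.10 [FILE:VERSION ...]
if [ "$#" -ge 3 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "switch to root first (step 2)" >&2; exit 1; }
    apply_patches "$@"
fi
```

A return status of 1 means a prerequisite was missing and nothing was applied; 2 means wcPatch itself reported a failure, so check its output before re-registering the agent.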

Locally Installing or Upgrading on a Windows Agent Computer

You can install or upgrade the SCAP module on a local Security Agent for Windows computer.

To locally install or upgrade the SCAP module on a Windows agent computer:

  1. Log on to the local agent computer with a local administrator account.

  2. (Conditional) To install the SCAP module, run the NetIQSCAPModuleForWindowsAgent.msi program from the Windows agent folder of the NetIQ Secure Configuration Manager Module for SCAP installation kit.

    Follow the instructions in the wizard until you have finished installing the module.

  3. (Conditional) To upgrade the SCAP module, run the following command:

    msiexec /i NetIQSCAPModuleForWindowsAgent.msi REINSTALL=ALL REINSTALLMODE=vamus

2.2.4 Installing the XCCDF Conversion Utility

To import properly formatted XCCDF content into Secure Configuration Manager, you must use the XCCDF Conversion Utility to convert the XCCDF content into SCAP policy templates that use the .tpl format. For more information about SCAP policy templates, see Section 3.1, Assessing NetIQ-Monitored Computers.

To install the XCCDF Conversion Utility:

  1. Log on to the Secure Configuration Manager console computer with a local administrator account.

  2. Run the Setup_XCCDF_Conversion_Utility_1.1.1.exe file from the Utilities folder of the NetIQ Secure Configuration Manager Module for SCAP installation kit.

  3. Follow the instructions in the wizard until you have finished installing the XCCDF Conversion Utility.

2.2.5 Installing the FDCC Reporting Utility

To create an FDCC compliance report, you must use the FDCC Reporting Utility to convert the exported policy template report from XCCDF format to a .csv file. For more information about FDCC compliance reports, see Section 3.3, Creating a Compliance Report.

To install the FDCC Reporting Utility:

  1. Log on to the Secure Configuration Manager console computer with a local administrator account.

  2. Run the Setup_FDCC_Reporting_Utility.exe file from the Utilities folder of the NetIQ Secure Configuration Manager Module for SCAP installation kit.

  3. Follow the instructions in the wizard until you have finished installing the FDCC Reporting Utility.