Name of Your Organization:

SAINT Corporation

Web Site:

http://www.saintcorporation.com

Adopting Capability:

SAINT Vulnerability Scanner

Capability home page:

http://www.saintcorporation.com/products/productsOverview.html

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Systems Characteristics Producer — Yes
OVAL Definition Evaluator — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

SAINT software is available to our customers through a variety of options. SAINT’s vulnerability scanner (WebSAINT) and bundled Vulnerability Scanner and Exploit (WebSAINT Pro) are available as cloud-based offerings via the ‘mySAINT’ portal at https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl. SAINT’s vulnerability scanning and exploit tools, and it’s enterprise management console (SAINTmanager) are also available via software download through ‘mySAINT’. SAINT Corporation also provides a bundled software/hardware solution via SAINTbox and SAINTstick.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The highest version of OVAL that SAINT supports at any given time can be found in the ‘mySAINT’ portal at https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl under the ‘SCAP Content’ section. This information is also available via the GUI when importing SCAP content into SAINT.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

SAINT provides phone support and a web-based technical support capability for reporting bugs/errors. Internal processes ensure OVAL-related issues are directed to engineers with expertise in SAINT’s OVAL capabilities.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

SAINT’s technical support process ensures direct communication to customers that identify errors related to OVAL. Issues are assessed and routed to the appropriate team for investigation and resolution. Issues that require development are prioritized and resolved by the development team; tested and validated through our in-house QA process; and delivered through our automated product update functionality.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

SAINT’s public website provides an overview that describes OVAL and our support to the OVAL Adoption program. The URL to this page is at http://www.saintcorporation.com/solutions/SCAP.html. Additionally, the user documentation and knowledge-base articles on our customer portal provide additional details related to specific OVAL content, check types, and specific product features and functionality related to OVAL. A direct hyperlink to the user guide (keyword: OVAL) is provided at the following http://www.saintcorporation.com/resources/documentation/help/saint_help/saint_help.html

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

The following are supported:

  • aix-definitions-schema.xsd
    • fileset_test
    • fix_test
    • interim_fix_test
    • no_test
    • oslevel_test
  • independent-definitions-schema.xsd
    • family_test
    • variable_test
    • textfilecontent54_test (windows only)
  • windows-definitions-schema.xsd
    • auditeventpolicy_test
    • file_test
    • registry_test
    • passwordpolicy_test
    • lockoutpolicy_test
    • service_test
    • sid_test
    • process58_test
    • auditeventpolicysubcategories_test
    • user_test
    • fileeffectiverights53_test
    • metabase_test
    • accesstoken_test
    • wmi_test
    • wmi57_test
    • process_test
    • sid_sid_test
    • user_sid_test
    • user_sid55_test

Core constructs defined in the OVAL Language that are not supported. (AR_3.2)

  • TimeDifferenceFunctionType
  • EntityAttributeGroup:mask

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

SAINT does not maintain a separate process specific to reporting errors related to OVAL content. However, users are provided with documentation (http://www.saintcorporation.com/resources/SAINT_Support_HOWTO.pdf) related to logging into the on-line ticketing system and how to sumbit a request or error/bug report. Internally, SAINT Support will route inquiries related to OVAL to the lead engineer documented in the General Capabilities section, subsections 2 and 4, of this document for review and appropriate action.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

OVAL content must be imported into SAINT before it can be used. During the import process, users are notified of any XML schema/syntax errors. All reported errors must be corrected before SAINT will accept the content.

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

Users are able to view the XML of an imported definitions document via the SAINT GUI. Users can also use the detailed definition viewer, also accessible through the GUI, which gives users a list of definitions found in a given OVAL definition file. The detailed viewer lets users search for definitions via a key word search, and provides details about what is being checked for on the target system for a selected definition.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

SAINT provides support for an OVAL scanning policy that includes a list of currently supported platforms and OVAL checks available for use. This capability also includes an Import/Update feature to retrieve the latest updates from Mitre, for a selected definition file, to be used in the scan. This functionality also supports importing of other custom OVAL content to be parsed and used immediately upon validation by the interpreter.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

SAINT provides the capability to review, and download the detailed results of evaluating OVAL definitions on a target system, through the product’s SCAP Results feature, as part of the integrated Data Analysis component of the GUI. SAINT provides support for the required OVAL Results and OVAL System Characteristic schemas, as well as our own detail reports that allow users to determine exactly why a vulnerability was identified.

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

SAINT provides support for the full OVAL Results format as specified in the OVAL Results Schemas, within the SCAP Results feature in Data Analysis. Results can be displayed or downloaded in the required formats.

Systems Characteristics Producer Capability Questions

Collecting System Data <AR_5.2> <AR_5.3>

Explain the criteria used to collect system data that is included in an OVAL System Characteristics document.

All objects defined within a given OVAL document are collected when a scan initiates, if applicable/supported to/on the target system, and stored in the OVAL System Characteristics format.

Content Export <AR_5.2> <AR_5.3>

Indicate how the product allows users to export OVAL System Characteristics documents.

SAINT provides the capability to export OVAL System Characteristics documents through the Data Analysis — SCAP Results feature of the GUI. System Characteristics can be viewed or downloaded in the SCAP-required format.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Randall Laudermilk
TITLE: Product Development Manager

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Randall Laudermilk
TITLE: Product Development Manager

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Randall Laudermilk
TITLE: Product Development Manager

Page Last Updated: February 23, 2012