Name of Your Organization:

Information-technology Promotion Agency, Japan (IPA)

Web Site:

http://www.ipa.go.jp/index-e.html

Adopting Capability:

MyJVN Security Configuration Checker

Capability home page:

http://jvndb.jvn.jp/apis/myjvn/sccheck.html (Japanese)
http://jvndb.jvn.jp/apis/myjvn/cccheck/cce_password.html (Japanese)
http://www.ipa.go.jp/security/english/vuln/200912_myjvn_cc_en.html (English)

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Evaluator — (Yes)

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

MyJVN Security Configuration Checker is a free, easy-to-use OVAL- and XCCDF-based on-line/off-line scanner that assesses Windows/Linux security configuration, including the password, lockout and other policies of CCE. MyJVN Security Configuration Checker also supports the MyJVN Version Checker function as an extension mode. This product downloads and uses the OVAL and XCCDF content from MyJVN API, which is a software interface for accessing and using the secure configuration countermeasure information and OVAL repository stored in JVN and JVN iPedia.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The products primarily support compatibility with OVAL Version 5.5.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Customers can contact a support helpdesk to report an error in the use of OVAL.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

All issues are investigated by the technical support team. If a defect is confirmed, it’ll be fixed by the development team. Upon release of the fix, the customer can use the latest version without any update operations.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

The following documents describe our activities related to OVAL:

http://www.ipa.go.jp/security/vuln/OVAL.html (Japanese)
http://www.ipa.go.jp/security/english/vuln/OVAL_en.html (English)

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

MyJVN Security Configuration Checker and extension mode support tests (registry_test, file_test, passwordpolicy_test and lockoutpolicy_test), objects (registry_object, file_object, passwordpolicy_object and lockoutpolicy_object), states (registry_state, file_state, passwordpolicy_state and lockoutpolicy_state) and variables (external_variable) for Microsoft Windows Operating Systems. Others are currently not supported.
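A pre-flight check built from the component list above, as an added example that is not part of IPA's answers or the MyJVN code: it reports the tests, objects, states and variables in an OVAL definitions document that fall outside the listed set. The function names are hypothetical, and the sample document and its ids are constructed and abbreviated rather than schema-valid content.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = OVAL_NS + "#windows"
# Component kinds from the Language Support answer above.
KINDS = ("registry", "file", "passwordpolicy", "lockoutpolicy")

# Constructed, abbreviated sample (ids are made up; not schema-valid content).
SAMPLE = f"""<oval_definitions xmlns="{OVAL_NS}"
    xmlns:win="{WIN_NS}" xmlns:lin="{OVAL_NS}#linux">
  <tests>
    <win:passwordpolicy_test id="oval:example.constructed:tst:1"/>
    <win:wmi_test id="oval:example.constructed:tst:2"/>
    <lin:rpminfo_test id="oval:example.constructed:tst:3"/>
  </tests>
  <objects>
    <win:passwordpolicy_object id="oval:example.constructed:obj:1"/>
  </objects>
  <variables>
    <external_variable id="oval:example.constructed:var:1"/>
    <constant_variable id="oval:example.constructed:var:2"/>
  </variables>
</oval_definitions>"""

def allowed(section):
    """Return the (namespace, element name) pairs accepted in one section."""
    if section == "variables":
        return {(OVAL_NS, "external_variable")}
    suffix = section[:-1]  # tests -> test, objects -> object, states -> state
    return {(WIN_NS, f"{kind}_{suffix}") for kind in KINDS}

def unsupported_components(xml_text):
    """List (section, element name, id) for components outside the listed set."""
    if "<!DOCTYPE" in xml_text:
        # OVAL content needs no DTD; refuse it before parsing downloaded XML.
        raise ValueError("DOCTYPE not expected in OVAL content")
    root = ET.fromstring(xml_text)
    findings = []
    for section in ("tests", "objects", "states", "variables"):
        container = root.find(f"{{{OVAL_NS}}}{section}")
        for el in (container if container is not None else ()):
            ns, _, local = el.tag.rpartition("}")
            if (ns.lstrip("{"), local) not in allowed(section):
                findings.append((section, local, el.get("id")))
    return findings

if __name__ == "__main__":
    for finding in unsupported_components(SAMPLE):
        print("unsupported:", *finding)
```

Run against content before handing it to an evaluator, a non-empty result means some definitions depend on components the answer above lists as not supported.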

OVAL Content Error Reporting <AR_3.3>

List each supported assessment method if applicable.

Query to a database of an endpoint's current configuration settings.
Assessment of state by a host-based sensor.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Customers can contact a support helpdesk to report an error in OVAL content.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

The OVAL content downloaded from MyJVN API is tested, and XML schema validation is performed. Customers can contact a support helpdesk to report a syntax error in OVAL content.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

MyJVN Security Configuration Checker is an XCCDF- and OVAL-based on-line scanner that assesses Windows security configuration. Each result is judged as a "good" or "bad" condition. The customer can relate the OVAL definition to the results.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

The product downloads the list of OVAL content and the definition data of OVAL content from MyJVN API automatically. In MyJVN Security Configuration Checker, the OVAL content must be associated with an XCCDF benchmark file.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

The results of MyJVN Security Configuration Checker are judged as "good" or "bad". The product doesn’t support output of an OVAL Results Document, but the customer can relate the OVAL result to the result of these products as follows: true (good); false (poor, N/A and bad).

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The overview field of MyJVN Security Configuration Checker shows the list of scanned target configurations, a summary of the result such as "good" or "bad", and the scanned target value. The detail field shows a website that explains how to change the configuration.

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

N/A (The content can be retrieved through MyJVN API interface.)

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Page Last Updated: February 28, 2014