OVAL - Compatibility Questionnaire: Citadel Security Software Inc. (Hercules)

Compatibility Questionnaire: Citadel Security Software Inc. (Hercules) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

General Capability Questions | Accuracy Questions | Documentation Questions | Capability Specific Questions

Organizational Information

Name of Your Organization:

Citadel Security Software Inc.

Web Site:

http://www.citadel.com

Product Information

Product/Service Name:

Hercules

Compatible Categories:

OVAL Results Consumer

Product/Service Home Page:

http://www.citadel.com/

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

The Hercules products are available via channel partners and directly from Citadel Security Software.

Citadel customers can find OVAL information in the Hercules Vulnerability Remedy data, in the context and on-line help as well as in the Hercules product documentation.

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicate the OVAL Schema used to create or update its contents and/or results (required):

Within the Help functionality of the Hercules Administrator Console and the product documentation, it states Hercules provides support for OVAL 4.0 or later schema. The image below shows a section of the Hercules User's Guide indicating the OVAL Schema version supported.

Additionally, the Hercules V-Flash service is an automated delivery mechanism connecting Hercules customers to the Citadel V-Flash server. The V-Flash Server houses the library of vulnerability remedies. Hercules customer sites are updated with new remediations electronically through this service. Notifications are included in the V-Flash notification messages indicating the date the OVAL content was last updated. The snippet below is a sample of what is depicted at the end of each V-Flash notification message.

-----------------------------------------------------------------------
Note:
      This V-Flash uses CVE information from CVE Version 20040901.
      The CVE Candidate information was last updated 9/28/2005.
      For additional information on the CVE process, see http://cve.mitre.org/.
      This V-Flash uses OVAL content which was last updated 9/28/2005.
      For additional information on OVAL, see http://oval.mitre.org/.

-----------------------------------------------------------------------

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):

There are two separate questions being asked here, how often do you update the OVAL content for the Mitre currently supported schemas and how do you plan on keeping current with new OVAL Schemas published on the Mitre site.

Keeping OVAL content current is a daily on-going process. The Citadel Remediation Security Group has dedicated staff members focused on assuring the accuracy and integrity of the data used within the Hercules product line. We have implemented an automated process that pulls down the OVAL content files each day for all platforms available from the Mitre site. The new information is merged into our database each time the process runs. Since we are Certified CVE Compatible, we auto-associate new OVAL checks to the appropriate remediation using the CVE ID as the key. New and updated OVAL content not auto-associated are manually reviewed to assure coverage and accuracy from a Hercules product perspective.

When new OVAL Schemas are released, Citadel will be matching the OVAL release schedule for minor releases so new schemas are supported immediately. For major releases we will have newly supported OVAL importers available within 45 days. This is due to testing and integrating with existing product release schedules. We are and plan to continue to be an active part of the OVAL Schema development so we can minimize the time and plan releases to better fit OVAL major release schedules.

Platform and Definition Type Support

Indicate which platforms and definition types for those platforms that your capability supports for each category of OVAL compatibility your capability supports (required):

Currently, Hercules has been tested with the Core, Red Hat Linux, Sun Solaris and Microsoft Windows Definition Schemas. Supporting additional platforms is a data issue at this point. The current importer should be able to support the other specified platform schemas. We will be able to support additional Definition Schemas as they are published and data to test with becomes available.

Approach for Correction of Errors

Indicate how someone who discovers an error in your capabilities use of OVAL can report the error and describe your approach to responding to such reports and applying fixes (required):

If you are a product vendor and you are trying to initially integrate with Hercules from an OVAL perspective, contact the Technical Contact listed above for assistance.

If you are a customer and you feel errors have been discovered in either our importer or our data, contact customer support by telephone at 1.888.924.8233 or via email support@citadel.com. If the problem is an OVAL content issue, the correction will be made within the next business day and made available to customers via the Citadel V-Flash service. If the problem is with the importer software itself we will work with the submitter to understand why they think they have discovered a problem with the software. If an error is encountered we will work to provide an expedient resolution to the issue.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):

Customers can also use the Third Party ID Search capabilities of the product to locate a remediation associated with a specific or set of OVAL IDs.

If a specific OVAL ID is entered, the remediation associated with the OVAL ID is selected. The user can then browse the remedy or use it in some other way.

Users can also use other search capabilities to locate sets of remedies corresponding to the search criteria entered. In the example below, simple wildcarding was used.

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):

The Hercules User Guide and Hercules Vulnerability Assessment and Remediation Overview both reference the OVAL capabilities of the product. These documents are provided as a part of the response to this questionnaire. They are included with the Hercules product for customer usage. Customers can use the Third Party ID Search capabilities of the product to locate a remediation associated with a specific or set of OVAL IDs. In a future version, remedies with an associated OVAL ID will have the OVAL ID displayed as we do CVE IDs today.

Capability Specific Questions

OVAL-ID Output and Searchable

Finding Elements Using OVAL-ID

Give detailed examples and explanations of how a user can locate security elements in the capability by looking for their associated OVAL-ID(s) (required):

This is described above.

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:		Carl Banzhof
Title:		Chief Technology Officer

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:		Carl Banzhof
Title:		Chief Technology Officer

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."