Statement of SCAP Compliance

Qualys SCAP Auditor 1.2

Qualys SCAP Auditor 1.2 is a subscription based, Software as a Service solution delivered via Qualys Policy Compliance 8.x and the Qualys Cloud Platform. The SCAP features are versioned independently from other services available via the Qualys portal. Changes to the Qualys SCAP Auditor version number will indicate changes related to SCAP scanning. Qualys SCAP Auditor 1.2 supports USGCB scanning for internal systems on a global scale.

Learn more
https://www.qualys.com/solutions/compliance/scap/
https://www.qualys.com/docs/qualys-scap-getting-started-guide.pdf

Tell me about availability

The SCAP application must be enabled for your account. Not sure if it's enabled? Go to Help > Account Info and see if there's a SCAP Summary section. If yes, then SCAP is turned on. You'll also need compliance management permissions. All Managers and Auditors have this permission. For sub-users, a Manager can grant you the "Manage PC module" permission by editing your user account.

SCAP Compliance

Compliant with SCAP Version 1.2: XCCDF 1.2, OVAL 5.10, CCE 5, CPE 2.3, CVE and CVSS 2, OCIL 2.0, CCSS 1.0, Asset Identification 1.1, ARF 1.1, TMSAD 1.0.

Compliant with SCAP Version 1.0/1.1: XCCDF 1.1.4, OVAL 5.3, CCE 5, CPE 2.2, CVE and CVSS 2.

SCAP 1.2 Conformance

Our SCAP application conforms with the requirements in the SCAP 1.2 specification for the compliance-checking use case (the @use-case attribute of the <ds:data-stream> element set to CONFIGURATION). We are a consumer of SCAP content, meaning we accept existing SCAP source data stream content, process it, and produce valid SCAP result data streams.
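The use-case selection described above, as an added example that is not Qualys code: a consumer that only supports the CONFIGURATION use case should pick data streams by the @use-case attribute on <ds:data-stream> and report anything else rather than guess. The namespace is the SCAP 1.2 source data stream schema; the collection XML and its ids are constructed for the example.

```python
"""Select the SCAP 1.2 data streams a compliance-checking consumer accepts."""
import xml.etree.ElementTree as ET

# Namespace bound to the ds: prefix in SCAP 1.2 source data streams.
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"

# Constructed sample collection: one CONFIGURATION stream and one
# VULNERABILITY stream. Real USGCB content is far larger; only the
# attributes that drive the selection are shown here.
SAMPLE_COLLECTION = f"""
<ds:data-stream-collection xmlns:ds="{DS_NS}" id="scap_example_collection">
  <ds:data-stream id="scap_example_datastream_usgcb-win7"
      use-case="CONFIGURATION" scap-version="1.2">
    <ds:checklists/>
    <ds:checks/>
  </ds:data-stream>
  <ds:data-stream id="scap_example_datastream_vuln"
      use-case="VULNERABILITY" scap-version="1.2">
    <ds:checks/>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def select_streams(xml_text, accepted_use_cases=("CONFIGURATION",),
                   required_version="1.2"):
    """Return (accepted_ids, rejected) where rejected maps id -> reason.

    Streams are rejected when their scap-version is not the one this
    consumer implements or their use-case is not one it supports.
    Use defusedxml in place of ElementTree for content from untrusted sources.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DS_NS}}}data-stream-collection":
        raise ValueError(f"not an SCAP 1.2 data stream collection: {root.tag}")
    accepted, rejected = [], {}
    for stream in root.findall(f"{{{DS_NS}}}data-stream"):
        sid = stream.get("id", "<missing id>")
        version = stream.get("scap-version")
        use_case = stream.get("use-case")
        if version != required_version:
            rejected[sid] = f"scap-version {version!r} is not {required_version}"
        elif use_case not in accepted_use_cases:
            rejected[sid] = f"use-case {use_case!r} is not supported"
        else:
            accepted.append(sid)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = select_streams(SAMPLE_COLLECTION)
    print("accepted:", ok)
    for sid, why in bad.items():
        print("rejected:", sid, "-", why)
```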

SCAP 1.2 Certification

Certified as an Authenticated Configuration Scanner with the CVE option for assessment of Windows 7 (32 and 64 bit) and Red Hat Enterprise Linux (RHEL) 5 Desktop (32 and 64 bit), providing the ability to audit and assess a target system to determine its compliance with USGCB requirements.

Backward Compatibility

SCAP Auditor 1.2 provides backward compatibility with SCAP 1.0 for assessment of Windows XP and Windows Vista, supporting USGCB and FDCC assessment. For SCAP 1.0 we are certified for these capabilities: FDCC Scanner, Authenticated Configuration Scanner, Authenticated Vulnerability and Patch Scanner, and Unauthenticated Vulnerability Scanner.

SCAP Tier III Content

In addition to the SCAP certified assessment capabilities, SCAP Auditor can process SCAP tier III content intended for the following systems: Windows 7 (32 and 64 bit), Windows XP (32 bit), Windows Vista, Windows 2008, Windows 2012, RHEL 5 (32 and 64 bit) and most Linux distributions.

Scanner Appliance Installation and Setup

SCAP scanning is available when the SCAP application is enabled for the subscription and the user has compliance management privileges.

SCAP scanning is conducted by a scanner appliance that is installed in the subscription and enabled for SCAP scanning. A physical scanner appliance or a virtual scanner appliance may be configured for SCAP scanning. It takes just a couple of minutes to set up a scanner appliance; see our user guides. You can download the user guides from Help > Resources. Once the appliance is deployed in your account, you need to enable SCAP on the appliance.

Internet Access to Our Security Service

Your scanner appliance must be able to contact the URLs for our security service, which includes the SCAP application. These URLs are listed within your account on the About page. Go to Help > About on the top menu bar and you'll see the Scanner Appliances section with our service URLs. Depending on your network, it may be necessary to change your network protection systems to allow access.

Access to Hosts

Remote access to target hosts is required via authenticated scanning. Follow these steps before scanning:

1) Add target hosts to your account as compliance hosts.

2) Create asset groups including the compliance hosts to be scanned.

3) Add one or more SCAP policies to your account and assign asset groups to them.

4) Add Windows authentication records for the target hosts.