Tell me about the SCAP Individual Host Report

When you're running your report use the Display option to filter the hosts displayed in the report based on posture. You have these options: Passed (Fixed), Failed (includes Error and Unknown) or Ignored (includes Not Applicable, Not Checked, Not Selected and Informational).

The summary section shows the SCAP policy title, benchmark, profile, version and technology, the specified report source options, and the host selected for the report.

Each rule in the report is listed with the posture for the selected host. Our service evaluates the test results for all the nodes (definitions and test sections) according to the rule and determines whether the host satisfied the conditions of the rule.

Passed - The test results for all the nodes satisfied the conditions of the rule.

Failed - In a case where the evidence has a node with the result Error or Unknown, our service will assign the posture Failed since the host did not satisfy the conditions of the rule. If the result is Error, our service reports Failed (Error). If the result is Unknown, our service reports Failed (Unknown).

A rule is ignored if you see one of these postures: Not Applicable, Not Checked, Not Selected or Informational. Not Checked indicates that the rule refers to checks in checking systems other than OVAL (http://oval.mitre.org/XMLSchema/oval-definitions-5). This includes OCIL checks.

In the Results section of your report, we'll show you current CCE IDs for each rule, as defined in the SCAP policy. Click on any CCE ID to get additional information, including mappings to NIST SP 800-53 control identifiers. These appear under References. Please note that CCE IDs will be displayed only if they are specified in the SCAP data stream.

 

What are CCE4 IDs?What are CCE4 IDs?

Evidence is available in the report when the Evidence option is selected in the report source. You can tell whether there is evidence in the report by placing your mouse over a row in the Results section. When evidence is available, the browser pointer changes from an arrow to a hand and the row (rule) is highlighted. Click the row to see the evidence for the rule on the host. By reviewing the evidence you can easily determine why the rule passed or failed for the host. The evidence content for a rule is displayed in a tree structure with nodes that represent the logic of the rule and the scan tests performed on the host. You can expand and collapse sections of the evidence tree by hovering your mouse over a node and then clicking the link to change the view. You will notice when you move your cursor over a node, the browser pointer will change to a hand and the link will be underlined so you can follow the link. Each node in the evidence tree identifies the OVAL test result status so you can determine compliance within the rule sections. A Red node in the evidence tree indicates a failed test. A Definition node identifies an OVAL definition test and results for the rule.

If you ran your report on a policy with custom OVAL definitions, you can go to File > Download to download the OVAL definitions in XML format.

The rule titled "Security Patches Up-To-Date" provides evidence for special patches tested during the most recent SCAP scan of each host in the SCAP policy. These include all patches defined in the "patches" file in the SCAP policy when present. For each host you'll see the patch status. The status Pass indicates the patch was found during the last SCAP scan on the host, and the status Fail (in Red) indicates the patch was not found during the last SCAP scan on the host.