Install and configure the SCAP Extensions


Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

After preparing the prerequisite infrastructure, you are ready to install and configure the SCAP Extensions for Microsoft System Center Configuration Manager on the computer from which you want to run this process.

Install the SCAP Extensions for Configuration Manager

  1. Run ConfigMgr_Extensions_for_SCAP.msi to install the tool.

  2. In Windows Explorer, go to the folder where you downloaded the ConfigMgr_Extensions_for_SCAP.msi file, and then double-click the ConfigMgr_Extensions_for_SCAP.msi file.

    The SCAP Extensions for Microsoft System Center Configuration Manager Installation Wizard starts.

  3. Complete the SCAP Extensions for Microsoft System Center Configuration Manager Installation Wizard using the information in the following table, accepting the wizard's default values unless you need to change them.

     Wizard page name / User action

     Welcome
       1. Click Next.

     End-User License Agreement
       2. Review the license agreement.
       3. Click I accept the terms in the license agreement.
       4. Click Next.

     Destination Folder
       5. Specify an installation path and click Next.

     Ready to Install
       6. Click Install.

     Completed the SCAP Extensions for Microsoft System Center Configuration Manager Installation Wizard
       7. Click Finish.

The SCAP Extensions for Microsoft System Center Configuration Manager Installation Wizard installs the extensions by default in the following location, depending on the Windows operating system that you are running:

  • C:\Program Files\SCAP Extensions\ on a computer running Windows 7 or Windows Server 2008/R2.

  • C:\Program Files (x86)\SCAP Extensions\ on an x64 computer.

Download and install the SCAP data stream files

Before you can run the SCAP Extensions to convert SCAP data stream files and import them into the Compliance Settings feature, you must download the SCAP data stream files from the National Vulnerability Database (NVD) download page. Then copy them into the folder where you installed the SCAP Extensions.

Depending on your environment, you may not need all the SCAP data stream files listed on the download page.

To install the SCAP data streams:

  1. Visit the NVD Web site to identify the SCAP data streams that are required by your organization. The SCAP data streams published by NIST are organized into multiple bundles, which are also called checklists.

  2. Download the SCAP data streams from the NVD Web site. They are distributed either as compressed files with a .zip file name extension or as files marked as DataStream XML files.

    Important

    There are many SCAP data stream files with the .xml extension that you can download from the NVD. However, only .xml files that contain XCCDF (SCAP 1.0 and 1.1) or DataStream (SCAP 1.2) content are appropriate for use with the SCAPTODCM.exe tool.

  3. Extract the SCAP data streams .zip files/DataStream XML file that you downloaded into the same folder where you installed the SCAP Extensions.

Convert and import the SCAP data stream files

After obtaining the SCAP data streams, you are ready to use the SCAPTODCM.exe tool to convert them into Compliance Settings compliant .cab files and then import the .cab files into Configuration Manager. The SCAPTODCM.exe tool converts the SCAP data streams into XML manifests that describe configuration items and configuration baselines, and then packages the XML manifests into a .cab file that you can import into Configuration Manager and access through the Compliance Settings feature.

The SCAP data streams published by NIST are organized into multiple bundles. Follow NIST's instructions to verify which bundles to use in your environment. For example, there is a separate bundle for each version of Windows, another version-specific bundle for the firewall configuration, and a bundle for Internet Explorer 8.0. Use the following procedures to accomplish this task.

To import the SCAP data streams into Configuration Manager

  1. Convert the SCAP data streams into a Compliance Settings compliant .cab file.

  2. Import the .cab file into Configuration Manager. Do not choose Create a new copy of the imported configuration baseline and configuration items when you import the .cab file. Doing so changes the GUID of the baseline, and DCMToSCAP could then fail to find the results for that baseline in the site database.

Convert the SCAP data streams into Compliance Settings Compliant .cab files

Before you can analyze and assess the compliance of your systems, you need to convert the SCAP data streams in XML format into XML manifests that are compliant with Compliance Settings configuration items and configuration baselines. The SCAPTODCM tool converts the SCAP data streams into XML manifests, and then packages the XML manifests into a .cab file that you can later import into Configuration Manager.

To convert the SCAP data streams into Compliance Settings compliant .cab files using the SCAPTODCM.exe tool

  1. Click Start, click All Programs, click SCAP Extensions, and then click SCAP Extensions.

  2. At the command prompt, run SCAPToDCM.exe to generate a Compliance Settings compliant .cab file, and then import it into the Configuration Manager site.

Note

Your account must have read/write permissions for the SCAP Extensions installation folder and for the output folder. Otherwise, copy all binaries from the SCAP Extensions installation folder to a folder for which the account has read/write permissions.

For SCAP 1.0/1.1 content (XCCDF XML file, such as USGCB and DISA content):

scaptodcm -xccdf <xccdf.xml> -cpe <cpe.xml> -out <outputFolder> [-select benchmark/profile]

Note

If you don't specify the benchmark/profile by using the -select parameter, the tool generates a DCM cab for each benchmark in the content file.

For SCAP 1.2 content (DataStream XML file, such as the latest USGCB content):

scaptodcm -scap <scapdatastreamfile.xml> -out <outputFolder> [-select datastream/benchmark/profile]

Note

If you don't specify the datastream/benchmark/profile by using the -select parameter, the tool generates a DCM cab for each benchmark in the content file.

For a single OVAL file with external variables:

scaptodcm -oval <singleOvalFile.xml> [-variable <externalVariableFile.xml>] -out <outputFolder>

Note

If there are multiple values for one variable in the external variable file, the SCAPToDCM tool treats the values as an array for this variable.

Parameter / Usage / Required

-scap [scap data stream file]
    Specify the SCAP data stream file.
    Required: Yes (for SCAP 1.2 data stream, mutually exclusive with -xccdf and -oval/-variable)

-xccdf [xccdf file]
    Specify the XCCDF file.
    Required: Yes (for SCAP 1.0/1.1 XCCDF, mutually exclusive with -scap and -oval/-variable)

-cpe [cpe file]
    Specify the CPE file.
    Required: Yes (for SCAP 1.0/1.1 XCCDF, mutually exclusive with -scap and -oval/-variable)

-oval [oval file]
    Specify the OVAL file.
    Required: Yes (for standalone OVAL file, mutually exclusive with -xccdf and -scap)

-variable [oval external variable file]
    Specify the OVAL external variable file.
    Required: No (optional for a standalone OVAL file when there is an external OVAL variable file, mutually exclusive with -xccdf and -scap)

-select [xccdf benchmark/profile]
    Specify the XCCDF benchmark profile from either the SCAP data stream or the XCCDF file.
    Required: No (we suggest specifying this switch; if it is not specified, the tool generates a cab for all the profiles in all embedded DataStreams/benchmarks)

-out [output directory]
    Specify where to put the DCM cab file.
    Required: No (if not specified, the tool only lists the content without conversion)

-batch
    How many CIs are allowed in a single DCM baseline.
    Required: No (the default value is 500 if not specified; no negative value is allowed)

-log [log file]
    Specify the log file.
    Required: No (if not specified, the log is written to the SCAPToDCM.log file)

-help / -?
    Print out tool usage.
    Required: No

The following are sample command lines for the SCAPTODCM.exe tool:

SCAP 1.2 content:
SCAPToDCM -scap scap_gov.nist_USTCB-ie8.xml -out .\mytestfolder -select mySCAPDataStreamID/myBenchMarkID/myProfileID

SCAP 1.0/1.1 content:
SCAPToDCM -xccdf scap_gov.nist_Test-WinXP_xccdf.xml -cpe scap_gov.nist_Test-WinXP_cpe.xml -out .\mytestfolder -select XCCDFBenchmarkID/MyProfileID

SCAP OVAL content:
SCAPToDCM -oval myOvalFile.xml -variable myOvalExternalVariableFile.xml -out .\mytestfolder

The following is sample output from the SCAPTODCM.exe tool:

Compliance Settings compliant cab file created:

Validate the schema of SCAP data stream file C:\24SCAP\BVT_Test_Data_Stream.xml
Successfully validate the schema of SCAP data stream file C:\24SCAP\BVT_Test_Data_Stream.xml
Process XCCDF Benchmark xccdf_tst.bvt_benchmark_Windows-F
Process XCCDF Profile: xccdf_tst.bvt_profile_version_1.0.0.0-BVT Profile#1
Process OVAL: scap_tst.bvt_comp_Windows-F-oval.xml
Successfully finished process OVAL: scap_tst.bvt_comp_Windows-F-oval.xml
Process OVAL: scap_tst.bvt_comp_Windows-F-cpe-oval.xml
Successfully finished process OVAL: scap_tst.bvt_comp_Windows-F-cpe-oval.xml
Process SCAP data stream: scap_tst.bvt_datastream_Windows-F.zip

SCAP Data Stream: [scap_tst.bvt_datastream_Windows-F.zip]
  Version:        [1.2]
  Timestamp:      [2/24/2012]
  Use-case:       [CONFIGURATION]
  CPE Dictionary:  [scap_tst.bvt_comp_Windows-F-cpe-dictionary.xml]
    OVAL:              [Windows-F-cpe-oval.xml]
      Product name:    [National Institute of Standards and Technology]
      Product version: []
      Schema version:  [5.3]
      Timestamp:       [2/24/2012]
  XCCDF Benchmark: [xccdf_tst.bvt_benchmark_Windows-F]
    Version:       [v1.0.0.0]
    Update:        [http://usgcb.nist.gov]
    Timestamp:     [2/24/2012]
    Status:        [accepted]
    Status date:   [2/24/2012]
    Title:         [Ohh New BVT for SCAP 1.2]
    Description:   [My description]
    XCCDF Profile: [xccdf_tst.bvt_profile_version_1.0.0.0]
    OVAL:              [Windows-F-oval.xml]
      Product name:    [scaptool]
      Product version: []
      Schema version:  [5.4]
      Timestamp:       [2/24/2012]

Start SCAP to DCM conversion...
Processing SCAP data stream: scap_tst.bvt_datastream_Windows-F.zip
Processing CPE dictionary: scap_tst.bvt_comp_Windows-F-cpe-dictionary.xml
…
Generating CI baseline cab file: C:\28\bbt\xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_1.0.0.0].cab
Successfully generated CI baseline cab file: C:\28\bbt\xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_1.0.0.0].cab
Successfully converted XCCDF profile: xccdf_tst.bvt_profile_version_1.0.0.0 into DCM baseline xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_1.0.0.0].cab
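The listing that SCAPToDCM.exe prints when -out is omitted contains the data stream, benchmark and profile IDs that the -select switch needs. The following PowerShell script is an added example, not part of the SCAP Extensions or its documentation: it runs the tool once in list-only mode, parses the bracketed "SCAP Data Stream:", "XCCDF Benchmark:" and "XCCDF Profile:" lines shown in the sample output above (the assumed listing format), then converts each profile with an explicit -select and checks that the expected Benchmark[Profile].cab file appeared. It assumes the tool is on the path of the SCAP Extensions command prompt and returns a non-zero exit code on failure.

```powershell
# Added example (not the SCAP Extensions' own code). Assumes the list-only
# output format shown in the documentation's sample output and that
# SCAPToDCM.exe exits non-zero on failure.
param(
    [Parameter(Mandatory)] [string] $DataStream,        # SCAP 1.2 DataStream XML file
    [string] $OutDir = (Join-Path $PWD 'dcm-cabs'),
    [string] $Tool   = 'SCAPToDCM.exe'                  # run from the SCAP Extensions prompt
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. List-only run: without -out the tool prints the content and converts nothing.
$listing = & $Tool -scap $DataStream -log (Join-Path $OutDir 'list.log') 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "Listing failed (exit $LASTEXITCODE):`n$listing" }

# 2. Walk the listing, remembering the current data stream and benchmark IDs so
#    that every profile becomes a full datastream/benchmark/profile selector.
$selections = @()
$stream = $null
$benchmark = $null
foreach ($line in ($listing -split "`r?`n")) {
    switch -Regex ($line) {
        '^\s*SCAP Data Stream:\s*\[(.+?)\]' { $stream = $Matches[1] }
        '^\s*XCCDF Benchmark:\s*\[(.+?)\]'  { $benchmark = $Matches[1] }
        '^\s*XCCDF Profile:\s*\[(.+?)\]'    {
            if ($stream -and $benchmark) {
                $selections += [pscustomobject]@{
                    Stream = $stream; Benchmark = $benchmark; Profile = $Matches[1]
                }
            }
        }
    }
}
if (-not $selections) { throw 'No XCCDF profiles found in the listing' }

# 3. Convert one profile at a time with an explicit -select (the documentation
#    recommends this over converting every profile at once) and confirm the
#    Benchmark[Profile].cab named in the documentation exists before moving on.
foreach ($s in $selections) {
    $select = '{0}/{1}/{2}' -f $s.Stream, $s.Benchmark, $s.Profile
    $log    = Join-Path $OutDir ('{0}.log' -f $s.Profile)
    & $Tool -scap $DataStream -select $select -out $OutDir -log $log | Out-Null
    # -LiteralPath: the cab name contains [ ], which Test-Path would otherwise
    # treat as a wildcard character class.
    $cab = Join-Path $OutDir ('{0}[{1}].cab' -f $s.Benchmark, $s.Profile)
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $cab)) {
        Write-Warning "Conversion of $select did not produce $cab; see $log"
        continue
    }
    Write-Host "OK  $cab"
}
```

Each generated .cab is then imported with the Import Configuration Data Wizard described in the next section, without the Create a new copy option.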

Import the Compliance Settings Compliant .cab files into System Center Configuration Manager

The next step in the process is to use the Configuration Manager Console to import the Compliance Settings-compliant .cab files into Configuration Manager. When you import the .cab files you created earlier in this process, one or more configuration items and configuration baselines are created in the Configuration Manager database. Later in the process you can assign each of the configuration baselines to a computer collection in Configuration Manager.

To import the Compliance Settings compliant .cab files into Configuration Manager

  1. Open the Configuration Manager Console.

  2. In the Configuration Manager Console, in the navigation pane, go to Assets and Compliance | Compliance Settings | Configuration Baselines.

  3. In the actions pane, click Import Configuration Data.

    The Import Configuration Data Wizard starts.

  4. Complete the Import Configuration Data Wizard using the information in the following table and accepting the default values unless otherwise specified.

     Wizard page name / User action

     Choose Files
       1. Click Add.
          The Open dialog box appears.
       2. In the Open dialog box, go to <compliant_cab_output_folder>, click the <compliant_cab>.cab file, and then click Open. Here <compliant_cab_output_folder> is the folder that you specified with the -out switch when you ran the SCAPTODCM.exe tool, and <compliant_cab> is the name of a .cab file that you created earlier in the process.
          The Configuration Manager Console - Security Warning dialog box appears.
       3. In the Configuration Manager Console - Security Warning dialog box, click Run.
          On the Choose Files page, the configuration data appears in the list of baselines to import.
       4. Click Next.

     Summary
       5. Click Next.

     Completing the Import Configuration Data Wizard
       6. Click Close.

The new configuration baseline appears in the information pane of the Configuration Manager Console.

Important

You need to repeat this process for each .cab file that you created earlier in the process. The SCAPTODCM.exe tool produces one .cab file for each selected profile in the XCCDF/DataStream XML file that you downloaded from the NVD Web site.

The imported configuration baseline is read only and has a Status of Enabled and an initial Deployed state of No. The Date Modified property indicates the time that the baseline was imported.

The name of the configuration baseline is taken from the display name section of the XCCDF/Datastream XML and is constructed using the following convention: ABC[XYZ], where ABC is the XCCDF Benchmark ID, and XYZ is the XCCDF Profile ID (if a profile is selected).

Assign configuration baselines to the computer collections

After creating the appropriate computer collections for the computers that you want to assess for SCAP compliance, you are ready to assign the configuration baselines that you imported to those computer collections. This section describes how to assign a configuration baseline to a computer collection using the Configuration Manager Console.

To assign a configuration baseline to a computer collection

  1. Open the Configuration Manager Console.

  2. In the Configuration Manager Console, in the navigation pane, go to Assets and Compliance | Compliance Settings | Configuration Baselines.

  3. In the navigation pane, click <configuration_baseline>, where <configuration_baseline> is the name of the configuration baseline that you want to assign to a computer collection.

    The list of configuration items for the configuration baseline displays in the information pane of Configuration Manager.

  4. In the actions pane, click Deploy.

  5. Complete the Deploy Configuration Baseline dialog box using the information in the following table and accepting the default values unless otherwise specified.

     Wizard page name / User action

     Choose Collection
       1. Click Browse.
       2. In the Select Collection dialog box, select Device Collections, click <computer_collection>, where <computer_collection> is the name of the computer collection that you created earlier in the process, and then click OK.

     Set Schedule
       3. Select the schedule that is appropriate for your organization.

Important

Repeat this process for each computer collection that you want to assign to each configuration baseline. At a minimum, assign each configuration baseline to at least one computer collection.

Verify that the compliance data has been collected

Before exporting the compliance data back to SCAP format, you need to verify that the data has been collected. After you assign a configuration baseline to a computer collection, the Configuration Manager client on each computer in the collection automatically gathers the compliance information. Then the compliance information is stored in the Configuration Manager database.

You view the status of the configuration baseline deployment in Configuration Manager to ensure that the appropriate data has been collected by the Configuration Manager clients. It is important to verify that the appropriate compliance data has been collected in Configuration Manager because it can help you validate the XCCDF/DataStream results files that you create later in the process.

To verify that the compliance data has been collected

  1. Open the Configuration Manager Console.

  2. In the Configuration Manager Console, in the navigation pane, go to Monitoring | Deployments.

  3. Click the Feature Type column header to sort the deployments by type, and find the items whose type is Baseline in the list.

  4. Right-click the <configuration_baseline> that you just deployed to the collection, and then click View Status.

    Then move to the <configuration_baseline> node to view the compliance status. If a computer is still in the Unknown state, compliance data collection has not yet completed for that computer.

Export compliance results to SCAP

The next task in the process is to export the Compliance Settings compliance data to SCAP format, which is an ARF report file in XML/human-readable format. The DCMTOSCAP.exe tool exports a separate XCCDF/DataStream ARF results file for each Compliance Settings configuration baseline. These files correspond to each XCCDF/DataStream input file that the SCAPTODCM.exe tool uses to create each Compliance Settings configuration baseline.

Export the Compliance Settings compliance data to an XCCDF/DataStream ARF results file

  1. Click Start > All Programs > SCAP Extensions > SCAP Extensions.

  2. At the command prompt, type the command-line parameters listed in the following table, and then press ENTER.

    Note

    Your account must have read permissions for the Configuration Manager site database, and also have write permissions for the out folder specified in the –out parameter of the command line.

For SCAP 1.0/1.1 content (such as USGCB and DISA content):

dcmtoscap -xccdf <xccdf.xml> -cpe <cpe.xml> -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> -select <xccdfBenchmark/profile> -out <outputResultFolder>

Note

Use the -select parameter to specify the benchmark/profile that has been evaluated on the clients if there are multiple benchmarks/profiles in the content.

For SCAP 1.2 content (such as the latest USGCB content):

dcmtoscap -scap <scapdatastreamfile.xml> -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> -select <datastream/xccdfBenchmark/profile> -out <outputResultFolder>

Note

Use the -select parameter to specify the datastream/benchmark/profile that has been evaluated on the clients if there are multiple datastreams/benchmarks/profiles in the content.

For a single OVAL file with external variables:

dcmtoscap -oval <singleOvalFile.xml> [-variable <externalVariableFile.xml>] -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> -out <outputResultFolder>

Note

For standalone OVAL content, DCMToSCAP generates only an OVAL definition results report for each target computer; no ARF report is generated.

Parameter / Usage / Required

-server [SQLServer\SQLInstance]
    Specify the name of the Configuration Manager site database server and the SQL instance.
    Required: Yes

-database [SQLDatabase]
    Specify the name of the Configuration Manager site database.
    Required: Yes

-collection [collection id]
    Specify the collection ID for which to generate the SCAP report.
    Required: Yes (when -machine is not specified)

-machine [machine name]
    Specify the computer name for which to generate the SCAP report.
    Required: Yes (when -collection is not specified)

-organization [organization name]
    Specify the organization name that is displayed in the report. Separate parts with ';' to specify a multi-line organization name.
    Required: No

-type [thin/full/fullnosc]
    Specify the OVAL result type: thin result, full result, or full result without system characteristics.
    Required: No (if not specified, the default value is full)

-scap [scap data stream file]
    Specify the SCAP data stream file.
    Required: Yes (for SCAP 1.2 data stream, mutually exclusive with -xccdf and -oval/-variable)

-xccdf [xccdf file]
    Specify the XCCDF file.
    Required: Yes (for SCAP 1.0/1.1 XCCDF, mutually exclusive with -scap and -oval/-variable)

-oval [oval file]
    Specify the OVAL file.
    Required: Yes (for standalone OVAL file, mutually exclusive with -xccdf and -scap)

-variable [oval external variable file]
    Specify the OVAL external variable file.
    Required: No (optional for a standalone OVAL file when there is an external OVAL variable file, mutually exclusive with -xccdf and -scap)

-select [xccdf benchmark/profile]
    Select the XCCDF benchmark and profile from either the SCAP data stream or the XCCDF file.
    Required: Yes (a selection must be made to generate a report so that the tool can match the corresponding DCM baseline in the Configuration Manager database)

-out [output directory]
    Specify where to write the result files.
    Required: No (if not specified, the tool only lists the content without generating results)

-log [log file]
    Specify the log file.
    Required: No (if not specified, the log is written to the SCAPToDCM.log file)

-help / -?
    Print out tool usage.
    Required: No

Tip

You can specify the -?, -h, or -help parameter to display the syntax of the DCMTOSCAP.exe tool and a list of its parameters.

By default, the DCMTOSCAP.exe tool accesses the Configuration Manager database using your credentials. The DCMTOSCAP.exe tool requires a minimum of read access to the Configuration Manager database.

After verifying that the appropriate result files exist (ARF report: ARF_xxxx.xml and/or human-readable report: xxx.txt; Cyberscope report: LASR_xxx.xml; consumed OVAL report: xx-oval-<machineName>.xml; XCCDF benchmark result report: xccdf_xxx.xml), type exit at the command prompt and then press ENTER to close the command prompt.
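The export step above is a manual command followed by a visual check of the output folder. The following PowerShell script is an added example, not part of the SCAP Extensions or its documentation: it runs DCMToSCAP.exe for one device collection with the same -select value that was deployed, then checks that each report family named above was produced and that the XML reports are well-formed before they are handed to anyone. The server, database and collection ID values are placeholders that you must replace; the file name patterns (ARF_*.xml, LASR_*.xml, xccdf_*.xml, *-oval-*.xml, *.txt) are assumed from the names listed in the paragraph above, and the script needs PowerShell 3.0 or later.

```powershell
# Added example (not the SCAP Extensions' own code). Placeholder site values
# below must be replaced; report file-name patterns are assumed from the
# documentation's list of result files.
param(
    [Parameter(Mandatory)] [string] $DataStream,      # DataStream XML used for SCAPToDCM
    [Parameter(Mandatory)] [string] $Select,          # datastream/benchmark/profile that was deployed
    [string] $Server       = 'CMSQL01\INST01',        # placeholder: SQLServer\SQLInstance
    [string] $Database     = 'CM_P01',                # placeholder: site database name
    [string] $CollectionId = 'P0100012',              # placeholder: device collection ID
    [string] $OutDir       = (Join-Path $PWD 'scap-results'),
    [string] $Tool         = 'DCMToSCAP.exe'          # run from the SCAP Extensions prompt
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'dcmtoscap.log'

# -type full (the default) keeps the collected system characteristics in the
# OVAL results, so a reviewer can see what was evaluated, not only pass/fail.
# ';' in -organization produces a multi-line organization name in the report.
& $Tool -scap $DataStream -server $Server -database $Database `
        -collection $CollectionId -select $Select -type full `
        -organization 'Example Org;Security Operations' -out $OutDir -log $log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "DCMToSCAP failed (exit $LASTEXITCODE); see $log" }

# Every report family the documentation says to look for, with its assumed pattern.
$expected = [ordered]@{
    'ARF report'             = 'ARF_*.xml'
    'Cyberscope report'      = 'LASR_*.xml'
    'XCCDF benchmark result' = 'xccdf_*.xml'
    'Consumed OVAL report'   = '*-oval-*.xml'
    'Human-readable report'  = '*.txt'
}

$problems = @()
foreach ($kind in $expected.Keys) {
    $files = @(Get-ChildItem -Path $OutDir -Filter $expected[$kind] -File)
    if ($files.Count -eq 0) {
        $problems += "$kind missing (no $($expected[$kind]) in $OutDir)"
        continue
    }
    # A truncated or partially written XML report is worse than a missing one,
    # so parse every XML file rather than trusting its presence.
    foreach ($f in ($files | Where-Object { $_.Extension -eq '.xml' })) {
        try   { [xml](Get-Content -LiteralPath $f.FullName -Raw) | Out-Null }
        catch { $problems += "$kind is not well-formed XML: $($f.Name)" }
    }
    Write-Host ('{0,-24} {1} file(s)' -f $kind, $files.Count)
}

# A result set with gaps is not evidence of compliance; fail loudly instead of
# passing an incomplete folder on to the next step.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All expected SCAP result files are present and well-formed in $OutDir"
```

Run it from the SCAP Extensions command prompt with an account that has read access to the site database and write access to the output folder, as the note in this section requires.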